
Topic: Rootkit file ksfvjxai.sys?


kevlarge

    Rootkit file ksfvjxai.sys?
    « on: December 05, 2010, 10:55:29 AM »
    Hi

    Need some expert help to get rid of what I believe is a rootkit. ksfvjxai.sys, located in the System32\drivers folder, cannot be deleted. Attempted to delete it from the command prompt first. Then tried Unlocker, Malwarebytes, ComboFix, Sophos Anti-Rootkit and GMER, all to no avail.

    Let me know what logs you would like to see if any.

    Vista 32bit SP2

    Cheers!

    Allan

    Re: Rootkit file ksfvjxai.sys?
    « Reply #1 on: December 05, 2010, 11:02:44 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    harry 48

    Re: Rootkit file ksfvjxai.sys?
    « Reply #2 on: December 05, 2010, 11:07:02 AM »
    Try to complete the steps and post the logs; a malware expert will help you.


    http://www.computerhope.com/forum/index.php/topic,46313.0.html



    Rename ComboFix to commy.exe before you save it to your desktop.

    Rename Malwarebytes to anything before you save it to your desktop.

    Rename HijackThis to snipper.exe before you save it to your desktop.

    kevlarge

      Re: Rootkit file ksfvjxai.sys?
      « Reply #3 on: December 05, 2010, 12:25:52 PM »
      Thanks for your prompt response.

      Malwarebytes log:

      Malwarebytes' Anti-Malware 1.50
      www.malwarebytes.org

      Database version: 5242

      Windows 6.0.6002 Service Pack 2
      Internet Explorer 8.0.6001.18975

      04/12/2010 13:42:32
      mbam-log-2010-12-04 (13-42-32).txt

      Scan type: Full scan (C:\|D:\|)
      Objects scanned: 261230
      Time elapsed: 1 hour(s), 35 minute(s), 56 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      kevlarge

        Re: Rootkit file ksfvjxai.sys?
        « Reply #4 on: December 05, 2010, 12:27:35 PM »
        Hijack this:

        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 19:11:21, on 05/12/2010
        Platform: Windows Vista SP2 (WinNT 6.00.1906)
        MSIE: Internet Explorer v8.00 (8.00.6001.18975)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\Dwm.exe
        C:\Program Files\Dell\DellDock\DellDock.exe
        C:\Windows\Explorer.EXE
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Windows\system32\taskeng.exe
        C:\Windows\System32\igfxtray.exe
        C:\Windows\System32\hkcmd.exe
        C:\Windows\System32\igfxpers.exe
        C:\Windows\System32\WLTRAY.EXE
        C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
        C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
        C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
        C:\Program Files\Dell Support Center\bin\sprtcmd.exe
        C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
        C:\Windows\system32\igfxsrvc.exe
        C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe
        C:\Program Files\McAfee.com\Agent\mcagent.exe
        C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\Program Files\Unlocker\UnlockerAssistant.exe
        C:\Program Files\Windows Sidebar\sidebar.exe
        C:\Windows\ehome\ehtray.exe
        C:\Program Files\Windows Media Player\wmpnscfg.exe
        C:\Windows\ehome\ehmsas.exe
        C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
        C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
        C:\Program Files\Windows Sidebar\sidebar.exe
        C:\Windows\System32\svchost.exe
        C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
        C:\Program Files\Windows Live\Toolbar\wltuser.exe
        C:\Windows\system32\wuauclt.exe
        C:\Users\Nashir\Desktop\7ezuevl2.exe
        C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
        C:\Windows\system32\Taskmgr.exe
        C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
        C:\Windows\system32\DllHost.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
        O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
        O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
        O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
        O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
        O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
        O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
        O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
        O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
        O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
        O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
        O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
        O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
        O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
        O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
        O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
        O4 - HKLM\..\Run: [diagnostics] "C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" /icon -l:en
        O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
        O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
        O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
        O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
        O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
        O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
        O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
        O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
        O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
        O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
        O4 - Global Startup: Bluetooth.lnk = ?
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
        O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
        O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
        O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
        O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
        O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
        O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
        O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
        O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
        O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
        O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
        O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
        O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
        O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
        O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
        O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
        O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
        O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
        O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
        O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
        O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
        O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
        O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
        O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
        O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
        O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
        O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson/ST330/service/st330service.exe
        O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
        O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
        O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

        --
        End of file - 12804 bytes

        kevlarge

          Re: Rootkit file ksfvjxai.sys?
          « Reply #5 on: December 05, 2010, 12:53:11 PM »
          Combofix log:

          (ksfvjxai appears as a service entry in memory)

          ComboFix 10-12-03.03 - Nashir 04/12/2010  18:31:23.1.2 - x86
          Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.1045 [GMT 0:00]
          Running from: c:\users\Nashir\Desktop\ComboFixkl.exe
          SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
           * Resident AV is active

          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1EE8.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2255.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2609.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2D89.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3842.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3851.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3852.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3A16.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3B5D.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4C1F.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4CAC.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc59A6.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5ED4.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6B04.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6C3C.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6FC5.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc751F.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc762.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc76E6.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc77E1.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7CA1.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7F11.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc847D.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8C2B.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc92B0.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc92DF.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc97CE.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA305.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB4FF.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB55C.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB878.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBCE1.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBF3C.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC0C2.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC3AF.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC43B.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC90B.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCB9B.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCBE9.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCDE.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCE2A.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD4DE.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD5C8.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE320.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE3CC.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE4A6.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE4B6.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE561.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE89C.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEE1.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEF02.tmp
          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF884.tmp
          c:\users\Nashir\AppData\Roaming\l0wsec
          c:\users\Nashir\AppData\Roaming\l0wsec\l0cal.ds
          c:\users\Nashir\AppData\Roaming\l0wsec\us3r.ds
          .
          ---- Previous Run -------
          .
          c:\users\Nashir\AppData\Roaming\Ugubg\vuipa.exe
          c:\users\Nashir\AppData\Roaming\Ynkue\hoha.exe

          .
          (((((((((((((((((((((((((   Files Created from 2010-11-04 to 2010-12-04  )))))))))))))))))))))))))))))))
          .

          2010-12-04 18:40 . 2010-12-04 18:41   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
          2010-12-04 18:40 . 2010-12-04 18:40   --------   d-----w-   c:\users\Default\AppData\Local\temp
          2010-12-03 13:07 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5D07C6F-44E4-427D-9D8E-B7985FB9AA3D}\mpengine.dll
          2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
          2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
          2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
          2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
          2010-11-06 11:37 . 2010-11-06 11:37   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
          2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
          2010-09-08 06:01 . 2010-10-13 09:06   916480   ----a-w-   c:\windows\system32\wininet.dll
          2010-09-08 05:57 . 2010-10-13 09:06   43520   ----a-w-   c:\windows\system32\licmgr10.dll
          2010-09-08 05:57 . 2010-10-13 09:06   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
          2010-09-08 05:56 . 2010-10-13 09:05   71680   ----a-w-   c:\windows\system32\iesetup.dll
          2010-09-08 05:56 . 2010-10-13 09:05   109056   ----a-w-   c:\windows\system32\iesysprep.dll
          2010-09-08 05:04 . 2010-10-13 09:06   385024   ----a-w-   c:\windows\system32\html.iec
          2010-09-08 04:26 . 2010-10-13 09:05   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
          2010-09-08 04:25 . 2010-10-13 09:05   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
          2010-09-06 16:20 . 2010-10-13 09:06   125952   ----a-w-   c:\windows\system32\srvsvc.dll
          2010-09-06 16:19 . 2010-10-13 09:06   17920   ----a-w-   c:\windows\system32\netevent.dll
          2010-09-06 13:45 . 2010-10-13 09:06   304128   ----a-w-   c:\windows\system32\drivers\srv.sys
          2010-09-06 13:45 . 2010-10-13 09:06   145408   ----a-w-   c:\windows\system32\drivers\srv2.sys
          2010-09-06 13:45 . 2010-10-13 09:06   102400   ----a-w-   c:\windows\system32\drivers\srvnet.sys
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
          "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
          "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
          "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
          "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
          "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
          "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
          "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
          "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
          "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
          "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
          "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
          "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
          "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
          "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

          c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
          Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
          Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

          c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
          Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "EnableUIADesktopToggle"= 0 (0x0)

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
          2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
          @=""

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
          @=""

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=""
          "FirewallOverride"=""

          R1 rqmophar;rqmophar;c:\windows\system32\drivers\rqmophar.sys

          R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
          R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
          R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
          R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]
          R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672]
          R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328]
          R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
          S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
          S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
          S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
          S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
          S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
          S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
          S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
          S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]
          S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472]
          S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616]


          --- Other Services/Drivers In Memory ---

          *Deregistered* - ksfvjxai

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          bthsvcs   REG_MULTI_SZ      BthServ
          LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
          .
          Contents of the 'Scheduled Tasks' folder

          2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

          2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

          2010-05-15 c:\windows\Tasks\McDefragTask.job
          - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

          2009-07-31 c:\windows\Tasks\McQcTask.job
          - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

          2010-12-04 c:\windows\Tasks\ParetoLogic Registration3.job
          - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

          2010-10-27 c:\windows\Tasks\ParetoLogic Update Version3.job
          - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

          2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job
          - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

          2010-10-27 c:\windows\Tasks\PC Health Advisor.job
          - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

          2010-12-04 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
          - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.bbc.co.uk/
          mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
          uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
          IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
          IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
          IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
          .
          - - - - ORPHANS REMOVED - - - -

          Toolbar-BigBitmap - (no file)
          Toolbar-SmallBitmap - (no file)
          HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
          HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
          AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-12-04 18:41
          Windows 6.0.6002 Service Pack 2 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************

          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
          "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
          "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"

          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ksfvjxai]

          .
          Completion time: 2010-12-04  18:43:56
          ComboFix-quarantined-files.txt  2010-12-04 18:43

          Pre-Run: 166,878,900,224 bytes free
          Post-Run: 167,412,301,824 bytes free

          Current=1 Default=1 Failed=0 LastKnownGood=18 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
          - - End Of File - - 339AAA4D7BEC25A46EB44B87E3991A06
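A defender's helper for reading the ComboFix service and registry sections above (an added example, not ComboFix's or the forum's own code): it parses the R/S service lines, the `*Deregistered*` entry under "Other Services/Drivers In Memory", and the dumped `Services\<name>` keys, then flags a driver that is loaded in memory but has no registered service or `ImagePath`, which is exactly the pattern ksfvjxai shows here. The sample log is a constructed excerpt modelled on this thread's log, and the `review` function and its wording are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the ComboFix log layout seen above (not real tool output).
SAMPLE_LOG = r"""
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]

--- Other Services/Drivers In Memory ---

*Deregistered* - ksfvjxai

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ksfvjxai]

.
"""

# "R2 name;description;path [yyyy-mm-dd size]"  (R = running, S = stopped)
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$"
)
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)$")
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(?P<k>[^"]+)"="(?P<v>.*)"$')


@dataclass
class Service:
    start: str        # e.g. "R2": running, start type 2 (auto)
    name: str
    description: str
    path: str
    date: str
    size: int


def parse_services(log: str) -> list[Service]:
    """Collect the registered services/drivers from the R*/S* lines."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(m["start"], m["name"], m["desc"],
                               m["path"], m["date"], int(m["size"])))
    return out


def parse_deregistered(log: str) -> list[str]:
    """Names ComboFix reports as loaded in memory but no longer registered."""
    return [m["name"] for line in log.splitlines()
            if (m := DEREG_RE.match(line.strip()))]


def parse_service_keys(log: str) -> dict[str, dict[str, str]]:
    """Map each dumped Services\\<name> key to its values (empty if none)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km["name"]
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm["k"]] = vm["v"]
        elif not line:          # blank line closes the key block
            current = None
    return keys


def review(log: str) -> list[str]:
    """Findings a malware-removal helper would want to look at first."""
    findings = []
    listed = {s.name.lower() for s in parse_services(log)}
    for name in parse_deregistered(log):
        note = "in memory but *Deregistered*"
        if name.lower() not in listed:
            note += "; absent from the registered service list"
        findings.append(f"{name}: {note}")
    for name, values in parse_service_keys(log).items():
        if "ImagePath" not in values:
            findings.append(f"{name}: Services key dumped with no ImagePath value")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```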

          SuperDave
          • Malware Removal Specialist
          • Genius
          • Thanked: 1020
          • Experience: Expert
          • OS: Windows 10
          Re: Rootkit file ksfvjxai.sys?
          « Reply #6 on: December 05, 2010, 07:12:36 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Please go to Jotti's malware scan
          (If more than one file needs to be scanned, they must be done separately and a link posted for each one)

          * Copy the file path in the below Code box:

          Code:
          C:\Users\Nashir\Desktop\7ezuevl2.exe
          * At the upload site, click once inside the window next to Browse.
          * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
          * Next click Submit file
          * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          * This will perform a scan across multiple different virus scanning engines.
          * Important: Wait for all of the scanning engines to complete.
          * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
          ********************************************
          SUPERAntiSpyware

          If you already have SUPERAntiSpyware be sure to check for updates before scanning!


          Download SuperAntispyware Free Edition (SAS)
          * Double-click the icon on your desktop to run the installer.
          * When asked to Update the program definitions, click Yes
          * If you encounter any problems while downloading the updates, manually download and unzip them from here
          * Next click the Preferences button.
          * Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
          * Click the Scanning Control tab.
          * Under Scanner Options make sure only the following are checked:
            - Close browsers before scanning
            - Scan for tracking cookies
            - Terminate memory threats before quarantining
            Please leave the others unchecked
          * Click the Close button to leave the control center screen.

          * On the main screen click Scan your computer
          * On the left check the box for the drive you are scanning.
          * On the right choose Perform Complete Scan
          * Click Next to start the scan. Please be patient while it scans your computer.
          * After the scan is complete a summary box will appear. Click OK
          * Make sure everything in the white box has a check next to it, then click Next
          * It will quarantine what it found and if it asks if you want to reboot, click Yes

          To retrieve the removal information please do the following:
          * After reboot, double-click the SUPERAntiSpyware icon on your desktop.
          * Click Preferences. Click the Statistics/Logs tab.
          * Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
          * It will open in your default text editor (preferably Notepad).
          * Save the notepad file to your desktop by clicking (in notepad) File > Save As...
          * Save the log somewhere you can easily find it. (normally the desktop)
          * Click close and close again to exit the program.
          * Copy and Paste the log in your post.
          *****************************************
          Download Security Check by screen317 from one of the following links and save it to your desktop.

          Link 1
          Link 2

          * Unzip SecurityCheck.zip and a folder named Security Check should appear.
          * Open the Security Check folder and double-click Security Check.bat
          * Follow the on-screen instructions inside of the black box.
          * A Notepad document should open automatically called checkup.txt
          * Post the contents of that document in your next reply.

          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
          *****************************************

          Please delete ComboFix from your desktop, download this one and run a new scan and post the logs.

          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
          Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

            kevlarge
            Topic Starter
            Rookie
            • Experience: Beginner
            • OS: Unknown
            Re: Rootkit file ksfvjxai.sys?
            « Reply #7 on: December 05, 2010, 11:57:22 PM »
            Hi Dave

            SUPERAntiSpyware log below:

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 12/05/2010 at 09:15 PM

            Application Version : 4.46.1000

            Core Rules Database Version : 5907
            Trace Rules Database Version: 3719

            Scan type       : Complete Scan
            Total Scan Time : 01:44:59

            Memory items scanned      : 780
            Memory threats detected   : 0
            Registry items scanned    : 13797
            Registry threats detected : 1
            File items scanned        : 128484
            File threats detected     : 191

            Adware.Tracking Cookie

            Trojan.Agent/Gen
               HKU\S-1-5-21-2449012518-1802567105-2469266473-1000\Software\MailBlocker

            Rogue.AntiMalwareDoctor
               C:\Users\Nashir\AppData\Roaming\27B8FA3C168C0AE33F03F93F3C2A3DCD


            Will get the others in due course.

              kevlarge
              Topic Starter
              Rookie
              • Experience: Beginner
              • OS: Unknown
              Re: Rootkit file ksfvjxai.sys?
              « Reply #8 on: December 06, 2010, 12:08:46 AM »
              Security check:

               Results of screen317's Security Check version 0.99.6 
               Windows Vista Service Pack 2 (UAC is enabled)
               Internet Explorer 8 
              ``````````````````````````````
              Antivirus/Firewall Check:

               Windows Firewall Disabled! 
               McAfee SecurityCenter     
               WMI entry may not exist for antivirus; attempting automatic update.
              ```````````````````````````````
              Anti-malware/Other Utilities Check:

               Malwarebytes' Anti-Malware   
               Java(TM) 6 Update 11 
               Out of date Java installed!
               Adobe Flash Player   
              Adobe Reader 9.4.1
              ````````````````````````````````
              Process Check: 
              objlist.exe by Laurent

               McAfee VIRUSS~1 mcshield.exe 
               McAfee VIRUSS~1 mcsysmon.exe 
              ````````````````````````````````
              DNS Vulnerability Check:

               Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

              ``````````End of Log````````````

              kevlarge

                Re: Rootkit file ksfvjxai.sys?
                « Reply #9 on: December 06, 2010, 02:40:06 AM »
                Fresh Combofix log

                ComboFix 10-12-04.03 - Nashir 06/12/2010   7:16.2.2 - x86
                Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.876 [GMT 0:00]
                Running from: c:\users\Nashir\Desktop\commy.exe
                Command switches used :: /stepdel
                SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                 * Resident AV is active

                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                c:\windows\system32\arp.exe

                .
                (((((((((((((((((((((((((   Files Created from 2010-11-06 to 2010-12-06  )))))))))))))))))))))))))))))))
                .

                2010-12-06 07:26 . 2010-12-06 07:26   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
                2010-12-06 07:26 . 2010-12-06 07:26   --------   d-----w-   c:\users\Default\AppData\Local\temp
                2010-12-06 07:05 . 2010-12-06 07:05   --------   d-----w-   c:\users\Nashir\AppData\Local\LogMeIn
                2010-12-06 07:04 . 2010-12-01 15:04   53632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
                2010-12-06 07:04 . 2010-12-01 15:04   29568   ----a-w-   c:\windows\system32\LMIport.dll
                2010-12-06 07:04 . 2010-12-01 15:04   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
                2010-12-06 07:04 . 2010-09-17 15:40   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
                2010-12-06 07:04 . 2010-12-01 15:04   87424   ----a-w-   c:\windows\system32\LMIinit.dll
                2010-12-06 07:04 . 2010-12-06 07:05   --------   d-----w-   c:\programdata\LogMeIn
                2010-12-06 07:04 . 2010-12-06 07:04   --------   d-----w-   c:\program files\LogMeIn
                2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com
                2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                2010-12-05 19:21 . 2010-12-05 19:22   --------   d-----w-   c:\program files\SUPERAntiSpyware
                2010-12-05 19:06 . 2010-12-05 19:06   388096   ----a-r-   c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                2010-12-05 19:06 . 2010-12-05 19:06   --------   d-----w-   c:\program files\Trend Micro
                2010-12-05 16:12 . 2010-05-26 10:45   18816   ------w-   c:\windows\system32\SAVRKBootTasks.sys
                2010-12-05 13:25 . 2010-12-05 13:25   --------   d-----w-   c:\program files\Sophos
                2010-12-05 13:06 . 2010-12-05 13:06   --------   d-----w-   c:\program files\Unlocker
                2010-12-03 13:07 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5D07C6F-44E4-427D-9D8E-B7985FB9AA3D}\mpengine.dll
                2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
                2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
                2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
                2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
                2010-11-06 11:37 . 2010-11-06 11:37   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
                2010-09-17 15:39 . 2010-09-17 15:39   25248   ----a-w-   c:\windows\system32\lmimirr.dll
                2010-09-17 15:39 . 2010-09-17 15:39   11552   ----a-w-   c:\windows\system32\lmimirr2.dll
                2010-09-17 15:39 . 2010-09-17 15:39   10144   ----a-w-   c:\windows\system32\drivers\lmimirr.sys
                2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
                2010-09-08 06:01 . 2010-10-13 09:06   916480   ----a-w-   c:\windows\system32\wininet.dll
                2010-09-08 05:57 . 2010-10-13 09:06   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                2010-09-08 05:57 . 2010-10-13 09:06   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
                2010-09-08 05:56 . 2010-10-13 09:05   71680   ----a-w-   c:\windows\system32\iesetup.dll
                2010-09-08 05:56 . 2010-10-13 09:05   109056   ----a-w-   c:\windows\system32\iesysprep.dll
                2010-09-08 05:04 . 2010-10-13 09:06   385024   ----a-w-   c:\windows\system32\html.iec
                2010-09-08 04:26 . 2010-10-13 09:05   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
                2010-09-08 04:25 . 2010-10-13 09:05   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
                "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
                "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]
                "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
                "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
                "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
                "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
                "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
                "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
                "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
                "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
                "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
                "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
                "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
                "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
                "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
                "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
                "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
                "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
                "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]

                c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

                c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                "EnableUIADesktopToggle"= 0 (0x0)

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
                2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
                @=""

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                @=""

                [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                "AntiVirusOverride"=""
                "FirewallOverride"=""

                R1 rqmophar;rqmophar;c:\windows\system32\drivers\rqmophar.sys

                R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
                R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp

                R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
                R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]
                R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672]
                R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328]
                R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
                S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
                S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
                S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
                S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-01 374152]
                S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
                S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
                S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
                S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
                S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
                S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]
                S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472]
                S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616]


                --- Other Services/Drivers In Memory ---

                *NewlyCreated* - LMIINFO
                *NewlyCreated* - LMIRFSDRIVER
                *Deregistered* - ksfvjxai

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                bthsvcs   REG_MULTI_SZ      BthServ
                LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                .
                Contents of the 'Scheduled Tasks' folder

                2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                2010-05-15 c:\windows\Tasks\McDefragTask.job
                - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                2009-07-31 c:\windows\Tasks\McQcTask.job
                - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                2010-12-05 c:\windows\Tasks\ParetoLogic Registration3.job
                - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

                2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job
                - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

                2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job
                - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                2010-10-27 c:\windows\Tasks\PC Health Advisor.job
                - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                2010-12-05 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
                - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
                .
                .
                ------- Supplementary Scan -------
                .
                uStart Page = hxxp://www.bbc.co.uk/
                mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
                uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
                IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
                IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
                IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
                .

                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2010-12-06 07:26
                Windows 6.0.6002 Service Pack 2 NTFS

                scanning hidden processes ... 

                scanning hidden autostart entries ...

                scanning hidden files ... 

                scan completed successfully
                hidden files: 0

                **************************************************************************

                [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
                "ImagePath"="\??\c:\windows\system32\2107.tmp"

                [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
                "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

                [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
                "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"

                [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ksfvjxai]

                .
                Completion time: 2010-12-06  07:29:17
                ComboFix-quarantined-files.txt  2010-12-06 07:29
                ComboFix2.txt  2010-12-04 18:43

                Pre-Run: 167,849,021,440 bytes free
                Post-Run: 167,831,252,992 bytes free

                Current=1 Default=1 Failed=0 LastKnownGood=18 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
                - - End Of File - - 8BCE30D505C295B04DDCC994FC4AE0FF
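
A triage pass over the ComboFix service/driver lines in the log above, added here as an example; it is not ComboFix's code and is not from the thread. It relies only on the line shapes visible in the log: ComboFix appends a trailing "[date size]" to a driver entry when it could read the image file, and the "Other Services/Drivers In Memory" section tags drivers as *NewlyCreated* or *Deregistered*. The sample lines are an excerpt constructed from the posted log, and the random-name check is a heuristic of mine, not something ComboFix does.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the ComboFix log above, kept in the
# shape ComboFix uses for service/driver entries and for its in-memory section.
SAMPLE_LOG = [
    r"R1 rqmophar;rqmophar;c:\windows\system32\drivers\rqmophar.sys",
    r"R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]",
    r"R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp",
    r"R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]",
    r"S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]",
    "",
    "--- Other Services/Drivers In Memory ---",
    "",
    "*NewlyCreated* - LMIINFO",
    "*NewlyCreated* - LMIRFSDRIVER",
    "*Deregistered* - ksfvjxai",
]

# R = running, S = stopped; the digit is the start type (0 boot, 1 system,
# 2 auto, 3 manual). The trailing "[date size]" only appears when ComboFix
# could read the image file at that path.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)
MEMORY_RE = re.compile(r"^\*(?P<tag>NewlyCreated|Deregistered)\*\s+-\s+(?P<name>\S+)\s*$")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (mine, not ComboFix's): eight lowercase letters with at most
    two vowels, the pattern of both driver names in this thread. Legitimate
    names will occasionally trip it, so treat a hit as a prompt to look."""
    return bool(re.fullmatch(r"[a-z]{8}", name)) and sum(c in VOWELS for c in name) <= 2


def triage_services(lines):
    """Return {service name: [reasons]} for entries that deserve a second look."""
    findings = defaultdict(list)
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, path = m["name"], m["path"].lower()
        if m["date"] is None:
            # Registered (and running, for R*) yet no file stamp: the image
            # could not be read at that path, which is what a hidden or
            # already-removed file looks like from user mode.
            findings[name].append("no_file_stamp")
        if path.endswith(".tmp"):
            # A kernel driver loaded from a .tmp file is unusual enough to
            # always check, whichever product dropped it.
            findings[name].append("tmp_image")
        if looks_random(name):
            findings[name].append("random_name")
    return dict(findings)


def in_memory_anomalies(lines):
    """Drivers ComboFix saw loaded in memory that were created during the run
    (*NewlyCreated*) or have no matching visible registration (*Deregistered*)."""
    out = {"NewlyCreated": [], "Deregistered": []}
    for line in lines:
        m = MEMORY_RE.match(line)
        if m:
            out[m["tag"]].append(m["name"])
    return out


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_LOG).items():
        print(f"{name:12} {', '.join(reasons)}")
    print(in_memory_anomalies(SAMPLE_LOG))
```

On the posted log this singles out rqmophar (no file stamp, random-looking name), MEMSWEEP2 (no file stamp, .tmp image) and the deregistered ksfvjxai; the clean entries with a date and size fall through untouched.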

                kevlarge

                  Re: Rootkit file ksfvjxai.sys?
                  « Reply #10 on: December 06, 2010, 06:04:15 AM »
Hi, Jotti's site is down; is there another scan site that you recommend?

                  kevlarge

                    Re: Rootkit file ksfvjxai.sys?
                    « Reply #11 on: December 06, 2010, 11:49:01 AM »

                    SuperDave

                    • Malware Removal Specialist


                    Re: Rootkit file ksfvjxai.sys?
                    « Reply #12 on: December 06, 2010, 01:26:16 PM »
                    Update Your Java (JRE)

                    Old versions of Java have vulnerabilities that malware can use to infect your system.


                    First Verify your Java Version

                    If there are any other version(s) installed then update now.

                    Get the new version (if needed)

                    If your version is out of date install the newest version of the Sun Java Runtime Environment.

                    Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

                    Be sure to close ALL open web browsers before starting the installation.

                    Remove any old versions

                    1. Download JavaRa and unzip the file to your Desktop.
                    2. Open JavaRA.exe and choose Remove Older Versions
                    3. Once complete exit JavaRA.
                    4. Run CCleaner.

                    Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
                    ***************************************
                    Please go to Jotti's malware scan
(If more than one file needs to be scanned, they must be done separately and a link posted for each one)

                    * Copy the file path in the below Code box:

Code:
                    c:\windows\system32\drivers\rqmophar.sys 
                    * At the upload site, click once inside the window next to Browse.
                    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                    * Next click Submit file
                    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                    * This will perform a scan across multiple different virus scanning engines.
                    * Important: Wait for all of the scanning engines to complete.
                    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
                    ***********************************************
                    Why do you have this file: C:\Users\Nashir\Desktop\7ezuevl2.exe on your desktop?

                    ****************************************************

                    SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                    http://sites.google.com/site/sysprotantirootkit/

                    Unzip it into a folder on your desktop.
• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
  • Process << Selected
  • Kernel Modules << Selected
  • SSDT << Selected
  • Kernel Hooks << Selected
  • IRP Hooks << NOT Selected
  • Ports << NOT Selected
  • Hidden Files << Selected
• At the bottom of the page
  • Hidden Objects Only << Selected
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was

                    kevlarge

                      Re: Rootkit file ksfvjxai.sys?
                      « Reply #13 on: December 06, 2010, 02:22:36 PM »
                      Java 6.22 installed

                      Old versions uninstalled

                      CCleaner run

Scan file with Jotti's scan c:\windows\system32\drivers\rqmophar.sys  "File Not found"

\Users\Nashir\Desktop\7ezuevl2.exe on the desktop = GMER rootkit detector

                      Sysprot log:

                      SysProt AntiRootkit v1.0.1.0
                      by swatkat

                      ******************************************************************************************
                      ******************************************************************************************

                      No Hidden Processes found

                      ******************************************************************************************
                      ******************************************************************************************
                      Kernel Modules:
                      Module Name: C:\Windows\System32\Drivers\ksfvjxai.sys
                      Service Name: ksfvjxai
                      Module Base: 8070B000
                      Module End: 807DE000
                      Hidden: Yes

                      Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
                      Service Name: ---
                      Module Base: 8DB12000
                      Module End: 8DB1D000
                      Hidden: Yes

                      Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
                      Service Name: ---
                      Module Base: 8DB1D000
                      Module End: 8DB27000
                      Hidden: Yes

                      Module Name: \??\C:\Users\Nashir\AppData\Local\Temp\catchme.sys
                      Service Name: catchme
                      Module Base: AF3EE000
                      Module End: AF3F6000
                      Hidden: Yes

                      Module Name: \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
                      Service Name: ---
                      Module Base: AF3FA000
                      Module End: AF3FC000
                      Hidden: Yes

                      ******************************************************************************************
                      ******************************************************************************************
                      SSDT:
                      Function Name: ZwTerminateProcess
                      Address: 8CFB1620
                      Driver Base: 8CFA7000
                      Driver End: 8CFC9000
                      Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

                      ******************************************************************************************
                      ******************************************************************************************
                      Kernel Hooks:
                      Hooked Function: ZwCreateUserProcess
                      At Address: 82BDDB82
                      Jump To: 8DA24766
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwYieldExecution
                      At Address: 82A3F9D2
                      Jump To: 8DA247CC
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwUnmapViewOfSection
                      At Address: 82C247BD
                      Jump To: 8DA247F6
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwTerminateProcess
                      At Address: 82C04DA3
                      Jump To: 8DA2480F
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwSetInformationProcess
                      At Address: 82C28528
                      Jump To: 8DA2477A
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwSetContextThread
                      At Address: 82CA63C7
                      Jump To: 8DA2478E
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwRestoreKey
                      At Address: 82C668D2
                      Jump To: 8DA24837
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwReplaceKey
                      At Address: 82C67AD6
                      Jump To: 8DA2484B
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwProtectVirtualMemory
                      At Address: 82C2DF3D
                      Jump To: 8DA247B6
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwOpenThread
                      At Address: 82C3015A
                      Jump To: 8DA24728
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwOpenProcess
                      At Address: 82C34C08
                      Jump To: 8DA24714
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwNotifyChangeKey
                      At Address: 82BD35B5
                      Jump To: 8DA24823
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwMapViewOfSection
                      At Address: 82C244FA
                      Jump To: 8DA247E0
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwCreateProcessEx
                      At Address: 82CA590A
                      Jump To: 8DA24750
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwCreateProcess
                      At Address: 82CA58BF
                      Jump To: 8DA2473C
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: ZwCreateFile
                      At Address: 82C55E5B
                      Jump To: 8DA247A2
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      Hooked Function: PsSetContextThread
                      At Address: 82CA63C7
                      Jump To: 8DA2478E
                      Module Name: C:\Windows\system32\drivers\mfehidk.sys

                      ******************************************************************************************
                      ******************************************************************************************
                      No hidden files/folders found

                      Cheers, K
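
A parser for the SysProt log format used in the procedure of Reply #12 and the log of Reply #13, added here as an example; it is not SysProt's code and not from the thread. It reads the "Kernel Modules" and "Kernel Hooks" sections, separates hidden modules that every scanner reports on Vista (the crash-dump copies of the storage stack, dump_*.sys, which load without a service entry) and the scanners' own drivers (catchme.sys, PROCEXP*.SYS) from anything left over, and totals the kernel hooks per hooking module so one can see whether each hooking driver belongs to a product known to be installed. The sample log is an excerpt constructed from the log above; the list of expected hidden modules is my assumption for this thread, not a SysProt feature.

```python
import re

# Constructed excerpt of a SysProt AntiRootkit log, copied from the log posted
# above (module base/end and hook addresses as posted).
SAMPLE_LOG = """\
Kernel Modules:
Module Name: C:\\Windows\\System32\\Drivers\\ksfvjxai.sys
Service Name: ksfvjxai
Module Base: 8070B000
Module End: 807DE000
Hidden: Yes

Module Name: \\SystemRoot\\System32\\Drivers\\dump_dumpata.sys
Service Name: ---
Module Base: 8DB12000
Module End: 8DB1D000
Hidden: Yes

Module Name: \\??\\C:\\Users\\Nashir\\AppData\\Local\\Temp\\catchme.sys
Service Name: catchme
Module Base: AF3EE000
Module End: AF3F6000
Hidden: Yes

Kernel Hooks:
Hooked Function: ZwCreateUserProcess
At Address: 82BDDB82
Jump To: 8DA24766
Module Name: C:\\Windows\\system32\\drivers\\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 82C34C08
Jump To: 8DA24714
Module Name: C:\\Windows\\system32\\drivers\\mfehidk.sys
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")      # "Kernel Modules:"
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")    # "Module Base: 8070B000"

# Hidden modules that are expected on this machine (assumption for this
# thread): Windows' crash-dump driver copies and the rootkit scanners' own
# drivers. Everything else hidden is worth explaining.
EXPECTED_HIDDEN = (
    re.compile(r"\\dump_[^\\]+\.sys$", re.I),
    re.compile(r"\\catchme\.sys$", re.I),
    re.compile(r"\\PROCEXP\d+\.SYS$", re.I),
)


def parse_sysprot(text):
    """Return {section: [record, ...]}, each record a dict of the log's fields.
    Records are blank-line separated; a line that is only "Name:" opens a section."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
            continue
        if not line:
            if record and current is not None:
                sections[current].append(record)
            record = {}
            continue
        fld = FIELD_RE.match(line)
        if fld and current is not None:
            record[fld.group(1)] = fld.group(2)
    return sections


def module_size(rec):
    """Size in bytes from the hexadecimal base/end addresses SysProt prints."""
    return int(rec["Module End"], 16) - int(rec["Module Base"], 16)


def suspicious_hidden_modules(sections):
    """(path, service name, KiB) for hidden kernel modules that are neither a
    crash-dump driver copy nor a scanner's own driver."""
    out = []
    for rec in sections.get("Kernel Modules", []):
        if rec.get("Hidden") != "Yes":
            continue
        path = rec["Module Name"]
        if any(p.search(path) for p in EXPECTED_HIDDEN):
            continue
        out.append((path, rec.get("Service Name", "---"), module_size(rec) // 1024))
    return out


def hooks_by_module(sections):
    """Number of hooked kernel functions per hooking module."""
    counts = {}
    for rec in sections.get("Kernel Hooks", []):
        counts[rec["Module Name"]] = counts.get(rec["Module Name"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_sysprot(SAMPLE_LOG)
    for path, svc, kib in suspicious_hidden_modules(parsed):
        print(f"hidden, unexplained: {path} (service {svc}, {kib} KiB)")
    for module, n in hooks_by_module(parsed).items():
        print(f"{n} hook(s) from {module}")
```

On the posted log the only unexplained hidden module is ksfvjxai.sys, an 844 KiB image loaded low in kernel space with a matching service name; the inline hooks all belong to mfehidk.sys, which sits beside the McAfee processes the Security Check log lists, and the one SSDT entry belongs to SUPERAntiSpyware's SASKUTIL.SYS, so neither hook set points at the rootkit.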


                      SuperDave

                      • Malware Removal Specialist


                      Re: Rootkit file ksfvjxai.sys?
                      « Reply #14 on: December 06, 2010, 07:33:10 PM »
                      Please go to Jotti's malware scan
(If more than one file needs to be scanned, they must be done separately and a link posted for each one)

                      * Copy the file path in the below Code box:

Code:
                      C:\Windows\System32\Drivers\ksfvjxai.sys
                       

                      * At the upload site, click once inside the window next to Browse.
                      * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                      * Next click Submit file
                      * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                      * This will perform a scan across multiple different virus scanning engines.
                      * Important: Wait for all of the scanning engines to complete.
                      * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
                      Windows 8 and Windows 10 dual boot with two SSD's

                      kevlarge

                        Topic Starter


                        Rookie

                        • Experience: Beginner
                        • OS: Unknown
                        Re: Rootkit file ksfvjxai.sys?
                        « Reply #15 on: December 06, 2010, 11:18:56 PM »
                        Hi

                        Window opens with the following message:

                        Choose file to upload

                        ksfvjxai.sys
                        A device attached to the system is not functioning

                        K

                        SuperDave

                        • Malware Removal Specialist


                        • Genius
                        • Thanked: 1020
                        • Certifications: List
                        • Experience: Expert
                        • OS: Windows 10
                        Re: Rootkit file ksfvjxai.sys?
                        « Reply #16 on: December 07, 2010, 10:41:59 AM »
                        Re-running ComboFix to remove infections:

                        • Close any open browsers.
                        • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                        • Open notepad and copy/paste the text in the quotebox below into it:
                          Quote
                          KillAll::

                          File::
                          C:\Windows\System32\Drivers\ksfvjxai.sys
                          c:\windows\system32\drivers\rqmophar.sys

                          Registry::
                          [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ksfvjxai]

                          Rootkit::
                          C:\Windows\System32\Drivers\ksfvjxai.sys
                          c:\windows\system32\drivers\rqmophar.sys

                          Driver::
                          rqmophar
                          ksfvjxai

                        • Save this as CFScript.txt, in the same location as ComboFix.exe



                        • Referring to the picture above, drag CFScript into ComboFix.exe
                        • When finished, it shall produce a log for you at C:\ComboFix.txt
                        • Please post the contents of the log in your next reply.

                        kevlarge

                          Topic Starter


                          Rookie

                          • Experience: Beginner
                          • OS: Unknown
                          Re: Rootkit file ksfvjxai.sys?
                          « Reply #17 on: December 07, 2010, 11:59:08 AM »
                          Ooh - Can't open Internet Explorer now: "Illegal operation attempted on a registry key that has been marked for deletion"

                          This is the Combofix log file, posted via another workstation:

                          ComboFix 10-12-06.04 - Nashir 07/12/2010  18:34:01.3.2 - x86
                          Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.975 [GMT 0:00]
                          Running from: c:\users\Nashir\Desktop\COMMY.exe
                          Command switches used :: c:\users\Nashir\Desktop\CFScript.txt
                          SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                          SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

                          FILE ::
                          "c:\windows\System32\Drivers\ksfvjxai.sys"
                          "c:\windows\system32\drivers\rqmophar.sys"
                          .

                          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                          .

                          .
                          (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                          .

                          -------\Legacy_KSFVJXAI
                          -------\Service_ksfvjxai
                          -------\Service_rqmophar


                          (((((((((((((((((((((((((   Files Created from 2010-11-07 to 2010-12-07  )))))))))))))))))))))))))))))))
                          .

                          2010-12-07 18:41 . 2010-12-07 18:47   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
                          2010-12-07 18:41 . 2010-12-07 18:41   --------   d-----w-   c:\users\Default\AppData\Local\temp
                          2010-12-07 06:18 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll
                          2010-12-06 21:07 . 2010-12-06 21:08   --------   d-----w-   c:\program files\CCleaner
                          2010-12-06 20:53 . 2010-12-06 20:53   --------   d-----w-   c:\program files\Common Files\Java
                          2010-12-06 20:53 . 2010-09-15 04:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                          2010-12-06 09:37 . 2010-12-06 09:37   --------   d-----w-   c:\users\LogMeInRemoteUser
                          2010-12-06 07:05 . 2010-12-06 07:05   --------   d-----w-   c:\users\Nashir\AppData\Local\LogMeIn
                          2010-12-06 07:04 . 2010-12-01 15:04   53632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
                          2010-12-06 07:04 . 2010-12-01 15:04   29568   ----a-w-   c:\windows\system32\LMIport.dll
                          2010-12-06 07:04 . 2010-12-01 15:04   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
                          2010-12-06 07:04 . 2010-09-17 15:40   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
                          2010-12-06 07:04 . 2010-12-01 15:04   87424   ----a-w-   c:\windows\system32\LMIinit.dll
                          2010-12-06 07:04 . 2010-12-07 06:13   --------   d-----w-   c:\programdata\LogMeIn
                          2010-12-06 07:04 . 2010-12-06 07:04   --------   d-----w-   c:\program files\LogMeIn
                          2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com
                          2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                          2010-12-05 19:21 . 2010-12-05 19:22   --------   d-----w-   c:\program files\SUPERAntiSpyware
                          2010-12-05 19:06 . 2010-12-05 19:06   388096   ----a-r-   c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                          2010-12-05 19:06 . 2010-12-05 19:06   --------   d-----w-   c:\program files\Trend Micro
                          2010-12-05 16:12 . 2010-05-26 10:45   18816   ------w-   c:\windows\system32\SAVRKBootTasks.sys
                          2010-12-05 13:25 . 2010-12-05 13:25   --------   d-----w-   c:\program files\Sophos
                          2010-12-05 13:06 . 2010-12-05 13:06   --------   d-----w-   c:\program files\Unlocker
                          2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
                          2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
                          2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
                          2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat

                          .
                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2010-12-07 18:43 . 2010-09-25 08:48   843264   ----a-w-   c:\windows\system32\drivers\ksfvjxai.sys
                          2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                          2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                          2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
                          2010-09-17 15:39 . 2010-09-17 15:39   25248   ----a-w-   c:\windows\system32\lmimirr.dll
                          2010-09-17 15:39 . 2010-09-17 15:39   11552   ----a-w-   c:\windows\system32\lmimirr2.dll
                          2010-09-17 15:39 . 2010-09-17 15:39   10144   ----a-w-   c:\windows\system32\drivers\lmimirr.sys
                          2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
                          .

                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          *Note* empty entries & legit default entries are not shown
                          REGEDIT4

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                          "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
                          "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
                          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]
                          "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
                          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
                          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
                          "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
                          "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
                          "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
                          "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
                          "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
                          "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
                          "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
                          "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
                          "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
                          "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
                          "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
                          "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
                          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
                          "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
                          "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
                          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

                          c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                          Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                          Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

                          c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                          Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                          "EnableUIADesktopToggle"= 0 (0x0)

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
                          2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
                          @=""

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                          @=""

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                          "AntiVirusOverride"=""
                          "FirewallOverride"=""

                          R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                          R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
                          S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
                          S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
                          S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
                          S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
                          S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
                          S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]


                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                          bthsvcs   REG_MULTI_SZ      BthServ
                          LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                          .
                          Contents of the 'Scheduled Tasks' folder

                          2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                          - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                          2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                          - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                          2010-05-15 c:\windows\Tasks\McDefragTask.job
                          - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                          2009-07-31 c:\windows\Tasks\McQcTask.job
                          - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                          2010-12-07 c:\windows\Tasks\ParetoLogic Registration3.job
                          - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

                          2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job
                          - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

                          2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job
                          - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                          2010-10-27 c:\windows\Tasks\PC Health Advisor.job
                          - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                          2010-12-07 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
                          - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
                          .
                          .
                          ------- Supplementary Scan -------
                          .
                          uStart Page = hxxp://www.bbc.co.uk/
                          mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
                          uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
                          IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
                          IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
                          IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
                          .

                          **************************************************************************
                          scanning hidden processes ... 

                          scanning hidden autostart entries ...

                          scanning hidden files ... 

                          scan completed successfully
                          hidden files:

                          **************************************************************************

                          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
                          "ImagePath"="\??\c:\windows\system32\2107.tmp"

                          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
                          "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

                          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
                          "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
                          .
                          --------------------- DLLs Loaded Under Running Processes ---------------------

                          - - - - - - - > 'Explorer.exe'(5560)
                          c:\program files\Unlocker\UnlockerHook.dll
                          c:\progra~1\mcafee\SITEAD~1\saHook.dll
                          c:\windows\system32\btmmhook.dll
                          c:\windows\system32\btncopy.dll
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
                          c:\program files\Thomson\ST330\service\st330service.exe
                          c:\windows\system32\msinfo32.exe
                          c:\windows\System32\WLTRYSVC.EXE
                          c:\windows\System32\bcmwltry.exe
                          c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
                          c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
                          c:\program files\LogMeIn\x86\RaMaint.exe
                          c:\program files\LogMeIn\x86\LogMeIn.exe
                          c:\program files\McAfee\SiteAdvisor\McSACore.exe
                          c:\program files\Common Files\Motive\McciCMService.exe
                          c:\windows\system32\rundll32.exe
                          c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
                          c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
                          c:\program files\McAfee\MPF\MPFSrv.exe
                          c:\program files\McAfee\MSK\MskSrver.exe
                          c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
                          c:\progra~1\McAfee\MSC\mcmscsvc.exe
                          c:\progra~1\mcafee.com\agent\mcagent.exe
                          c:\windows\system32\igfxsrvc.exe
                          c:\windows\ehome\ehmsas.exe
                          c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
                          c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
                          c:\program files\Synaptics\SynTP\SynTPHelper.exe
                          c:\windows\system32\WerFault.exe
                          c:\program files\Dell Support Center\bin\sprtsvc.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2010-12-07  18:53:44 - machine was rebooted
                          ComboFix-quarantined-files.txt  2010-12-07 18:53
                          ComboFix2.txt  2010-12-06 07:29
                          ComboFix3.txt  2010-12-04 18:43

                          Pre-Run: 172,233,457,664 bytes free
                          Post-Run: 171,874,471,936 bytes free

                          - - End Of File - - 5B2C30AC82EE04F5A32589E7617084B5
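The CFScript in Reply #16 asks ComboFix to delete two driver files, a service key and two driver services, and the log above is the only record of what actually happened: the Drivers/Services section shows both services gone, yet the Find3M report still lists ksfvjxai.sys with a fresh timestamp, which is why the file is still there in the next reply. The following Python is an added example (not code from this thread, and not ComboFix's own tooling) that parses the CFScript sections and the log banners and reports, per requested item, whether the log confirms deletion or still shows the file on disk; the sample script and log excerpt are constructed from Reply #16 and the log above, and the function names are mine.

```python
# Added example (not from this thread or ComboFix): cross-check a CFScript against the log ComboFix produced.
import re

# Sample CFScript, constructed from the script posted in Reply #16.
CFSCRIPT = r"""
KillAll::
File::
C:\Windows\System32\Drivers\ksfvjxai.sys
c:\windows\system32\drivers\rqmophar.sys
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ksfvjxai]
Rootkit::
C:\Windows\System32\Drivers\ksfvjxai.sys
c:\windows\system32\drivers\rqmophar.sys
Driver::
rqmophar
ksfvjxai
"""

# Sample log excerpt, constructed from the lines posted in Reply #17: the two
# services were removed, but ksfvjxai.sys is listed again under Find3M.
COMBOFIX_LOG = r"""
((((((((((((((((((((   Other Deletions   ))))))))))))))))))))
.
((((((((((((((((((((   Drivers/Services   ))))))))))))))))))))
.
-------\Legacy_KSFVJXAI
-------\Service_ksfvjxai
-------\Service_rqmophar
.
((((((((((((((((((((   Find3M Report   ))))))))))))))))))))
.
2010-12-07 18:43 . 2010-09-25 08:48   843264   ----a-w-   c:\windows\system32\drivers\ksfvjxai.sys
2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
.
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                      # (((( Title ))))
SERVICE_RE = re.compile(r"^-+\\(?:Service|Legacy)_(.+)$", re.IGNORECASE)
FILE_ENTRY_RE = re.compile(                                           # date . date size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$"
)

def norm_path(path: str) -> str:
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().strip('"').lower()

def split_sections(text: str, header) -> dict:
    """Group non-empty lines under headers; header(line) returns a section name or None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":            # ComboFix pads its sections with "."
            continue
        name = header(line)
        if name is not None:
            current = name
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_cfscript(text: str) -> dict:
    """CFScript sections start with 'Name::' and hold one item per line."""
    return split_sections(text, lambda l: l[:-2] if l.endswith("::") else None)

def parse_combofix_log(text: str) -> dict:
    """ComboFix log sections start with a '(((( Title ))))' banner."""
    return split_sections(text, lambda l: (m.group(1) if (m := BANNER_RE.match(l)) else None))

def files_still_listed(log: dict) -> set:
    """Paths the post-run listings (Files Created / Find3M) still show on disk."""
    present = set()
    for title, entries in log.items():
        if title.startswith("Files Created") or title == "Find3M Report":
            for entry in entries:
                m = FILE_ENTRY_RE.match(entry)
                if m:
                    present.add(norm_path(m.group(1)))
    return present

def verify_cleanup(cfscript: str, log_text: str) -> dict:
    """Per requested file and driver, report what the ComboFix log confirms."""
    script = parse_cfscript(cfscript)
    log = parse_combofix_log(log_text)
    deleted = {norm_path(p) for p in log.get("Other Deletions", [])}
    present = files_still_listed(log)
    gone = {m.group(1).lower() for m in map(SERVICE_RE.match, log.get("Drivers/Services", [])) if m}
    files = {}
    for path in script.get("File", []) + script.get("Rootkit", []):
        key = norm_path(path)
        if key in present:
            files[key] = "still present"       # re-created after deletion: another pass is needed
        elif key in deleted:
            files[key] = "deleted"
        else:
            files[key] = "not reported"
    drivers = {d.lower(): d.lower() in gone for d in script.get("Driver", [])}
    return {"files": files, "drivers": drivers}
```

Run `verify_cleanup(CFSCRIPT, COMBOFIX_LOG)` to get the per-item report; against the Reply #17 excerpt it marks both services removed, ksfvjxai.sys "still present" and rqmophar.sys "not reported".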

                          kevlarge

                            Topic Starter


                            Rookie

                            • Experience: Beginner
                            • OS: Unknown
                            Re: Rootkit file ksfvjxai.sys?
                            « Reply #18 on: December 07, 2010, 11:43:07 PM »
                            Interesting - rebooted the machine again, and IE is back up and running. However, ksfvjxai.sys is still there.

                            K

                            SuperDave

                            • Malware Removal Specialist


                            • Genius
                            • Thanked: 1020
                            • Certifications: List
                            • Experience: Expert
                            • OS: Windows 10
                            Re: Rootkit file ksfvjxai.sys?
                            « Reply #19 on: December 08, 2010, 12:49:44 PM »
                            Ok. Let's try this one more time.

                            Re-running ComboFix to remove infections:

                            • Close any open browsers.
                            • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                            • Open notepad and copy/paste the text in the quotebox below into it:
                              Quote
                              KillAll::

                              File::
                              c:\windows\system32\drivers\ksfvjxai.sys

                            • Save this as CFScript.txt, in the same location as ComboFix.exe



                            • Referring to the picture above, drag CFScript into ComboFix.exe
                            • When finished, it shall produce a log for you at C:\ComboFix.txt
                            • Please post the contents of the log in your next reply.
                            ****************************************
                            Please run the SysProt Antirootkit as instructed in Reply #12

                            kevlarge

                              Topic Starter


                              Rookie

                              • Experience: Beginner
                              • OS: Unknown
                              Re: Rootkit file ksfvjxai.sys?
                              « Reply #20 on: December 09, 2010, 08:59:03 AM »
                              Hi

                              Ran ComboFix - it updated itself; then I ran it again as requested. The PC rebooted, then it did a chkdsk, rebooted, but no log was produced, so I ran ComboFix again. This time a log was produced, as below:

                              ComboFix 10-12-08.04 - Nashir 09/12/2010  12:55:21.4.2 - x86
                              Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.846 [GMT 0:00]
                              Running from: c:\users\Nashir\Desktop\COMMY.exe
                              Command switches used :: c:\users\Nashir\Desktop\CFScript.txt
                              SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                              SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

                              FILE ::
                              "c:\windows\system32\drivers\ksfvjxai.sys"
                              .

                              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                              .

                              c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1DE.tmp
                              c:\windows\system32\drivers\ksfvjxai.sys

                              .
                              (((((((((((((((((((((((((   Files Created from 2010-11-09 to 2010-12-09  )))))))))))))))))))))))))))))))
                              .

                              2010-12-09 13:03 . 2010-12-09 13:06   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
                              2010-12-09 13:03 . 2010-12-09 13:03   --------   d-----w-   c:\users\Default\AppData\Local\temp
                              2010-12-09 12:39 . 2010-12-09 12:39   --------   d-----w-   C:\found.000
                              2010-12-07 06:18 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll
                              2010-12-06 21:07 . 2010-12-06 21:08   --------   d-----w-   c:\program files\CCleaner
                              2010-12-06 20:53 . 2010-12-06 20:53   --------   d-----w-   c:\program files\Common Files\Java
                              2010-12-06 20:53 . 2010-09-15 04:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                              2010-12-06 09:37 . 2010-12-06 09:37   --------   d-----w-   c:\users\LogMeInRemoteUser
                              2010-12-06 07:05 . 2010-12-06 07:05   --------   d-----w-   c:\users\Nashir\AppData\Local\LogMeIn
                              2010-12-06 07:04 . 2010-12-01 15:04   53632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
                              2010-12-06 07:04 . 2010-12-01 15:04   29568   ----a-w-   c:\windows\system32\LMIport.dll
                              2010-12-06 07:04 . 2010-12-01 15:04   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
                              2010-12-06 07:04 . 2010-09-17 15:40   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
                              2010-12-06 07:04 . 2010-12-01 15:04   87424   ----a-w-   c:\windows\system32\LMIinit.dll
                              2010-12-06 07:04 . 2010-12-09 12:25   --------   d-----w-   c:\programdata\LogMeIn
                              2010-12-06 07:04 . 2010-12-06 07:04   --------   d-----w-   c:\program files\LogMeIn
                              2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com
                              2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                              2010-12-05 19:21 . 2010-12-05 19:22   --------   d-----w-   c:\program files\SUPERAntiSpyware
                              2010-12-05 19:06 . 2010-12-05 19:06   388096   ----a-r-   c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                              2010-12-05 19:06 . 2010-12-05 19:06   --------   d-----w-   c:\program files\Trend Micro
                              2010-12-05 16:12 . 2010-05-26 10:45   18816   ------w-   c:\windows\system32\SAVRKBootTasks.sys
                              2010-12-05 13:25 . 2010-12-05 13:25   --------   d-----w-   c:\program files\Sophos
                              2010-12-05 13:06 . 2010-12-05 13:06   --------   d-----w-   c:\program files\Unlocker
                              2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
                              2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
                              2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
                              2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat

                              .
                              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                              2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                              2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
                              2010-09-17 15:39 . 2010-09-17 15:39   25248   ----a-w-   c:\windows\system32\lmimirr.dll
                              2010-09-17 15:39 . 2010-09-17 15:39   11552   ----a-w-   c:\windows\system32\lmimirr2.dll
                              2010-09-17 15:39 . 2010-09-17 15:39   10144   ----a-w-   c:\windows\system32\drivers\lmimirr.sys
                              2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
                              .

                              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              .
                              *Note* empty entries & legit default entries are not shown
                              REGEDIT4

                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                              "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
                              "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
                              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]
                              "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
                              "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
                              "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
                              "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
                              "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
                              "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
                              "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
                              "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
                              "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
                              "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
                              "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
                              "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
                              "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
                              "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
                              "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
                              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
                              "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
                              "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
                              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

                              c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                              Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                              c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                              Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

                              c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                              Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                              "EnableUIADesktopToggle"= 0 (0x0)

                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
                              2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

                              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
                              @=""

                              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                              @=""

                              [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                              "AntiVirusOverride"=""
                              "FirewallOverride"=""

                              R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                              R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
                              R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp

                              R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
                              R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]
                              R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672]
                              R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328]
                              R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                              S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
                              S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                              S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                              S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
                              S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
                              S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
                              S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-01 374152]
                              S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
                              S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
                              S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
                              S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
                              S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
                              S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]
                              S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472]
                              S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616]


                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                              bthsvcs   REG_MULTI_SZ      BthServ
                              LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                              .
                              Contents of the 'Scheduled Tasks' folder

                              2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                              - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                              2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                              - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                              2010-05-15 c:\windows\Tasks\McDefragTask.job
                              - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                              2009-07-31 c:\windows\Tasks\McQcTask.job
                              - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                              2010-12-08 c:\windows\Tasks\ParetoLogic Registration3.job
                              - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

                              2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job
                              - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

                              2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job
                              - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                              2010-12-08 c:\windows\Tasks\PC Health Advisor.job
                              - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                              2010-12-09 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
                              - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
                              .
                              .
                              ------- Supplementary Scan -------
                              .
                              uStart Page = hxxp://www.bbc.co.uk/
                              mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
                              uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
                              IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
                              IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
                              IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
                              .

                              **************************************************************************
                              scanning hidden processes ... 

                              scanning hidden autostart entries ...

                              scanning hidden files ... 

                              scan completed successfully
                              hidden files:

                              **************************************************************************

                              [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
                              "ImagePath"="\??\c:\windows\system32\2107.tmp"

                              [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
                              "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

                              [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
                              "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
                              .
                              --------------------- DLLs Loaded Under Running Processes ---------------------

                              - - - - - - - > 'Explorer.exe'(5260)
                              c:\program files\Unlocker\UnlockerHook.dll
                              c:\progra~1\mcafee\SITEAD~1\saHook.dll
                              c:\windows\system32\btmmhook.dll
                              c:\windows\system32\btncopy.dll
                              .
                              ------------------------ Other Running Processes ------------------------
                              .
                              c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
                              c:\program files\Thomson\ST330\service\st330service.exe
                              c:\windows\system32\msinfo32.exe
                              c:\windows\System32\WLTRYSVC.EXE
                              c:\windows\System32\bcmwltry.exe
                              c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
                              c:\program files\LogMeIn\x86\RaMaint.exe
                              c:\program files\LogMeIn\x86\LogMeIn.exe
                              c:\program files\Common Files\Motive\McciCMService.exe
                              c:\windows\system32\rundll32.exe
                              c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
                              c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
                              c:\program files\McAfee\MPF\MPFSrv.exe
                              c:\program files\McAfee\MSK\MskSrver.exe
                              c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
                              c:\progra~1\McAfee\MSC\mcmscsvc.exe
                              c:\progra~1\mcafee.com\agent\mcagent.exe
                              c:\windows\system32\igfxsrvc.exe
                              c:\windows\ehome\ehmsas.exe
                              c:\program files\Windows Media Player\wmpnetwk.exe
                              c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
                              c:\program files\Synaptics\SynTP\SynTPHelper.exe
                              c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
                              c:\program files\Dell Support Center\bin\sprtsvc.exe
                              c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
                              .
                              **************************************************************************
                              .
                              Completion time: 2010-12-09  13:12:37 - machine was rebooted
                              ComboFix-quarantined-files.txt  2010-12-09 13:12
                              ComboFix2.txt  2010-12-07 18:53
                              ComboFix3.txt  2010-12-06 07:29
                              ComboFix4.txt  2010-12-04 18:43

                              Pre-Run: 171,817,422,848 bytes free
                              Post-Run: 171,800,563,712 bytes free

                              - - End Of File - - 6032CFF263D7A9F7AE41285A75E31A06




                              kevlarge

                                Topic Starter


                                Rookie

                                • Experience: Beginner
                                • OS: Unknown
                                Re: Rootkit file ksfvjxai.sys?
                                « Reply #21 on: December 09, 2010, 09:00:14 AM »
                                Then ran Sysprot as directed - log below:

                                SysProt AntiRootkit v1.0.1.0
                                by swatkat

                                ******************************************************************************************
                                ******************************************************************************************

                                No Hidden Processes found

                                ******************************************************************************************
                                ******************************************************************************************
                                Kernel Modules:
                                Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
                                Service Name: ---
                                Module Base: 8C400000
                                Module End: 8C40B000
                                Hidden: Yes

                                Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
                                Service Name: ---
                                Module Base: 8C1F3000
                                Module End: 8C1FD000
                                Hidden: Yes

                                ******************************************************************************************
                                ******************************************************************************************
                                No SSDT Hooks found

                                ******************************************************************************************
                                ******************************************************************************************
                                Kernel Hooks:
                                Hooked Function: ZwCreateUserProcess
                                At Address: 82BD7B82
                                Jump To: 8D343766
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwYieldExecution
                                At Address: 82A399D2
                                Jump To: 8D3437CC
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwUnmapViewOfSection
                                At Address: 82C1E7BD
                                Jump To: 8D3437F6
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwTerminateProcess
                                At Address: 82BFEDA3
                                Jump To: 8D34380F
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwSetInformationProcess
                                At Address: 82C22528
                                Jump To: 8D34377A
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwSetContextThread
                                At Address: 82CA03C7
                                Jump To: 8D34378E
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwProtectVirtualMemory
                                At Address: 82C27F3D
                                Jump To: 8D3437B6
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwOpenThread
                                At Address: 82C2A15A
                                Jump To: 8D343728
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwOpenProcess
                                At Address: 82C2EC08
                                Jump To: 8D343714
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwMapViewOfSection
                                At Address: 82C1E4FA
                                Jump To: 8D3437E0
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwCreateProcessEx
                                At Address: 82C9F90A
                                Jump To: 8D343750
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwCreateProcess
                                At Address: 82C9F8BF
                                Jump To: 8D34373C
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: ZwCreateFile
                                At Address: 82C4FE5B
                                Jump To: 8D3437A2
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                Hooked Function: PsSetContextThread
                                At Address: 82CA03C7
                                Jump To: 8D34378E
                                Module Name: C:\Windows\system32\drivers\mfehidk.sys

                                ******************************************************************************************
                                ******************************************************************************************
                                Hidden files/folders:
                                Object: C:\Qoobox\BackEnv\AppData.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Cache.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\History.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Music.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Personal.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Programs.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Recent.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\SetPath.bat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\SysPath.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\Templates.folder.dat
                                Status: Access denied

                                Object: C:\Qoobox\BackEnv\VikPev00
                                Status: Access denied

                                Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
                                Status: Access denied

                                Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
                                Status: Access denied

                                Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
                                Status: Access denied

                                Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
                                Status: Access denied

                                Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
                                Status: Access denied
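A way to read a SysProt "Kernel Modules" / "Kernel Hooks" report like the one above without eyeballing every entry: parse the blocks, group hooks by the driver they jump into, and cross-check jump targets against modules the tool flagged as hidden. This is an added illustration, not part of the poster's log or of SysProt itself; the sample report is constructed (the `unknowndrv.sys` entry is invented for the demo), and the allowlist treating `mfehidk.sys` as McAfee's kernel hook driver and `dump_*.sys` as the normal service-less crash-dump drivers is an assumption you would adjust to your own environment.

```python
import re
from collections import defaultdict

# Constructed sample in SysProt's report layout; the unknowndrv.sys entries
# are invented so the triage has something to flag. Not the poster's log.
SAMPLE_LOG = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
Service Name: ---
Module Base: 8C1F3000
Module End: 8C1FD000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\unknowndrv.sys
Service Name: ---
Module Base: 8D000000
Module End: 8D010000
Hidden: Yes

Kernel Hooks:
Hooked Function: ZwCreateFile
At Address: 82C4FE5B
Jump To: 8D3437A2
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 82C2EC08
Jump To: 8D343714
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryDirectoryFile
At Address: 82C30000
Jump To: 8D004000
Module Name: \SystemRoot\System32\Drivers\unknowndrv.sys
"""

# One hook record: function, patched address, jump target, owning module.
HOOK_RE = re.compile(
    r"Hooked Function: (?P<func>\S+)[ \t]*\r?\n"
    r"At Address: (?P<addr>[0-9A-Fa-f]+)[ \t]*\r?\n"
    r"Jump To: (?P<target>[0-9A-Fa-f]+)[ \t]*\r?\n"
    r"Module Name: (?P<module>.+)")

# One kernel module record; a hook block's trailing "Module Name:" line is
# not followed by "Service Name:", so this pattern does not match it.
MODULE_RE = re.compile(
    r"Module Name: (?P<module>.+?)[ \t]*\r?\n"
    r"Service Name: (?P<service>.+?)[ \t]*\r?\n"
    r"Module Base: (?P<base>[0-9A-Fa-f]+)[ \t]*\r?\n"
    r"Module End: (?P<end>[0-9A-Fa-f]+)[ \t]*\r?\n"
    r"Hidden: (?P<hidden>\w+)")

# Assumption: drivers from installed security products that legitimately hook
# the kernel (mfehidk.sys is taken here as McAfee's).
KNOWN_SECURITY_DRIVERS = {"mfehidk.sys"}
# Assumption: crash-dump copies of the storage driver load without a service
# entry, so SysProt reporting them as "Hidden: Yes" is expected.
EXPECTED_HIDDEN_PREFIXES = ("dump_",)


def basename(path):
    """Last path component, lowercased, for either NT or Win32 path styles."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hooks(text):
    return [m.groupdict() for m in HOOK_RE.finditer(text)]


def parse_modules(text):
    modules = []
    for m in MODULE_RE.finditer(text):
        d = m.groupdict()
        d["base"] = int(d["base"], 16)
        d["end"] = int(d["end"], 16)
        d["hidden"] = d["hidden"].lower() == "yes"
        modules.append(d)
    return modules


def triage(text):
    """Summarise a SysProt report: which driver owns which hooks, and what
    falls outside the allowlists or jumps into a hidden module's range."""
    hooks = parse_hooks(text)
    modules = parse_modules(text)

    hooks_by_module = defaultdict(list)
    for h in hooks:
        hooks_by_module[basename(h["module"])].append(h["func"])

    suspicious_hooks = {mod: funcs for mod, funcs in hooks_by_module.items()
                        if mod not in KNOWN_SECURITY_DRIVERS}
    suspicious_modules = [basename(m["module"]) for m in modules
                          if m["hidden"]
                          and not basename(m["module"]).startswith(EXPECTED_HIDDEN_PREFIXES)]

    # A hook whose jump target lands inside a module hidden from the service
    # list is the pattern worth escalating, independent of the module's name.
    jumps_into_hidden = []
    for h in hooks:
        target = int(h["target"], 16)
        for m in modules:
            if m["hidden"] and m["base"] <= target < m["end"]:
                jumps_into_hidden.append((h["func"], basename(m["module"])))

    return {"hooks_by_module": dict(hooks_by_module),
            "suspicious_hooks": suspicious_hooks,
            "suspicious_modules": suspicious_modules,
            "jumps_into_hidden": jumps_into_hidden}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the poster's actual log, every hook lands in `mfehidk.sys` and the only hidden modules are the two `dump_*.sys` drivers, so the triage reports nothing outside the allowlist; the constructed `unknowndrv.sys` entry shows what a hit would look like.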


                                SuperDave

                                • Malware Removal Specialist


                                • Genius
                                • Thanked: 1020
                                • Certifications: List
                                • Experience: Expert
                                • OS: Windows 10
                                Re: Rootkit file ksfvjxai.sys?
                                « Reply #22 on: December 09, 2010, 01:38:27 PM »
                                Re-running ComboFix to remove infections:

                                • Close any open browsers.
                                • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                                • Open notepad and copy/paste the text in the quotebox below into it:
                                  Quote
                                  KillAll::

                                  File::
                                  C:\found.000

                                • Save this as CFScript.txt, in the same location as ComboFix.exe



                                • Referring to the picture above, drag CFScript into ComboFix.exe
                                • When finished, it shall produce a log for you at C:\ComboFix.txt
                                • I don't need to see the log from this script.
                                ***********************************************
                                I'd like to scan your machine with ESET OnlineScan

                                • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                                ESET OnlineScan
                                • Click the button.
                                • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                                  • Click on to download the ESET Smart Installer. Save it to your desktop.
                                  • Double click on the icon on your desktop.
                                • Check
                                • Click the button.
                                • Accept any security warnings from your browser.
                                • Check
                                • Push the Start button.
                                • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                                • When the scan completes, push
                                • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                                • Push the button.
                                • Push
                                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                                Windows 8 and Windows 10 dual boot with two SSD's

                                kevlarge

                                  Topic Starter


                                  Rookie

                                  • Experience: Beginner
                                  • OS: Unknown
                                  Re: Rootkit file ksfvjxai.sys?
                                  « Reply #23 on: December 10, 2010, 01:03:09 AM »
                                  Combofix log:

                                  ComboFix 10-12-09.02 - Nashir 10/12/2010   7:40.5.2 - x86
                                  Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.995 [GMT 0:00]
                                  Running from: c:\users\Nashir\Desktop\COMMY.exe
                                  Command switches used :: c:\users\Nashir\Desktop\CFScript.txt
                                  SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                                  SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

                                  FILE ::
                                  "C:\found.000"
                                  .

                                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                  .

                                  c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3A35.tmp

                                  .
                                  (((((((((((((((((((((((((   Files Created from 2010-11-10 to 2010-12-10  )))))))))))))))))))))))))))))))
                                  .

                                  2010-12-10 07:49 . 2010-12-10 07:52   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
                                  2010-12-10 07:49 . 2010-12-10 07:49   --------   d-----w-   c:\users\Default\AppData\Local\temp
                                  2010-12-09 12:39 . 2010-12-09 12:39   --------   d-----w-   C:\found.000
                                  2010-12-07 06:18 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll
                                  2010-12-06 21:07 . 2010-12-06 21:08   --------   d-----w-   c:\program files\CCleaner
                                  2010-12-06 20:53 . 2010-12-06 20:53   --------   d-----w-   c:\program files\Common Files\Java
                                  2010-12-06 20:53 . 2010-09-15 04:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                                  2010-12-06 09:37 . 2010-12-06 09:37   --------   d-----w-   c:\users\LogMeInRemoteUser
                                  2010-12-06 07:05 . 2010-12-06 07:05   --------   d-----w-   c:\users\Nashir\AppData\Local\LogMeIn
                                  2010-12-06 07:04 . 2010-12-01 15:04   53632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
                                  2010-12-06 07:04 . 2010-12-01 15:04   29568   ----a-w-   c:\windows\system32\LMIport.dll
                                  2010-12-06 07:04 . 2010-12-01 15:04   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
                                  2010-12-06 07:04 . 2010-09-17 15:40   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
                                  2010-12-06 07:04 . 2010-12-01 15:04   87424   ----a-w-   c:\windows\system32\LMIinit.dll
                                  2010-12-06 07:04 . 2010-12-10 07:25   --------   d-----w-   c:\programdata\LogMeIn
                                  2010-12-06 07:04 . 2010-12-06 07:04   --------   d-----w-   c:\program files\LogMeIn
                                  2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com
                                  2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                                  2010-12-05 19:21 . 2010-12-05 19:22   --------   d-----w-   c:\program files\SUPERAntiSpyware
                                  2010-12-05 19:06 . 2010-12-05 19:06   388096   ----a-r-   c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                                  2010-12-05 19:06 . 2010-12-05 19:06   --------   d-----w-   c:\program files\Trend Micro
                                  2010-12-05 16:12 . 2010-05-26 10:45   18816   ------w-   c:\windows\system32\SAVRKBootTasks.sys
                                  2010-12-05 13:25 . 2010-12-05 13:25   --------   d-----w-   c:\program files\Sophos
                                  2010-12-05 13:06 . 2010-12-05 13:06   --------   d-----w-   c:\program files\Unlocker
                                  2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
                                  2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
                                  2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
                                  2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat

                                  .
                                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                  .
                                  2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                  2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                  2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
                                  2010-09-17 15:39 . 2010-09-17 15:39   25248   ----a-w-   c:\windows\system32\lmimirr.dll
                                  2010-09-17 15:39 . 2010-09-17 15:39   11552   ----a-w-   c:\windows\system32\lmimirr2.dll
                                  2010-09-17 15:39 . 2010-09-17 15:39   10144   ----a-w-   c:\windows\system32\drivers\lmimirr.sys
                                  2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
                                  .

                                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                  .
                                  .
                                  *Note* empty entries & legit default entries are not shown
                                  REGEDIT4

                                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                  "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                                  "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
                                  "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
                                  "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]

                                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                  "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
                                  "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
                                  "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
                                  "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
                                  "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
                                  "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
                                  "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
                                  "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
                                  "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
                                  "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
                                  "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
                                  "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
                                  "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
                                  "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
                                  "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
                                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                                  "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
                                  "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
                                  "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
                                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

                                  c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                                  Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                                  c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                                  Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

                                  c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                                  Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                                  "EnableUIADesktopToggle"= 0 (0x0)

                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
                                  2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
                                  @=""

                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                                  @=""

                                  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                                  "AntiVirusOverride"=""
                                  "FirewallOverride"=""

                                  R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                                  R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
                                  R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp

                                  R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
                                  R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]
                                  R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672]
                                  R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328]
                                  R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                                  S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
                                  S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                                  S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                                  S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
                                  S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
                                  S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
                                  S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-01 374152]
                                  S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
                                  S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
                                  S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
                                  S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
                                  S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
                                  S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]
                                  S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472]
                                  S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616]


                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                                  bthsvcs   REG_MULTI_SZ      BthServ
                                  LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                                  .
                                  Contents of the 'Scheduled Tasks' folder

                                  2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                  - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                                  2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                  - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

                                  2010-05-15 c:\windows\Tasks\McDefragTask.job
                                  - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                                  2009-07-31 c:\windows\Tasks\McQcTask.job
                                  - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

                                  2010-12-09 c:\windows\Tasks\ParetoLogic Registration3.job
                                  - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

                                  2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job
                                  - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

                                  2010-12-10 c:\windows\Tasks\PC Health Advisor Defrag.job
                                  - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                                  2010-12-08 c:\windows\Tasks\PC Health Advisor.job
                                  - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

                                  2010-12-09 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
                                  - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
                                  .
                                  .
                                  ------- Supplementary Scan -------
                                  .
                                  uStart Page = hxxp://www.bbc.co.uk/
                                  mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
                                  uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
                                  IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
                                  IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
                                  IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
                                  .

                                  **************************************************************************
                                  scanning hidden processes ... 

                                  scanning hidden autostart entries ...

                                  scanning hidden files ... 

                                  scan completed successfully
                                  hidden files:

                                  **************************************************************************

                                  [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
                                  "ImagePath"="\??\c:\windows\system32\2107.tmp"

                                  [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
                                  "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

                                  [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
                                  "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
                                  .
                                  --------------------- DLLs Loaded Under Running Processes ---------------------

                                  - - - - - - - > 'Explorer.exe'(2260)
                                  c:\program files\Unlocker\UnlockerHook.dll
                                  c:\progra~1\mcafee\SITEAD~1\saHook.dll
                                  c:\windows\system32\btmmhook.dll
                                  c:\windows\system32\btncopy.dll
                                  .
                                  ------------------------ Other Running Processes ------------------------
                                  .
                                  c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
                                  c:\program files\Thomson\ST330\service\st330service.exe
                                  c:\windows\system32\msinfo32.exe
                                  c:\windows\System32\WLTRYSVC.EXE
                                  c:\windows\System32\bcmwltry.exe
                                  c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
                                  c:\program files\LogMeIn\x86\RaMaint.exe
                                  c:\program files\LogMeIn\x86\LogMeIn.exe
                                  c:\program files\Common Files\Motive\McciCMService.exe
                                  c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
                                  c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
                                  c:\windows\system32\rundll32.exe
                                  c:\program files\McAfee\MPF\MPFSrv.exe
                                  c:\program files\McAfee\MSK\MskSrver.exe
                                  c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
                                  c:\progra~1\McAfee\MSC\mcmscsvc.exe
                                  c:\progra~1\mcafee.com\agent\mcagent.exe
                                  c:\windows\system32\igfxsrvc.exe
                                  c:\windows\ehome\ehmsas.exe
                                  c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
                                  c:\program files\Synaptics\SynTP\SynTPHelper.exe
                                  c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
                                  c:\program files\Dell Support Center\bin\sprtsvc.exe
                                  .
                                  **************************************************************************
                                  .
                                  Completion time: 2010-12-10  07:57:47 - machine was rebooted
                                  ComboFix-quarantined-files.txt  2010-12-10 07:57
                                  ComboFix2.txt  2010-12-09 13:12
                                  ComboFix3.txt  2010-12-07 18:53
                                  ComboFix4.txt  2010-12-06 07:29
                                  ComboFix5.txt  2010-12-10 07:36

                                  Pre-Run: 173,336,719,360 bytes free
                                  Post-Run: 173,376,696,320 bytes free

                                  - - End Of File - - AAC0C20AE4A5A48FA054BEB3609F144C

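The service block of a ComboFix log (the `R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp` style lines above) is where a driver like ksfvjxai.sys shows up, and a helper that triages that block is the first thing an analyst reading several of these logs in a row wants. The script below is an added example and is not part of the thread or of ComboFix itself. It parses lines in the `<start> <name>;<display name>;<image path> [<date> <size>]` layout and flags entries whose image is a `.tmp` file or sits under a temp directory, whose file name looks machine-generated (the `ksfvjxai` pattern), or which carry no date/size stamp. Treating a missing stamp as "ComboFix could not read the file" is an assumption about the log format, and the `looks_generated` test is a heuristic that will produce some false positives, so every hit is a lead to verify, not a verdict. The sample lines are copied from the log above except the last, which is constructed to show how ksfvjxai.sys would look if it were still registered as a kernel service (in this log it has already been quarantined).

```python
"""Triage the driver/service block of a ComboFix log.

Added example (not part of the forum thread or of ComboFix): parses lines in
ComboFix's "<start> <name>;<display name>;<image path> [<date> <size>]" layout
and flags entries worth a second look. Hits are leads, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the log above, plus one constructed line (the last) showing
# how the ksfvjxai.sys driver would appear if it were still registered as a
# kernel service; that entry is an assumption, not taken from the log.
SAMPLE_LOG = "\n".join([
    r"R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp",
    r"R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]",
    r"S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]",
    r"S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]",
    r"S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]",
    r"S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]",
    r"S0 ksfvjxai;ksfvjxai;c:\windows\system32\drivers\ksfvjxai.sys",  # constructed
])

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class Driver:
    start: str
    name: str
    display: str
    path: str
    date: Optional[str]
    size: Optional[int]
    reasons: List[str] = field(default_factory=list)

    @property
    def stem(self) -> str:
        """File name without directory or extension, lower-cased."""
        return self.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse_services(log_text: str) -> List[Driver]:
    """Return every line that matches ComboFix's service layout."""
    found = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            found.append(Driver(m["start"], m["name"], m["display"], m["path"],
                                m["date"], int(m["size"]) if m["size"] else None))
    return found


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonants (y counted as a vowel)."""
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        best = max(best, run)
    return best


def looks_generated(stem: str) -> bool:
    """Heuristic for names like ksfvjxai: 8 lower-case letters, no digits,
    and a consonant cluster no vendor would choose. Expect false positives."""
    return len(stem) == 8 and stem.isalpha() and longest_consonant_run(stem) >= 4


def triage(log_text: str) -> List[Driver]:
    """Flag drivers with temp-file images, generated-looking names, or no
    date/size stamp. ComboFix prints the stamp when it can read the file, so
    its absence is treated as 'file not readable'; that is an assumption."""
    flagged = []
    for d in parse_services(log_text):
        p = d.path.lower()
        if p.endswith(".tmp"):
            d.reasons.append("image is a .tmp file")
        if any(marker in p for marker in TEMP_MARKERS):
            d.reasons.append("image lives under a temp directory")
        if looks_generated(d.stem):
            d.reasons.append("generated-looking file name")
        if d.date is None:
            d.reasons.append("no date/size stamp (file not readable when scanned)")
        if d.reasons:
            flagged.append(d)
    return flagged


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d.start} {d.name:<16} {d.path}")
        for r in d.reasons:
            print(f"    - {r}")
```

Run against the sample it flags the constructed `ksfvjxai` entry (generated-looking name, no stamp) and `MEMSWEEP2` (a `.tmp` image with no stamp); the latter needs checking against the anti-rootkit tools the poster had installed that same week before anyone calls it hostile, which is the point of keeping the output as reasons rather than a score.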
                                  SuperDave

                                  • Malware Removal Specialist


                                  • Genius
                                  • Thanked: 1020
                                  • Certifications: List
                                  • Experience: Expert
                                  • OS: Windows 10
                                  Re: Rootkit file ksfvjxai.sys?
                                  « Reply #24 on: December 10, 2010, 01:31:28 PM »
                                  I need to see the ESET scan log.
                                  Windows 8 and Windows 10 dual boot with two SSD's

                                  kevlarge

                                    Topic Starter


                                    Rookie

                                    • Experience: Beginner
                                    • OS: Unknown
                                    Re: Rootkit file ksfvjxai.sys?
                                    « Reply #25 on: December 10, 2010, 03:03:30 PM »
                                    Sorry - as below:

                                    C:\Qoobox\Quarantine\C\Users\Nashir\AppData\Local\{20B77007-BD36-42C6-8C5E-53C7139A1BBE}\chrome\content\overlay.xul.vir   probably a variant of Win32/Agent.NVQFFQI trojan   cleaned by deleting - quarantined
                                    C:\Qoobox\Quarantine\C\Windows\System32\drivers\ksfvjxai.sys.vir   a variant of Win32/Bubnix.BB trojan   cleaned by deleting - quarantined
                                    C:\Users\Nashir\Desktop\unlocker1.9.0.exe   Win32/Adware.ADON application   deleted - quarantined

                                    SuperDave

                                    • Malware Removal Specialist


                                    • Genius
                                    • Thanked: 1020
                                    • Certifications: List
                                    • Experience: Expert
                                    • OS: Windows 10
                                    Re: Rootkit file ksfvjxai.sys?
                                    « Reply #26 on: December 10, 2010, 04:07:55 PM »
                                    That looks good. How's your computer working?
                                    Windows 8 and Windows 10 dual boot with two SSD's

                                    kevlarge

                                      Topic Starter


                                      Rookie

                                      • Experience: Beginner
                                      • OS: Unknown
                                      Re: Rootkit file ksfvjxai.sys?
                                      « Reply #27 on: December 11, 2010, 02:09:36 AM »
                                      Hi Dave, looks fully functional, IE is responsive, no hangs or crashes, the ksfvjxai.sys file is gone, which is good! Was it the updated Combofix that killed the unwanted processes?

                                      K

                                      SuperDave

                                      • Malware Removal Specialist


                                      • Genius
                                      • Thanked: 1020
                                      • Certifications: List
                                      • Experience: Expert
                                      • OS: Windows 10
                                      Re: Rootkit file ksfvjxai.sys?
                                      « Reply #28 on: December 11, 2010, 01:25:28 PM »
                                      Quote
                                      Was it the updated Combofix that killed the unwanted processes?
                                      I don't wish to discuss this in an open forum. The bad guys are probably watching. Let's do some cleanup.

                                      * Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
                                      * Now type COMMY /uninstall in the runbox
                                      * Make sure there's a space between COMMY and /Uninstall
                                      * Then hit Enter

                                      * The above procedure will:
                                        * delete ComboFix and its associated files and folders;
                                        * reset the clock settings;
                                        * hide file extensions, if required;
                                        * hide System/Hidden files, if required;
                                        * set a new, clean Restore Point.

                                      *****************************************

                                      Clean out your temporary internet files and temp files.

                                      Download TFC by OldTimer to your desktop.

                                      Double-click TFC.exe to run it.

                                      Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                      TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                      * Click the Start button to begin the cleaning process.
                                      * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                      * Please let TFC run uninterrupted until it is finished.

                                      Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                                      ***********************************
                                      Use the Secunia Software Inspector to check for out of date software.

                                      • Click Start Now

                                      • Check the box next to Enable thorough system inspection.

                                      • Click Start

                                      • Allow the scan to finish and scroll down to see if any updates are needed.
                                      • Update anything listed.
                                      ----------

                                      Go to Microsoft Windows Update and get all critical updates.

                                      ----------

                                      I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                      SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                      * Using SpywareBlaster to protect your computer from Spyware and Malware
                                      * If you don't know what ActiveX controls are, see here

                                      Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                      Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                      Safe Surfing!
                                      Windows 8 and Windows 10 dual boot with two SSD's

                                      emsky1280

                                      • Guest
                                      Re: Rootkit file ksfvjxai.sys?
                                      « Reply #29 on: December 12, 2010, 04:05:07 AM »
                                      Great site and very helpful :) ... it's great to be here!