
Author Topic: Rootkit file ksfvjxai.sys?  (Read 15874 times)


kevlarge

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    Re: Rootkit file ksfvjxai.sys?
    « Reply #15 on: December 06, 2010, 11:18:56 PM »
    Hi

    Window opens with the following message:

    Choose file to upload

    ksfvjxai.sys
    A device attached to the system is not functioning

    K

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Rootkit file ksfvjxai.sys?
    « Reply #16 on: December 07, 2010, 10:41:59 AM »
    Re-running ComboFix to remove infections:

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the quotebox below into it:
      Quote
      KillAll::

      File::
      C:\Windows\System32\Drivers\ksfvjxai.sys
      c:\windows\system32\drivers\rqmophar.sys

      Registry::
      [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ksfvjxai]

      Rootkit::
      C:\Windows\System32\Drivers\ksfvjxai.sys
      c:\windows\system32\drivers\rqmophar.sys

      Driver::
      rqmophar
      ksfvjxai

    • Save this as CFScript.txt, in the same location as ComboFix.exe



    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
    Windows 8 and Windows 10 dual boot with two SSD's

    kevlarge

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Unknown
      Re: Rootkit file ksfvjxai.sys?
      « Reply #17 on: December 07, 2010, 11:59:08 AM »
      Ooh - Can't open Internet Explorer now: "Illegal operation attempted on a registry key that has been marked for deletion"

      This is the Combofix log file, posted via another workstation:

      ComboFix 10-12-06.04 - Nashir 07/12/2010  18:34:01.3.2 - x86
      Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.975 [GMT 0:00]
      Running from: c:\users\Nashir\Desktop\COMMY.exe
      Command switches used :: c:\users\Nashir\Desktop\CFScript.txt
      SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
      SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

      FILE ::
      "c:\windows\System32\Drivers\ksfvjxai.sys"
      "c:\windows\system32\drivers\rqmophar.sys"
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_KSFVJXAI
      -------\Service_ksfvjxai
      -------\Service_rqmophar


      (((((((((((((((((((((((((   Files Created from 2010-11-07 to 2010-12-07  )))))))))))))))))))))))))))))))
      .

      2010-12-07 18:41 . 2010-12-07 18:47   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
      2010-12-07 18:41 . 2010-12-07 18:41   --------   d-----w-   c:\users\Default\AppData\Local\temp
      2010-12-07 06:18 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll
      2010-12-06 21:07 . 2010-12-06 21:08   --------   d-----w-   c:\program files\CCleaner
      2010-12-06 20:53 . 2010-12-06 20:53   --------   d-----w-   c:\program files\Common Files\Java
      2010-12-06 20:53 . 2010-09-15 04:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
      2010-12-06 09:37 . 2010-12-06 09:37   --------   d-----w-   c:\users\LogMeInRemoteUser
      2010-12-06 07:05 . 2010-12-06 07:05   --------   d-----w-   c:\users\Nashir\AppData\Local\LogMeIn
      2010-12-06 07:04 . 2010-12-01 15:04   53632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
      2010-12-06 07:04 . 2010-12-01 15:04   29568   ----a-w-   c:\windows\system32\LMIport.dll
      2010-12-06 07:04 . 2010-12-01 15:04   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
      2010-12-06 07:04 . 2010-09-17 15:40   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
      2010-12-06 07:04 . 2010-12-01 15:04   87424   ----a-w-   c:\windows\system32\LMIinit.dll
      2010-12-06 07:04 . 2010-12-07 06:13   --------   d-----w-   c:\programdata\LogMeIn
      2010-12-06 07:04 . 2010-12-06 07:04   --------   d-----w-   c:\program files\LogMeIn
      2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com
      2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
      2010-12-05 19:21 . 2010-12-05 19:22   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-12-05 19:06 . 2010-12-05 19:06   388096   ----a-r-   c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
      2010-12-05 19:06 . 2010-12-05 19:06   --------   d-----w-   c:\program files\Trend Micro
      2010-12-05 16:12 . 2010-05-26 10:45   18816   ------w-   c:\windows\system32\SAVRKBootTasks.sys
      2010-12-05 13:25 . 2010-12-05 13:25   --------   d-----w-   c:\program files\Sophos
      2010-12-05 13:06 . 2010-12-05 13:06   --------   d-----w-   c:\program files\Unlocker
      2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
      2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
      2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
      2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-12-07 18:43 . 2010-09-25 08:48   843264   ----a-w-   c:\windows\system32\drivers\ksfvjxai.sys
      2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
      2010-09-17 15:39 . 2010-09-17 15:39   25248   ----a-w-   c:\windows\system32\lmimirr.dll
      2010-09-17 15:39 . 2010-09-17 15:39   11552   ----a-w-   c:\windows\system32\lmimirr2.dll
      2010-09-17 15:39 . 2010-09-17 15:39   10144   ----a-w-   c:\windows\system32\drivers\lmimirr.sys
      2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
      "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
      "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]
      "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
      "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
      "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
      "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
      "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
      "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
      "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
      "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
      "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
      "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
      "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
      "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
      "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

      c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

      c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
      Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

      c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "EnableUIADesktopToggle"= 0 (0x0)

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
      2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
      @=""

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
      @=""

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "AntiVirusOverride"=""
      "FirewallOverride"=""

      R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
      R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
      S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
      S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
      S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
      S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
      S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
      S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]


      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      bthsvcs   REG_MULTI_SZ      BthServ
      LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
      .
      Contents of the 'Scheduled Tasks' folder

      2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

      2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

      2010-05-15 c:\windows\Tasks\McDefragTask.job
      - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

      2009-07-31 c:\windows\Tasks\McQcTask.job
      - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

      2010-12-07 c:\windows\Tasks\ParetoLogic Registration3.job
      - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

      2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job
      - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

      2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job
      - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

      2010-10-27 c:\windows\Tasks\PC Health Advisor.job
      - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

      2010-12-07 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
      - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.bbc.co.uk/
      mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
      uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
      IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
      IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
      .

      **************************************************************************
      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files:

      **************************************************************************

      [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
      "ImagePath"="\??\c:\windows\system32\2107.tmp"

      [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
      "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

      [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
      "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'Explorer.exe'(5560)
      c:\program files\Unlocker\UnlockerHook.dll
      c:\progra~1\mcafee\SITEAD~1\saHook.dll
      c:\windows\system32\btmmhook.dll
      c:\windows\system32\btncopy.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
      c:\program files\Thomson\ST330\service\st330service.exe
      c:\windows\system32\msinfo32.exe
      c:\windows\System32\WLTRYSVC.EXE
      c:\windows\System32\bcmwltry.exe
      c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
      c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
      c:\program files\LogMeIn\x86\RaMaint.exe
      c:\program files\LogMeIn\x86\LogMeIn.exe
      c:\program files\McAfee\SiteAdvisor\McSACore.exe
      c:\program files\Common Files\Motive\McciCMService.exe
      c:\windows\system32\rundll32.exe
      c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
      c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
      c:\program files\McAfee\MPF\MPFSrv.exe
      c:\program files\McAfee\MSK\MskSrver.exe
      c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      c:\progra~1\McAfee\MSC\mcmscsvc.exe
      c:\progra~1\mcafee.com\agent\mcagent.exe
      c:\windows\system32\igfxsrvc.exe
      c:\windows\ehome\ehmsas.exe
      c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
      c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
      c:\program files\Synaptics\SynTP\SynTPHelper.exe
      c:\windows\system32\WerFault.exe
      c:\program files\Dell Support Center\bin\sprtsvc.exe
      .
      **************************************************************************
      .
      Completion time: 2010-12-07  18:53:44 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-12-07 18:53
      ComboFix2.txt  2010-12-06 07:29
      ComboFix3.txt  2010-12-04 18:43

      Pre-Run: 172,233,457,664 bytes free
      Post-Run: 171,874,471,936 bytes free

      - - End Of File - - 5B2C30AC82EE04F5A32589E7617084B5

      kevlarge

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Unknown
        Re: Rootkit file ksfvjxai.sys?
        « Reply #18 on: December 07, 2010, 11:43:07 PM »
        Interesting - rebooted the machine again, and IE is back up and running. However, ksfvjxai.sys is still there.

        K

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Experience: Expert
        • OS: Windows 10
        Re: Rootkit file ksfvjxai.sys?
        « Reply #19 on: December 08, 2010, 12:49:44 PM »
        Ok. Let's try this one more time.

        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          KillAll::

          File::
          c:\windows\system32\drivers\ksfvjxai.sys

        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • Please post the contents of the log in your next reply.
        ****************************************
        Please run the SysProt Antirootkit as instructed in Reply #12
        Windows 8 and Windows 10 dual boot with two SSD's

        kevlarge

          Topic Starter


          Rookie

          • Experience: Beginner
          • OS: Unknown
          Re: Rootkit file ksfvjxai.sys?
          « Reply #20 on: December 09, 2010, 08:59:03 AM »
          Hi

          Ran ComboFix; it updated itself, then I ran it again as requested. The PC rebooted, then it did a chkdsk and rebooted again, but no log was produced, so I ran ComboFix again. This time a log was produced, as below:

          ComboFix 10-12-08.04 - Nashir 09/12/2010  12:55:21.4.2 - x86
          Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.846 [GMT 0:00]
          Running from: c:\users\Nashir\Desktop\COMMY.exe
          Command switches used :: c:\users\Nashir\Desktop\CFScript.txt
          SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
          SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

          FILE ::
          "c:\windows\system32\drivers\ksfvjxai.sys"
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1DE.tmp
          c:\windows\system32\drivers\ksfvjxai.sys

          .
          (((((((((((((((((((((((((   Files Created from 2010-11-09 to 2010-12-09  )))))))))))))))))))))))))))))))
          .

          2010-12-09 13:03 . 2010-12-09 13:06   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
          2010-12-09 13:03 . 2010-12-09 13:03   --------   d-----w-   c:\users\Default\AppData\Local\temp
          2010-12-09 12:39 . 2010-12-09 12:39   --------   d-----w-   C:\found.000
          2010-12-07 06:18 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll
          2010-12-06 21:07 . 2010-12-06 21:08   --------   d-----w-   c:\program files\CCleaner
          2010-12-06 20:53 . 2010-12-06 20:53   --------   d-----w-   c:\program files\Common Files\Java
          2010-12-06 20:53 . 2010-09-15 04:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
          2010-12-06 09:37 . 2010-12-06 09:37   --------   d-----w-   c:\users\LogMeInRemoteUser
          2010-12-06 07:05 . 2010-12-06 07:05   --------   d-----w-   c:\users\Nashir\AppData\Local\LogMeIn
          2010-12-06 07:04 . 2010-12-01 15:04   53632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
          2010-12-06 07:04 . 2010-12-01 15:04   29568   ----a-w-   c:\windows\system32\LMIport.dll
          2010-12-06 07:04 . 2010-12-01 15:04   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
          2010-12-06 07:04 . 2010-09-17 15:40   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
          2010-12-06 07:04 . 2010-12-01 15:04   87424   ----a-w-   c:\windows\system32\LMIinit.dll
          2010-12-06 07:04 . 2010-12-09 12:25   --------   d-----w-   c:\programdata\LogMeIn
          2010-12-06 07:04 . 2010-12-06 07:04   --------   d-----w-   c:\program files\LogMeIn
          2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com
          2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
          2010-12-05 19:21 . 2010-12-05 19:22   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-12-05 19:06 . 2010-12-05 19:06   388096   ----a-r-   c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
          2010-12-05 19:06 . 2010-12-05 19:06   --------   d-----w-   c:\program files\Trend Micro
          2010-12-05 16:12 . 2010-05-26 10:45   18816   ------w-   c:\windows\system32\SAVRKBootTasks.sys
          2010-12-05 13:25 . 2010-12-05 13:25   --------   d-----w-   c:\program files\Sophos
          2010-12-05 13:06 . 2010-12-05 13:06   --------   d-----w-   c:\program files\Unlocker
          2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
          2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
          2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
          2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
          2010-09-17 15:39 . 2010-09-17 15:39   25248   ----a-w-   c:\windows\system32\lmimirr.dll
          2010-09-17 15:39 . 2010-09-17 15:39   11552   ----a-w-   c:\windows\system32\lmimirr2.dll
          2010-09-17 15:39 . 2010-09-17 15:39   10144   ----a-w-   c:\windows\system32\drivers\lmimirr.sys
          2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
          "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
          "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]
          "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
          "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
          "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
          "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
          "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
          "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
          "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
          "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
          "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
          "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
          "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
          "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
          "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
          "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
          "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

          c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
          Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
          Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

          c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
          Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "EnableUIADesktopToggle"= 0 (0x0)

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
          2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
          @=""

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
          @=""

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=""
          "FirewallOverride"=""

          R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
          R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
          R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp

          R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
          R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]
          R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672]
          R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328]
          R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
          S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
          S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
          S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
          S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
          S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
          S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
          S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-01 374152]
          S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
          S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
          S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
          S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
          S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
          S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]
          S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472]
          S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616]


          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          bthsvcs   REG_MULTI_SZ      BthServ
          LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
          .
          Contents of the 'Scheduled Tasks' folder

          2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

          2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

          2010-05-15 c:\windows\Tasks\McDefragTask.job
          - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

          2009-07-31 c:\windows\Tasks\McQcTask.job
          - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

          2010-12-08 c:\windows\Tasks\ParetoLogic Registration3.job
          - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

          2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job
          - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

          2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job
          - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

          2010-12-08 c:\windows\Tasks\PC Health Advisor.job
          - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

          2010-12-09 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
          - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.bbc.co.uk/
          mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
          uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
          IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
          IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
          IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
          .

          **************************************************************************
          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files:

          **************************************************************************

          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
          "ImagePath"="\??\c:\windows\system32\2107.tmp"

          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
          "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

          [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
          "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'Explorer.exe'(5260)
          c:\program files\Unlocker\UnlockerHook.dll
          c:\progra~1\mcafee\SITEAD~1\saHook.dll
          c:\windows\system32\btmmhook.dll
          c:\windows\system32\btncopy.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
          c:\program files\Thomson\ST330\service\st330service.exe
          c:\windows\system32\msinfo32.exe
          c:\windows\System32\WLTRYSVC.EXE
          c:\windows\System32\bcmwltry.exe
          c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
          c:\program files\LogMeIn\x86\RaMaint.exe
          c:\program files\LogMeIn\x86\LogMeIn.exe
          c:\program files\Common Files\Motive\McciCMService.exe
          c:\windows\system32\rundll32.exe
          c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
          c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
          c:\program files\McAfee\MPF\MPFSrv.exe
          c:\program files\McAfee\MSK\MskSrver.exe
          c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
          c:\progra~1\McAfee\MSC\mcmscsvc.exe
          c:\progra~1\mcafee.com\agent\mcagent.exe
          c:\windows\system32\igfxsrvc.exe
          c:\windows\ehome\ehmsas.exe
          c:\program files\Windows Media Player\wmpnetwk.exe
          c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
          c:\program files\Synaptics\SynTP\SynTPHelper.exe
          c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
          c:\program files\Dell Support Center\bin\sprtsvc.exe
          c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
          .
          **************************************************************************
          .
          Completion time: 2010-12-09  13:12:37 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-12-09 13:12
          ComboFix2.txt  2010-12-07 18:53
          ComboFix3.txt  2010-12-06 07:29
          ComboFix4.txt  2010-12-04 18:43

          Pre-Run: 171,817,422,848 bytes free
          Post-Run: 171,800,563,712 bytes free

          - - End Of File - - 6032CFF263D7A9F7AE41285A75E31A06




          kevlarge

            Re: Rootkit file ksfvjxai.sys?
            « Reply #21 on: December 09, 2010, 09:00:14 AM »
            Then ran Sysprot as directed - log below:

            SysProt AntiRootkit v1.0.1.0
            by swatkat

            ******************************************************************************************
            ******************************************************************************************

            No Hidden Processes found

            ******************************************************************************************
            ******************************************************************************************
            Kernel Modules:
            Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
            Service Name: ---
            Module Base: 8C400000
            Module End: 8C40B000
            Hidden: Yes

            Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
            Service Name: ---
            Module Base: 8C1F3000
            Module End: 8C1FD000
            Hidden: Yes

            ******************************************************************************************
            ******************************************************************************************
            No SSDT Hooks found

            ******************************************************************************************
            ******************************************************************************************
            Kernel Hooks:
            Hooked Function: ZwCreateUserProcess
            At Address: 82BD7B82
            Jump To: 8D343766
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwYieldExecution
            At Address: 82A399D2
            Jump To: 8D3437CC
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwUnmapViewOfSection
            At Address: 82C1E7BD
            Jump To: 8D3437F6
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwTerminateProcess
            At Address: 82BFEDA3
            Jump To: 8D34380F
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwSetInformationProcess
            At Address: 82C22528
            Jump To: 8D34377A
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwSetContextThread
            At Address: 82CA03C7
            Jump To: 8D34378E
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwProtectVirtualMemory
            At Address: 82C27F3D
            Jump To: 8D3437B6
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwOpenThread
            At Address: 82C2A15A
            Jump To: 8D343728
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwOpenProcess
            At Address: 82C2EC08
            Jump To: 8D343714
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwMapViewOfSection
            At Address: 82C1E4FA
            Jump To: 8D3437E0
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwCreateProcessEx
            At Address: 82C9F90A
            Jump To: 8D343750
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwCreateProcess
            At Address: 82C9F8BF
            Jump To: 8D34373C
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwCreateFile
            At Address: 82C4FE5B
            Jump To: 8D3437A2
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: PsSetContextThread
            At Address: 82CA03C7
            Jump To: 8D34378E
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            ******************************************************************************************
            ******************************************************************************************
            Hidden files/folders:
            Object: C:\Qoobox\BackEnv\AppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cache.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cookies.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Desktop.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Favorites.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\History.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Music.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\NetHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Personal.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Pictures.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Programs.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Recent.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SendTo.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SetPath.bat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartUp.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SysPath.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Templates.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\VikPev00
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
            Status: Access denied


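The SysProt output above lists two hidden kernel modules and a set of inline kernel hooks (SysProt found no SSDT hooks; each entry is a patched function with its jump target and the driver that owns it). As an added example that is not part of this thread and not SysProt's own code, the Python below parses a log in that format, attributes every hook to the driver owning the jump target, and separates hidden modules that the kernel loads without a service entry (the dump_* crash-dump copies of the boot storage stack) from anything else. The allow-list of known hooking drivers and the second, suspicious sample log are assumptions constructed for the example.

```python
"""Triage a SysProt AntiRootkit text log.

Added example, not part of the forum thread or of SysProt. Groups kernel
hooks by owning driver and separates expected hidden modules from
unexpected ones so a log like the one above can be read at a glance.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: drivers already identified as security products that hook
# the kernel by design. Extend per host; anything not listed gets reviewed.
KNOWN_HOOKERS = {
    "mfehidk.sys": "McAfee host intrusion detection driver",
}

_KV = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def _expected_hidden(module_path: str) -> bool:
    # dump_* drivers are the kernel's private copies of the boot storage
    # stack used for crash dumps; they have no service entry, so rootkit
    # scanners report them as hidden on a clean machine as well.
    return PureWindowsPath(module_path).name.lower().startswith("dump_")


def parse_sysprot(text: str) -> dict:
    """Split the log into 'Key: value' records separated by blank lines or
    section headers, and classify each record by the keys it carries."""
    hooks, modules, objects = [], [], []
    record = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        m = _KV.match(line.strip())
        if m and m.group(2):
            record[m.group(1)] = m.group(2)
            continue
        if record:  # blank line or header ends the current record
            if "Hooked Function" in record:
                hooks.append(record)
            elif "Module Base" in record:
                modules.append(record)
            elif "Object" in record:
                objects.append(record)
            record = {}
    return {"hooks": hooks, "modules": modules, "objects": objects}


def triage(parsed: dict) -> dict:
    """Attribute hooks to drivers and flag what a reviewer should look at."""
    hook_owners = defaultdict(list)
    for hook in parsed["hooks"]:
        owner = PureWindowsPath(hook.get("Module Name", "---")).name.lower()
        hook_owners[owner].append(hook["Hooked Function"])
    unknown_hookers = sorted(o for o in hook_owners if o not in KNOWN_HOOKERS)
    hidden = [m["Module Name"] for m in parsed["modules"] if m.get("Hidden") == "Yes"]
    unexpected_hidden = [m for m in hidden if not _expected_hidden(m)]
    return {
        "hook_owners": dict(hook_owners),
        "unknown_hookers": unknown_hookers,
        "unexpected_hidden": unexpected_hidden,
        "verdict": "review" if unknown_hookers or unexpected_hidden else "benign",
    }


# Constructed excerpt in the format of the log posted above.
SAMPLE_LOG = r"""
SysProt AntiRootkit v1.0.1.0

Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C400000
Module End: 8C40B000
Hidden: Yes

No SSDT Hooks found

Kernel Hooks:
Hooked Function: ZwCreateUserProcess
At Address: 82BD7B82
Jump To: 8D343766
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 82C2EC08
Jump To: 8D343714
Module Name: C:\Windows\system32\drivers\mfehidk.sys
"""

# Constructed counter-example (names and addresses invented for the demo):
# a hidden module that is not a dump_* driver, plus a hook whose jump
# target SysProt could not attribute to any loaded module.
SAMPLE_SUSPICIOUS = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\unlisted.sys
Service Name: ---
Module Base: 8D300000
Module End: 8D310000
Hidden: Yes

Kernel Hooks:
Hooked Function: ZwQueryDirectoryFile
At Address: 82C3A1B0
Jump To: 8D3041C0
Module Name: ---
"""
```

Run over the posted log, every hook resolves to mfehidk.sys, the McAfee driver that the same log names as the owner, and both hidden modules fall into the dump_* bucket, so the verdict is benign. The verdict flips to review only when a hook target cannot be attributed to a listed driver or a hidden module is not a crash-dump copy; those are the two things worth a second look in a log like this.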
            SuperDave

            Re: Rootkit file ksfvjxai.sys?
            « Reply #22 on: December 09, 2010, 01:38:27 PM »
            Re-running ComboFix to remove infections:

            • Close any open browsers.
            • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
            • Open notepad and copy/paste the text in the quotebox below into it:
              Quote
              KillAll::

              File::
              C:\found.000

            • Save this as CFScript.txt, in the same location as ComboFix.exe



            • Referring to the picture above, drag CFScript into ComboFix.exe
            • When finished, it shall produce a log for you at C:\ComboFix.txt
            • I don't need to see the log from this script.
            ***********************************************
            I'd like to scan your machine with ESET OnlineScan

            • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
            ESET OnlineScan
            • Click the button.
            • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              • Click on to download the ESET Smart Installer. Save it to your desktop.
              • Double click on the icon on your desktop.
            • Check
            • Click the button.
            • Accept any security warnings from your browser.
            • Check
            • Push the Start button.
            • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
            • When the scan completes, push
            • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
            • Push the button.
            • Push
            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


            kevlarge

              Re: Rootkit file ksfvjxai.sys?
              « Reply #23 on: December 10, 2010, 01:03:09 AM »
              Combofix log:

              ComboFix 10-12-09.02 - Nashir 10/12/2010   7:40.5.2 - x86
              Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2006.995 [GMT 0:00]
              Running from: c:\users\Nashir\Desktop\COMMY.exe
              Command switches used :: c:\users\Nashir\Desktop\CFScript.txt
              SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
              SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

              FILE ::
              "C:\found.000"
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3A35.tmp

              .
              (((((((((((((((((((((((((   Files Created from 2010-11-10 to 2010-12-10  )))))))))))))))))))))))))))))))
              .

              2010-12-10 07:49 . 2010-12-10 07:52   --------   d-----w-   c:\users\Nashir\AppData\Local\temp
              2010-12-10 07:49 . 2010-12-10 07:49   --------   d-----w-   c:\users\Default\AppData\Local\temp
              2010-12-09 12:39 . 2010-12-09 12:39   --------   d-----w-   C:\found.000
              2010-12-07 06:18 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll
              2010-12-06 21:07 . 2010-12-06 21:08   --------   d-----w-   c:\program files\CCleaner
              2010-12-06 20:53 . 2010-12-06 20:53   --------   d-----w-   c:\program files\Common Files\Java
              2010-12-06 20:53 . 2010-09-15 04:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
              2010-12-06 09:37 . 2010-12-06 09:37   --------   d-----w-   c:\users\LogMeInRemoteUser
              2010-12-06 07:05 . 2010-12-06 07:05   --------   d-----w-   c:\users\Nashir\AppData\Local\LogMeIn
              2010-12-06 07:04 . 2010-12-01 15:04   53632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
              2010-12-06 07:04 . 2010-12-01 15:04   29568   ----a-w-   c:\windows\system32\LMIport.dll
              2010-12-06 07:04 . 2010-12-01 15:04   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
              2010-12-06 07:04 . 2010-09-17 15:40   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
              2010-12-06 07:04 . 2010-12-01 15:04   87424   ----a-w-   c:\windows\system32\LMIinit.dll
              2010-12-06 07:04 . 2010-12-10 07:25   --------   d-----w-   c:\programdata\LogMeIn
              2010-12-06 07:04 . 2010-12-06 07:04   --------   d-----w-   c:\program files\LogMeIn
              2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com
              2010-12-05 19:22 . 2010-12-05 19:22   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
              2010-12-05 19:21 . 2010-12-05 19:22   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-12-05 19:06 . 2010-12-05 19:06   388096   ----a-r-   c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
              2010-12-05 19:06 . 2010-12-05 19:06   --------   d-----w-   c:\program files\Trend Micro
              2010-12-05 16:12 . 2010-05-26 10:45   18816   ------w-   c:\windows\system32\SAVRKBootTasks.sys
              2010-12-05 13:25 . 2010-12-05 13:25   --------   d-----w-   c:\program files\Sophos
              2010-12-05 13:06 . 2010-12-05 13:06   --------   d-----w-   c:\program files\Unlocker
              2010-11-25 09:14 . 2010-10-19 04:27   7680   ----a-w-   c:\program files\Internet Explorer\iecompat.dll
              2010-11-23 17:23 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
              2010-11-20 18:23 . 2010-11-20 18:23   --------   d-----w-   c:\users\Nashir\AppData\Roaming\PCDr
              2010-11-10 10:59 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-11-29 17:42 . 2010-07-16 19:55   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-11-29 17:42 . 2010-07-16 19:55   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-10-19 10:41 . 2009-10-04 18:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
              2010-09-17 15:39 . 2010-09-17 15:39   25248   ----a-w-   c:\windows\system32\lmimirr.dll
              2010-09-17 15:39 . 2010-09-17 15:39   11552   ----a-w-   c:\windows\system32\lmimirr2.dll
              2010-09-17 15:39 . 2010-09-17 15:39   10144   ----a-w-   c:\windows\system32\drivers\lmimirr.sys
              2010-09-13 13:56 . 2010-10-13 09:07   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
              "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
              "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632]
              "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040]
              "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712]
              "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136]
              "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
              "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
              "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
              "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
              "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
              "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
              "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149]
              "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
              "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
              "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
              "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
              "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
              "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

              c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
              Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

              c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
              Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840]

              c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
              Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
              "EnableUIADesktopToggle"= 0 (0x0)

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
              2009-09-22 13:58   16680   ----a-w-   c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
              @=""

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
              @=""

              [HKEY_LOCAL_MACHINE\software\microsoft\security center]
              "AntiVirusOverride"=""
              "FirewallOverride"=""

              R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
              R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664]
              R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp

              R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
              R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464]
              R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672]
              R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328]
              R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
              S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
              S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
              S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
              S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
              S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920]
              S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
              S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-01 374152]
              S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
              S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
              S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736]
              S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
              S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128]
              S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992]
              S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472]
              S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616]


              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              bthsvcs   REG_MULTI_SZ      BthServ
              LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
              .
              Contents of the 'Scheduled Tasks' folder

              2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

              2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12]

              2010-05-15 c:\windows\Tasks\McDefragTask.job
              - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

              2009-07-31 c:\windows\Tasks\McQcTask.job
              - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

              2010-12-09 c:\windows\Tasks\ParetoLogic Registration3.job
              - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

              2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job
              - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

              2010-12-10 c:\windows\Tasks\PC Health Advisor Defrag.job
              - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

              2010-12-08 c:\windows\Tasks\PC Health Advisor.job
              - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

              2010-12-09 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job
              - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.bbc.co.uk/
              mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
              uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
              IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
              IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
              IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
              .

              **************************************************************************
              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files:

              **************************************************************************

              [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
              "ImagePath"="\??\c:\windows\system32\2107.tmp"

              [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
              "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

              [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
              "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'Explorer.exe'(2260)
              c:\program files\Unlocker\UnlockerHook.dll
              c:\progra~1\mcafee\SITEAD~1\saHook.dll
              c:\windows\system32\btmmhook.dll
              c:\windows\system32\btncopy.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
              c:\program files\Thomson\ST330\service\st330service.exe
              c:\windows\system32\msinfo32.exe
              c:\windows\System32\WLTRYSVC.EXE
              c:\windows\System32\bcmwltry.exe
              c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
              c:\program files\LogMeIn\x86\RaMaint.exe
              c:\program files\LogMeIn\x86\LogMeIn.exe
              c:\program files\Common Files\Motive\McciCMService.exe
              c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
              c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
              c:\windows\system32\rundll32.exe
              c:\program files\McAfee\MPF\MPFSrv.exe
              c:\program files\McAfee\MSK\MskSrver.exe
              c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
              c:\progra~1\McAfee\MSC\mcmscsvc.exe
              c:\progra~1\mcafee.com\agent\mcagent.exe
              c:\windows\system32\igfxsrvc.exe
              c:\windows\ehome\ehmsas.exe
              c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
              c:\program files\Synaptics\SynTP\SynTPHelper.exe
              c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
              c:\program files\Dell Support Center\bin\sprtsvc.exe
              .
              **************************************************************************
              .
              Completion time: 2010-12-10  07:57:47 - machine was rebooted
              ComboFix-quarantined-files.txt  2010-12-10 07:57
              ComboFix2.txt  2010-12-09 13:12
              ComboFix3.txt  2010-12-07 18:53
              ComboFix4.txt  2010-12-06 07:29
              ComboFix5.txt  2010-12-10 07:36

              Pre-Run: 173,336,719,360 bytes free
              Post-Run: 173,376,696,320 bytes free

              - - End Of File - - AAC0C20AE4A5A48FA054BEB3609F144C
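The "Other Running Processes" section above is the kind of listing a helper eyeballs for oddities, and the thread's two bad drivers (ksfvjxai.sys, rqmophar.sys) show the classic tell: an eight-letter name with no vendor prefix dropped into System32. The script below is an added example, not part of the thread and not ComboFix's own logic. It runs a simple scoring pass over a constructed listing (the processes from the log plus the two driver paths from the CFScript earlier in the thread) and also shows why the name rule alone is useless: five legitimate binaries in this very log match it. The scoring weights, the threshold and the allowlist are assumptions for illustration.

```python
import re

# Constructed sample input: the "Other Running Processes" section of the
# ComboFix log above, plus the two driver paths the CFScript earlier in the
# thread told ComboFix to remove. Not a live listing.
LISTING = """\
c:\\windows\\System32\\DriverStore\\FileRepository\\stwrt.inf_f6ef8056\\STacSV.exe
c:\\program files\\Thomson\\ST330\\service\\st330service.exe
c:\\windows\\system32\\msinfo32.exe
c:\\windows\\System32\\WLTRYSVC.EXE
c:\\windows\\System32\\bcmwltry.exe
c:\\program files\\WIDCOMM\\Bluetooth Software\\bin\\btwdins.exe
c:\\progra~1\\McAfee\\VIRUSS~1\\mcshield.exe
c:\\windows\\system32\\rundll32.exe
c:\\program files\\McAfee\\MSK\\MskSrver.exe
c:\\windows\\system32\\igfxsrvc.exe
c:\\Windows\\System32\\Drivers\\ksfvjxai.sys
c:\\windows\\system32\\drivers\\rqmophar.sys
"""

# Eight lowercase letters, no digits, no recognisable vendor prefix.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


def split_path(path):
    """Lower-case a Windows path and return (directory, stem, extension)."""
    path = path.strip().lower()
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return directory, stem, ext


def name_only_hits(listing):
    """Stems that the bare eight-letter rule would flag (many are legitimate)."""
    hits = []
    for line in listing.splitlines():
        _, stem, _ = split_path(line)
        if RANDOM_STEM.match(stem):
            hits.append(stem)
    return hits


def score(path, allowlist=frozenset()):
    """Return (points, reasons). Weights are illustrative, not a standard."""
    directory, stem, ext = split_path(path)
    points, reasons = 0, []
    if RANDOM_STEM.match(stem) and stem not in allowlist:
        points += 1
        reasons.append("eight-letter name with no vendor prefix")
    if ext == "sys":
        points += 1
        reasons.append("kernel driver, so it runs with full privileges")
    if directory.startswith("c:\\windows\\system32"):
        points += 1
        reasons.append("lives in System32 among real system files")
    if directory.startswith(("c:\\program files", "c:\\progra~1")):
        points -= 1
        reasons.append("vendor directory (weak evidence of legitimacy)")
    return points, reasons


def triage(listing, allowlist=frozenset(), threshold=3):
    """Paths scoring at or above threshold, highest score first."""
    results = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line == ".":          # ComboFix uses lone dots as separators
            continue
        points, reasons = score(line, allowlist)
        if points >= threshold:
            results.append((line, points, reasons))
    return sorted(results, key=lambda r: -r[1])


if __name__ == "__main__":
    print("name rule alone flags:", name_only_hits(LISTING))
    for path, points, reasons in triage(LISTING):
        print(points, path, "; ".join(reasons))
```

With the sample listing only the two .sys files reach the threshold; bcmwltry.exe and igfxsrvc.exe score 2 (odd name, System32) and mcshield.exe scores 0 because its vendor directory offsets the name hit. The allowlist parameter exists for names a helper has already verified on that machine; nothing here replaces checking the file's signature and vendor.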

              SuperDave
              Re: Rootkit file ksfvjxai.sys?
              « Reply #24 on: December 10, 2010, 01:31:28 PM »
              I need to see the ESET scan log.

              kevlarge
                Re: Rootkit file ksfvjxai.sys?
                « Reply #25 on: December 10, 2010, 03:03:30 PM »
                Sorry - as below:

                C:\Qoobox\Quarantine\C\Users\Nashir\AppData\Local\{20B77007-BD36-42C6-8C5E-53C7139A1BBE}\chrome\content\overlay.xul.vir   probably a variant of Win32/Agent.NVQFFQI trojan   cleaned by deleting - quarantined
                C:\Qoobox\Quarantine\C\Windows\System32\drivers\ksfvjxai.sys.vir   a variant of Win32/Bubnix.BB trojan   cleaned by deleting - quarantined
                C:\Users\Nashir\Desktop\unlocker1.9.0.exe   Win32/Adware.ADON application   deleted - quarantined
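Two of the three ESET hits above point into C:\Qoobox\Quarantine, which is where ComboFix parks what it removed (original path below a drive-letter folder, with .vir appended), so they are copies of already-neutralised files rather than a live infection; only the unlocker download on the Desktop was still in place. The parser below is an added example, not ESET's or ComboFix's code, that reads scanner lines in the tab-separated path / threat / action form, recovers the original path for quarantined copies, and separates live detections from quarantine hits. The three lines are a constructed sample taken from the post; the Qoobox layout is assumed from how ComboFix names its quarantine files.

```python
import re

# Constructed sample: the three ESET result lines posted above, in the
# tab-separated form the scanner writes (path, threat, action). Not a live log.
ESET_LOG = (
    "C:\\Qoobox\\Quarantine\\C\\Users\\Nashir\\AppData\\Local\\"
    "{20B77007-BD36-42C6-8C5E-53C7139A1BBE}\\chrome\\content\\overlay.xul.vir\t"
    "probably a variant of Win32/Agent.NVQFFQI trojan\tcleaned by deleting - quarantined\n"
    "C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\drivers\\ksfvjxai.sys.vir\t"
    "a variant of Win32/Bubnix.BB trojan\tcleaned by deleting - quarantined\n"
    "C:\\Users\\Nashir\\Desktop\\unlocker1.9.0.exe\t"
    "Win32/Adware.ADON application\tdeleted - quarantined\n"
)

# Assumed ComboFix quarantine layout: <drive>:\Qoobox\Quarantine\<orig drive>\<orig path>.vir
QOOBOX = re.compile(
    r"^(?P<drive>[a-z]):\\qoobox\\quarantine\\(?P<orig_drive>[a-z])\\(?P<rest>.+?)\.vir$",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one ESET line into a record and classify where the file came from."""
    # ESET uses tabs; a forum paste often turns them into runs of spaces.
    parts = [p.strip() for p in re.split(r"\t|\s{2,}", line.strip()) if p.strip()]
    if len(parts) != 3:
        raise ValueError(f"unexpected ESET log line: {line!r}")
    path, threat, action = parts
    match = QOOBOX.match(path)
    if match:
        original = f"{match.group('orig_drive').upper()}:\\{match.group('rest')}"
        status = "already quarantined by ComboFix"
    else:
        original = path
        status = "live file, ESET action applied"
    return {
        "path": path,
        "original_path": original,
        "threat": threat,
        "action": action,
        "status": status,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def live_detections(records):
    """Detections that were still on disk when ESET ran, i.e. the ones that matter."""
    return [r for r in records if r["status"].startswith("live")]


if __name__ == "__main__":
    for record in parse_log(ESET_LOG):
        print(record["status"], "|", record["original_path"], "|", record["threat"])
```

The quarantine hits are worth keeping in the report because they confirm what the original infection was (here ESET names the driver as a Win32/Bubnix variant), but they should not be read as evidence that the cleanup failed.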

                SuperDave
                Re: Rootkit file ksfvjxai.sys?
                « Reply #26 on: December 10, 2010, 04:07:55 PM »
                That looks good. How's your computer working?

                kevlarge
                  Re: Rootkit file ksfvjxai.sys?
                  « Reply #27 on: December 11, 2010, 02:09:36 AM »
Hi Dave. It looks fully functional: IE is responsive, no hangs or crashes, and the ksfvjxai.sys file is gone, which is good! Was it the updated ComboFix that killed the unwanted processes?

                  K

                  SuperDave
                  Re: Rootkit file ksfvjxai.sys?
                  « Reply #28 on: December 11, 2010, 01:25:28 PM »
                  Quote
Was it the updated ComboFix that killed the unwanted processes?
                  I don't wish to discuss this in an open forum. The bad guys are probably watching. Let's do some cleanup.

* Click START then RUN. Vista users: press the Windows key and the R key together for the Run box.
* Now type COMMY /uninstall in the Run box.
* Make sure there's a space between COMMY and /uninstall.
* Then hit Enter.

* The above procedure will:
  * Delete ComboFix and its associated files and folders.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.

                  *****************************************

                  Clean out your temporary internet files and temp files.

                  Download TFC by OldTimer to your desktop.

                  Double-click TFC.exe to run it.

Note: If you are running Vista, right-click on the file and choose Run As Administrator.

                  TFC will close all programs when run, so make sure you have saved all your work before you begin.

                  * Click the Start button to begin the cleaning process.
                  * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                  * Please let TFC run uninterrupted until it is finished.

                  Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                  ***********************************
Use the Secunia Software Inspector to check for out-of-date software.

• Click Start Now.
• Check the box next to Enable thorough system inspection.
• Click Start.
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                  Safe Surfing!

                  emsky1280
                  Re: Rootkit file ksfvjxai.sys?
                  « Reply #29 on: December 12, 2010, 04:05:07 AM »
Great site and very helpful :) ... it's great to be here!