"Vista Internet Security 2011"

By Elmorell
Nov 20, 2010
  1. I've got some kind of malware infection that's posing as "Vista Internet Security 2011", giving me popups in the bottom right hand corner every few minutes talking about how my system is infected. Followed the preliminary procedure, but it seems like the malware is blocking MalwareBytes, I can download the file but the setup won't run. The other logs are below:

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Jeff at 12:40:44.93 on Sat 11/20/2010
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2035.988 [GMT -5:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
    C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Steam\steam.exe
    C:\Users\Jeff\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Steam\SteamService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
    uRun: [Qjebiredoxirakip] rundll32.exe "c:\users\jeff\appdata\local\mptlsL.dll",Startup
    uRun: [Fwoxekoconisix] rundll32.exe "c:\users\jeff\appdata\local\imaquloy.dll",Startup
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    uRun: [googletalk] c:\users\jeff\appdata\roaming\google\google talk\googletalk.exe /autostart
    uRun: [fgjadtyj] c:\users\jeff\appdata\local\pupseyakw\nlvemdktssd.exe
    uRun: [fdeesoml] c:\users\jeff\appdata\local\bucnmdybr\cpwmvgttssd.exe
    uRun: [hstofynd] c:\users\jeff\appdata\local\abmqjilto\mbrlkwvtssd.exe
    uRun: [hsplrbnk] c:\users\jeff\appdata\local\vsgqscujy\eexajyxtssd.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [nwiz] nwiz.exe /install
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Unattend0000000001{A7ED37BA-A960-42D4-87DD-A67355B13AD5}] "\Program Files\Princeton SCI\Downloader\LaunchDownloader.cmd"
    mRun: [Unattend0000000001{48D95F8F-4D75-4950-84DB-E255C78B200F}] "\Program Files\Princeton SCI\Downloader\LaunchDownloader.cmd"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\jeff\appdata\roaming\mozilla\firefox\profiles\bi65epm3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://
    FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
    FF - plugin: c:\users\jeff\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\jeff\appdata\roaming\mozilla\firefox\profiles\bi65epm3.default\extensions\\platform\winnt_x86-msvc\plugins\npActiveGS.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-20 343920]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_38163857\AEstSrv.exe [2009-4-20 81920]
    R2 alssvc;Ambient Light Sensor;c:\program files\dell\ambient light sensor\AlsSvc.exe [2008-6-3 382232]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-1 120128]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-16 70728]
    R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-4-21 12840]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-11-11 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-4-20 224384]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-20 91832]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-20 43288]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-16 66600]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== File Associations ===============


    =============== Created Last 30 ================

    2010-11-20 17:00:27 318976 --sha-w- c:\users\jeff\appdata\local\am.exe
    2010-11-10 17:16:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2010-10-27 16:22:03 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 16:22:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    ==================== Find3M ====================

    2010-09-20 09:25:01 231936 ----a-w- c:\windows\system32\msshsq.dll
    2010-09-10 16:37:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 17:26:59 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-08 15:53:07 389632 ----a-w- c:\windows\system32\html.iec
    2010-09-08 15:28:29 1383424 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:24:40 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:23:14 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-08-31 15:41:42 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:41:42 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:40:26 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:39:46 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:07:25 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:01:35 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:01:33 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:01:32 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:01:32 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll

    ============= FINISH: 12:41:29.87 ===============


    DDS (Ver_10-11-10.01)

    Microsoft® Windows Vista™ Ultimate
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/23/2009 5:21:39 PM
    System Uptime: 11/20/2010 10:18:39 AM (2 hours ago)

    Motherboard: Dell Inc. | | 0X564R
    Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | Microprocessor | 2400/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 233 GiB total, 99.33 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0006
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #3
    PNP Device ID: ROOT\*6TO4MP\0006
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0007
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #4
    PNP Device ID: ROOT\*6TO4MP\0007
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0003
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #2
    PNP Device ID: ROOT\*ISATAP\0003
    Service: tunnel

    ==== System Restore Points ===================

    ==== Installed Programs ======================
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    All Day Battery Life Configuration
    Ambient Light Sensor
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    BioAPI Framework
    Broadcom USH Host Components
    Bullzip PDF Printer
    Call of Duty: Modern Warfare 2
    Call of Duty: Modern Warfare 2 - Multiplayer
    Circuit Construction Kit (DC Only)
    Dell Security Device Driver Pack
    Dell Touchpad
    Dell Wireless WLAN Card Utility
    DivX Setup
    Doom 3
    Download Manager 2.3.10
    EndNote X2
    FileZilla Client 3.2.1
    Google Earth
    Google Talk (remove only)
    Google Update Helper
    GPL Ghostscript Lite 8.70
    Grand Theft Auto Vice City
    GTA San Andreas
    GTK+ Runtime 2.14.7 rev a (remove only)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hype - The Time Quest
    IDT Audio
    Intel(R) Network Connections
    Intel® Matrix Storage Manager
    ISI ResearchSoft - Export Helper
    Java DB
    Java(TM) 6 Update 18
    Java(TM) SE Development Kit 6 Update 18
    Logitech Desktop Messenger
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    MATLAB R2009a
    McAfee Agent
    McAfee AntiSpyware Enterprise Module
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MiKTeX 2.7
    Move Media Player
    Mozilla Firefox (3.5.15)
    Mozilla Thunderbird (3.1.6)
    Myst IV - Revelation
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    RICOH R5U241 / R5C847 Media Driver ver.
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Toolbars
    Skype™ 4.2
    System Requirements Lab
    TIBCO Spotfire S+ 8.1
    Turing Machine
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2443839)
    VC80CRTRedist - 8.0.50727.4053
    Visual X-TOY 7.1 for Java 1.4
    Windows Driver Package - Dell Inc. PBADRV System (01/07/2008
    Wolfram Mathematica 7 for Students (M-WIN-G 7.0.1 1213989)
    Wolfram Notebook Indexer 2.0
    Zuma Deluxe

    ==== End Of File ===========================
    GMER -
    Rootkit quick scan 2010-11-20 12:39:00
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925042 rev.DE17
    Running: dbsy6ouj.exe; Driver: C:\Users\Jeff\AppData\Local\Temp\kxldypob.sys

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x8819668A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x881965E8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x881965FC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x881966C8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8819664E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8819669E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x88196676]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x88196662]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8819663A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x88196626]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x881966F7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x881966DE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x881966B4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x88196612]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware. Please run the following and when through, try the Malwarebytes scan again:

    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already. Once done, try running a scan again. Mbam should remove some of the rogue entries.

    Go ahead and run the following also. I see numerous entries that will need to be removed, all part of the malware. I'm setting up script for you to run later:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..

    So I need the logs from Malwarebytes, the Eset online scan and Combofix in your next reply.
  3. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    That program gives me an error message saying that Malwarebytes is not installed--it's the actual setup that's being blocked, so I can't run the installation. As in, I've downloaded the mbam-setup.1.46.exe file, but running it doesn't do anything.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do a right click> Delete on the Mbam setup.
    Download Malwarebytes again and attempt the installation and scan
    If scan fails again. run ranmbam
    Run Mbam

    Please run the Eset scan and Combofix.
  5. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    New problem--the .exe default program association is somehow now wrong. Whenever I try to run a .exe (including ComboFix or anything else) I get an "Open With" display asking me to pick a program to run it with, which obviously makes no sense. I can't get into regedit to fix it because, you guessed it, regedit.exe gives the same message. Thoughts?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Ah we don't want you doing any regedits anyway!

    Run these, then try the scans:

    Please download and run the tool below named Rkill (courtesy of which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...