Windows File Protection: fake warning

#1 steeltoe



Posted 04 January 2010 - 01:19 AM

Howdy, I'm a long-time reader and this time I'm stumped. I get a random taskbar popup claiming to be Windows File Protection. If clicked it goes to an installer for Data Doctor 2010 (I cancel it). Malwarebytes does not detect anything, Ad-Aware just keeps crashing, RootRepeal freezes for hours and hours and never responds when I try to use the options in the forum directions. Spybot Search and Destroy fails to complete. SUPERAntiSpyware found some cookies and nothing else. Any ideas? Can't load Firefox (the browser was active when the machine got infected), can't load IE, only Google Chrome will work.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by steeltoe at 23:03:40.37 on Sun 01/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.16 [GMT -5:00]

AV: avast! antivirus 4.7.1098 [VPS 080325-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and Settings\steeltoe\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [amd_dc_opt] "c:\program files\amd\amd_dc_opt\amd_dc_opt.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [AMD_Display] c:\program files\amd\amd power monitor\AMD_PwrMon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
StartupFolder: c:\docume~1\steeltoe\startm~1\programs\startup\shortc~1.lnk - c:\program files\realtek ac97\SoundMan.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Send To &Bluetooth - c:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\iogear\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204767978015
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204765361859
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://raysmtb.axiscam.net:7777/activex/AMC.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\secf.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AmdAcpi;AmdAcpi Bus Filter Driver;c:\windows\system32\drivers\amdacpi.sys [2007-5-3 14336]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-3 64288]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-12-28 16640]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R3 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2006-1-23 33792]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\down\xp iso\VCdRom.sys [2001-12-19 8576]
S2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 cpuz126;cpuz126;\??\c:\docume~1\steeltoe\locals~1\temp\cpuz.sys --> c:\docume~1\steeltoe\locals~1\temp\cpuz.sys [?]
S3 cpuz128;cpuz128;\??\c:\docume~1\steeltoe\locals~1\temp\cpuz_x32.sys --> c:\docume~1\steeltoe\locals~1\temp\cpuz_x32.sys [?]
S3 CrystalCpuInfo;CrystalCpuInfo;\??\c:\docume~1\steeltoe\locals~1\temp\cpuinfo.sys --> c:\docume~1\steeltoe\locals~1\temp\CpuInfo.sys [?]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\steeltoe\locals~1\temp\gpu-z.sys --> c:\docume~1\steeltoe\locals~1\temp\GPU-Z.sys [?]
S3 pbfilter;pbfilter;c:\program files\peer blocker\pbfilter.sys [2009-11-17 14424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2010-01-04 03:50:04 0 d-sha-r- C:\cmdcons
2010-01-04 03:49:20 98816 ----a-w- c:\windows\sed.exe
2010-01-04 03:49:20 77312 ----a-w- c:\windows\MBR.exe
2010-01-04 03:49:20 261632 ----a-w- c:\windows\PEV.exe
2010-01-04 03:49:20 161792 ----a-w- c:\windows\SWREG.exe
2010-01-04 03:49:12 0 d-----w- C:\ComboFix
2010-01-04 03:20:16 0 d-----w- c:\program files\Trend Micro
2010-01-04 00:18:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-03 23:57:18 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-03 23:17:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-03 23:17:10 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-03 23:17:10 0 d-----w- c:\docume~1\steeltoe\applic~1\SUPERAntiSpyware.com
2010-01-03 10:13:12 696832 ----a-w- c:\windows\isRS-000.tmp
2009-12-17 16:47:14 0 d-----w- c:\program files\Winamp Detect
2009-12-09 17:47:38 73728 ----a-w- c:\windows\system\vdremote.dll
2009-12-09 17:47:38 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2009-12-09 17:47:06 0 d-----w- c:\program files\Virtualdub
2009-12-09 17:41:18 0 d-----w- c:\program files\AC3File
2009-12-09 17:41:05 819200 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-09 17:41:05 77824 ----a-w- c:\windows\system32\xvid.ax
2009-12-09 17:41:03 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-09 17:41:02 0 d-----w- c:\program files\Xvid
2009-12-06 08:06:56 0 d-----w- c:\program files\Garmin GPS Plugin

==================== Find3M ====================

2010-01-03 10:07:33 102400 ----a-w- c:\windows\system32\secf.dll
2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 07:40:40 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-01 07:40:40 22328 ----a-w- c:\docume~1\steeltoe\applic~1\PnkBstrK.sys
2009-12-01 07:40:28 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-01 07:40:21 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-01 07:21:45 2038 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-28 20:51:24 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-28 20:51:24 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-21 01:32:14 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 01:32:14 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 01:32:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 01:32:14 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 01:32:14 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 01:32:10 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE

============= FINISH: 23:04:30.40 ===============
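
A DDS log like the one above is triaged by eye on this forum. As an added example (not part of the original thread, and not a tool from Bleeping Computer or from the author of DDS), the Python script below parses the log's sections and applies the checks a responder runs first: an AppInit_DLLs entry (Windows loads that DLL into every process that loads user32.dll, a documented persistence technique), whether that DLL's timestamp falls on the day the symptoms appeared, drivers registered from a temp directory, orphaned "No File" registrations, an AV product whose on-access scanning is disabled, and files under c:\windows written on the symptom day. The sample input is a trimmed copy of the log lines posted above, and the symptom date 2010-01-03 is taken from the post date; both are embedded so the script runs offline. A flag is a lead to verify, not a verdict: secf.dll is flagged because of where it is registered and when it was written, not because the thread identifies it as anything.

```python
import re
from datetime import date, datetime

# Constructed sample: a trimmed copy of the DDS log posted in the thread above.
SAMPLE_LOG = r"""
DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
AV: avast! antivirus 4.7.1098 [VPS 080325-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Pseudo HJT Report ===============

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
AppInit_DLLs: c:\windows\system32\secf.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
S3 cpuz126;cpuz126;\??\c:\docume~1\steeltoe\locals~1\temp\cpuz.sys --> c:\docume~1\steeltoe\locals~1\temp\cpuz.sys [?]

=============== Created Last 30 ================

2010-01-04 00:18:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-03 10:13:12 696832 ----a-w- c:\windows\isRS-000.tmp

==================== Find3M ====================

2010-01-03 10:07:33 102400 ----a-w- c:\windows\system32\secf.dll
2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

============= FINISH: 23:04:30.40 ===============
"""

# Day the poster first saw the fake popup (taken from the post date above).
SYMPTOM_DAY = date(2010, 1, 3)

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+)$")
AV_RE = re.compile(r"^AV:\s+(.+?)\s+(?:\[|\*)")


def split_sections(text):
    """Map each '==== Name ====' header of a DDS log to the non-blank lines under it."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line:
            sections[current].append(line)
    return sections


def file_index(sections):
    """Lower-cased path -> (mtime, size) from the Created Last 30 and Find3M lists."""
    idx = {}
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            m = FILE_RE.match(line)
            if m:
                mtime = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                idx[m.group(4).lower()] = (mtime, int(m.group(2)))
    return idx


def triage(text, symptom_day=SYMPTOM_DAY):
    """Return (rule, subject) findings. Each is a lead to verify, not a verdict."""
    sections = split_sections(text)
    files = file_index(sections)
    findings = []

    # An AV product with on-access scanning off gave the machine no real-time protection.
    for line in sections["Header"]:
        m = AV_RE.match(line)
        if m and "scanning disabled" in line.lower():
            findings.append(("av_realtime_disabled", m.group(1)))

    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            # Windows splits this registry value on spaces and commas, so do the same
            # (a path containing spaces must already be in 8.3 form there).
            for dll in re.split(r"[,\s]+", line.split(":", 1)[1].strip()):
                if not dll:
                    continue
                findings.append(("appinit_dll", dll))
                mtime, _ = files.get(dll.lower(), (None, None))
                if mtime is not None and mtime.date() == symptom_day:
                    findings.append(("appinit_dll_modified_on_symptom_day", dll))
        elif line.endswith(" - No File"):
            # Leftover BHO/toolbar registrations: harmless, but worth cleaning up.
            findings.append(("orphaned_registration", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m and re.search(r"\\temp\\", m.group(2), re.IGNORECASE):
            # Kernel drivers registered from a temp directory (hardware tools do this too).
            findings.append(("driver_in_temp", m.group(1)))

    for path, (mtime, _) in files.items():
        if mtime.date() == symptom_day and path.startswith("c:\\windows\\"):
            findings.append(("windows_file_on_symptom_day", path))

    return findings


if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_LOG):
        print(f"{rule:40} {subject}")
```

Run against the full log, the date filter also keeps the 2010-01-04 entries (ComboFix, the Ad-Aware Lbd.sys driver, the Trend Micro folder) out of the symptom-day list, because those are the cleanup tools the poster ran afterwards; a responder still eyeballs them, since malware and cleanup can land on the same day.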

#2 myrti



  Malware Study Hall Admin

Posted 12 January 2010 - 08:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

#3 steeltoe

  Topic Starter


Posted 12 January 2010 - 04:55 PM

Thanks for the reply. I fixed the issue, though it took some time. The fix for this intrusion (Data Doctor) is the VIPRE Antivirus program from Sunbelt.

More info here


#4 myrti



  Malware Study Hall Admin

Posted 12 January 2010 - 05:02 PM


Since this topic appears to be resolved, I will now close it. Thanks for letting us know!

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,

