
Computer running slow for past week. No new installs. McAfee, Malwarebytes' & Ad-Aware find nothing wrong


This topic is locked
17 replies to this topic

#1 workah0lic (Members, 17 posts)

Posted 10 May 2010 - 02:35 PM

Hello all. I'm hoping someone out there can help me figure out what is going on with my laptop. I have a Panasonic Toughbook CF-52 with a Core 2 Duo 8400 and 1 GB RAM. Last week, it started to lag really badly when running ANYTHING. Even if my internet connection is disabled, I still get lag. Programs that once opened up quickly now take quite a bit of time to load. Outlook, Excel, Word, Internet Explorer and even anti-spyware programs are slow in opening. Even going into My Documents, which normally takes only 1 second, now takes 5-10 seconds or longer! I bought this laptop through my employer and I only had McAfee on it. I recently installed Malwarebytes Anti-Malware and it found a Trojan, which I was able to remove easily. I also installed Ad-Aware and it came back with a clean scan. I ran HiJackThis but didn't notice anything that was out of the ordinary; however, I could be wrong. I ran the DDS program found here and have attached the appropriate files. I've also attached my HiJackThis log. I tried running GMER, but it causes my system to crash and reboot. I recently ran chkdsk and it found & fixed a few errors; however, this did not fix the problem. If you can provide ANY help with this issue, I would greatly appreciate it. Also, I want to mention that I do not have Administrator access on this computer; however, I have had no problems installing, repairing, uninstalling etc. Thanks in advance for your help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Colonial at 2:27:46.06 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.955.263 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Apps\Afaria\Bin\XeService.exe
C:\Apps\Afaria\Bin\XCMonitor.exe
C:\Apps\Afaria\Bin\XcListener.exe
C:\Program Files\B.H.A\Common\bgsvcg.exe
C:\Program Files\Afaria\Disk Protect\DPAgent.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Apps\Afaria\Bin\XcDiffCache.exe
C:\Program Files\Afaria\Disk Protect\DPAudit.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\secservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.HARMONYV8\MSSQL\Binn\secservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Panasonic\WSwitch\WSwitch.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Becrypt\BCSystray.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.HARMONYV8\MSSQL\Binn\sqlservr.exe
C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Colonial\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.coloniallife.com/Services/Appli...ices/Login.aspx
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Panasonic Hotkey Manager] c:\program files\panasonic\hotkey appendix\HKEYAPP.EXE
mRun: [PCinfo] c:\program files\panasonic\pcinfo\PcInfoUt.exe
mRun: [PRunOnce] c:\util\prunonce\PRunOnce.exe
mRun: [B'sCLiP] c:\progra~1\b'scli~1\win2k\BSCLIP.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WSwitch] c:\program files\panasonic\wswitch\WSwitch.exe
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [SAUpdate] c:\apps\sacomm\SAUPDATE.EXE
mRun: [NODEDIAG] c:\apps\sacomm\colonial
mRun: [BCSystrayDP] c:\program files\common files\becrypt\BCSystray.exe
mRun: [ieset] c:\windows\regedit.exe /s c:\windows\system32\IESET.reg
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Unum Time Zone Settings] "c:\program files\colonial life\time zone settings\TimeZoneTool.exe" /StartMinimized
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\notify.lnk - c:\sa\sa10_0\NOTIFY.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMAsst.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: bmnet.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://producermail2.coloniallife.com/iNotes6W.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1270234151843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\progra~1\qlikview\qvprot~1\Qvp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 bcupper;BeCrypt Disk Protect Helper Driver;c:\windows\system32\drivers\bcupper.sys [2006-4-11 6016]
R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2008-5-28 17192]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-7 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-17 340592]
R0 nlemsql;NLEMSQL;c:\windows\system32\drivers\nlemsql.sys [2009-10-1 75880]
R0 w2kenc;BeCrypt Disk Protect Filter Driver;c:\windows\system32\drivers\wxpenc.sys [2006-4-11 152064]
R2 Afaria Client Service;Afaria Client Service;c:\apps\afaria\bin\XeService.exe [2008-7-24 239104]
R2 bgsvcg;B's Recorder GOLD General Service;c:\program files\b.h.a\common\bgsvcg.exe [2008-5-27 145504]
R2 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [2008-5-28 195616]
R2 CiSmBios;CiSmBios;c:\windows\system32\drivers\cismbios.sys [2008-7-24 13688]
R2 DPAgent;DPAgent;c:\program files\afaria\disk protect\DPAgent.exe [2006-4-11 192512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1285864]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-9-29 143088]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-8-17 67904]
R2 MSSQL$HARMONYV7;SQL Server (HARMONYV7);c:\program files\microsoft sql server\mssql.2\mssql\binn\secservr.exe [2009-1-28 607032]
R2 MSSQL$HARMONYV8;SQL Server (HARMONYV8);c:\program files\microsoft sql server\mssql10.harmonyv8\mssql\binn\secservr.exe [2009-10-1 1066360]
R2 MSSQL$SUNGARDIWORKS;SQL Server (SUNGARDIWORKS);c:\program files\microsoft sql server\mssql.3\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-5-27 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-5-27 41216]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-11 108032]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-17 90360]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-17 42424]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [2008-5-27 50440]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-5-8 20968]
S3 bcscdftr;BeCrypt Smart Card Filter Driver;c:\windows\system32\drivers\bcscdftr.sys [2006-4-3 5888]
S3 FIDTPU;Fujitsu Touch Panel (USB);c:\windows\system32\drivers\FIDTPU.sys [2008-5-27 27030]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2008-5-27 87424]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-8-17 64432]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-5-27 47616]
S3 TOPAZUSB;TopazUsb.Sys Topaz Tablet USB Driver;c:\windows\system32\drivers\TopazUsb.sys [2008-7-24 33821]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

=============== Created Last 30 ================

2010-05-09 18:41:10 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-09 06:18:14 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-05-09 06:18:12 0 d-----w- c:\program files\CPUID
2010-05-09 03:47:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-07 08:01:26 0 d-----w- c:\docume~1\colonial\applic~1\Malwarebytes
2010-05-07 08:01:20 0 d-----w- c:\program files\SpywareBlaster
2010-05-07 08:01:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 08:01:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-07 08:01:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 08:01:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 07:57:03 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-07 07:53:58 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-07 07:53:35 0 d-----w- c:\program files\Lavasoft
2010-05-07 07:44:10 0 d-----w- c:\program files\Trend Micro
2010-05-07 07:39:28 0 d-----w- c:\docume~1\colonial\applic~1\Insurance Technologies

==================== Find3M ====================

2010-05-07 07:40:29 256 ----a-w- c:\documents and settings\colonial\pool.bin
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 2:29:44.64 ===============


#2 workah0lic (Topic Starter)

Posted 10 May 2010 - 02:53 PM

This just happened and I wanted to let you know. Outlook just gave me a message stating that "a program is trying to access e-mail address information stored in Outlook." I was not doing anything that could have triggered this.

#3 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 10 May 2010 - 02:57 PM

Hello workah0lic,

Just one thing in that log that I can see. After this, let me know how it's running and we'll go from there.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 workah0lic (Topic Starter)

Posted 10 May 2010 - 04:09 PM

Hello teacup61! Thanks for your quick reply and your help. While I was waiting for a reply, I decided to run CCleaner and SFC /scannow. CCleaner found quite a few registry errors, but my system was still sluggish. I just ran SDFix and it finished. I then ran HiJackThis again. Here's the SDFix log file:


SDFix: Version 1.240
Run by Colonial on Mon 05/10/2010 at 01:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 13:56:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000145

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\pb7dk\\rteng6.exe"="C:\\pb7dk\\rteng6.exe:*:Enabled:Adaptive Server Anywhere Database Engine"
"C:\\pb9dk\\dbeng9.exe"="C:\\pb9dk\\dbeng9.exe:*:Enabled:Adaptive Server Anywhere Database Engine"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\APPS\\Afaria\\Bin\\XeClient.exe"="C:\\APPS\\Afaria\\Bin\\XeClient.exe:*:Enabled:XeClient.exe"
"C:\\Nodesys\\rwkernel.exe"="C:\\Nodesys\\rwkernel.exe:*:Enabled:RemoteWare Kernel Application"
"C:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"="C:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe:*:Enabled:SwiApiMux"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"="C:\\Program Files\\Java\\jre6\\bin\\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\\APPS\\Afaria\\Bin\\XcListener.exe"="C:\\APPS\\Afaria\\Bin\\XcListener.exe:*:Enabled:Afaria Client Listener"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Tue 5 Sep 2006 427,632 A..H. --- "C:\Program Files\Canon\Canon iP90 Setup Utility\Maint.exe"
Tue 11 May 2004 61,440 A..H. --- "C:\Program Files\Canon\Canon iP90 Setup Utility\uinstrsc.dll"
Thu 16 Apr 1998 33,280 A..H. --- "C:\Program Files\Panasonic\BRECAL\rebootex.exe"
Fri 5 Dec 2008 244 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\{3699BACB-551D-42C6-872E-2B8882A51590}.tmp"
Sun 15 Mar 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 18 Feb 2010 9,705,848 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\443b764d58ff670dcf49c85a216ff0e9\BIT8B.tmp"
Mon 10 May 2010 262,144 A..H. --- "C:\Documents and Settings\Colonial\Local Settings\Application Data\Microsoft\Outlook\~Outlook.pst.tmp"

Finished!


HiJackThis log is attached.


#5 teacup61 (Malware Response Team)

Posted 10 May 2010 - 04:16 PM

Hi there,

You're welcome.

Be careful with CCleaner and the registry. Way back when, I let it fix all the "problems" it found and after that I couldn't open any pictures.

Try to run GMER again, but this time uncheck everything except Sections and see if it will complete.

If nothing, we'll throw a big gun at it and see.

tea

#6 workah0lic (Topic Starter)

Posted 10 May 2010 - 04:36 PM

Should I run it in Safe Mode or regular?

#7 workah0lic (Topic Starter)

Posted 10 May 2010 - 04:39 PM

Just ran it (not in Safe Mode) and it worked fine when searching Sections only. Attached is the log. Thanks for sticking with me through all of this.

#8 teacup61 (Malware Response Team)

Posted 10 May 2010 - 04:46 PM

You're welcome.

Okie dokie....nothing there, so let's do one more. If this finds nothing, then nothing will:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Unless I specify, all tools should be run in normal mode.

tea

#9 workah0lic (Topic Starter)

Posted 10 May 2010 - 06:13 PM

OK then... Finally got it to work after some difficulty due to my lack of Admin access. Here's the log:

ComboFix 10-05-10.02 - Colonial 05/10/2010 15:57:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.955.244 [GMT -7:00]
Running from: c:\documents and settings\Colonial\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Colonial\GoToAssistDownloadHelper.exe
c:\documents and settings\Colonial\ping.exe
c:\windows\regsvr32.exe
c:\windows\system32\Temp

.
((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-10 22:57 . 2010-05-10 22:57 -------- d-----w- C:\QUARANTINE
2010-05-10 22:48 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-10 22:48 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-10 22:48 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-10 22:48 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-10 22:48 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-10 22:48 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-10 22:48 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-10 22:47 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-10 22:47 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-10 22:47 . 2010-05-10 22:47 -------- d-----w- c:\program files\Alwil Software
2010-05-10 22:47 . 2010-05-10 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-10 22:12 . 2010-05-10 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-10 22:12 . 2010-05-10 22:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-10 20:39 . 2010-05-10 20:39 -------- d-----w- c:\windows\ERUNT
2010-05-10 20:25 . 2010-05-10 21:00 -------- d-----w- C:\SDFix
2010-05-10 20:16 . 2004-08-04 07:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-05-10 20:16 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-05-10 20:15 . 2001-08-18 05:36 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-05-10 20:15 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-05-10 20:15 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-05-10 20:15 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-05-10 20:15 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-05-10 20:15 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-05-10 20:15 . 2004-08-04 06:10 19328 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-05-10 20:15 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-05-10 20:15 . 2004-08-04 07:56 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-05-10 20:15 . 2004-08-04 06:07 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-05-10 20:15 . 2004-08-04 05:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-05-10 20:15 . 2001-08-17 19:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-05-10 20:13 . 2004-08-04 07:56 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
2010-05-10 20:12 . 2001-08-18 05:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-05-10 20:12 . 2001-08-18 05:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-05-10 20:12 . 2001-08-17 20:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-05-10 20:12 . 2004-08-04 06:07 44672 -c--a-w- c:\windows\system32\dllcache\uagp35.sys
2010-05-10 20:12 . 2001-08-17 20:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-05-10 20:12 . 2001-08-17 19:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2010-05-10 20:12 . 2001-08-18 05:36 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-05-10 20:12 . 2001-08-17 19:51 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys
2010-05-10 20:12 . 2001-08-17 21:56 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2010-05-10 20:12 . 2001-08-17 19:51 222336 -c--a-w- c:\windows\system32\dllcache\trid3dm.sys
2010-05-10 20:12 . 2001-08-17 21:56 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2010-05-10 20:10 . 2001-08-17 21:07 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2010-05-10 20:09 . 2001-08-17 20:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-10 20:08 . 2001-08-17 21:56 157696 -c--a-w- c:\windows\system32\dllcache\sisv256.dll
2010-05-10 20:07 . 2001-08-17 20:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-05-10 20:06 . 2001-08-17 19:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-05-10 20:05 . 2001-08-17 20:28 130942 -c--a-w- c:\windows\system32\dllcache\ptserlv.sys
2010-05-10 20:04 . 2004-08-04 05:06 169984 -c--a-w- c:\windows\system32\dllcache\pcx500.sys
2010-05-10 20:03 . 2001-08-17 20:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-05-10 20:03 . 2001-08-17 19:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-05-10 20:03 . 2001-08-17 19:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-05-10 20:03 . 2001-08-17 19:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-05-10 20:03 . 2004-08-04 05:29 1897408 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-05-10 20:03 . 2004-08-04 07:56 4274816 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2010-05-10 20:03 . 2001-08-17 19:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-05-10 20:03 . 2001-08-18 05:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-05-10 20:03 . 2004-08-04 05:41 180360 -c--a-w- c:\windows\system32\dllcache\ntmtlfax.sys
2010-05-10 20:03 . 2001-08-17 19:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-05-10 20:03 . 2001-08-17 20:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-05-10 20:01 . 2001-08-17 20:50 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-05-10 20:00 . 2001-08-17 20:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-05-10 20:00 . 2001-08-17 21:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-05-10 20:00 . 2004-08-04 06:00 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-10 20:00 . 2004-08-05 04:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-05-10 20:00 . 2001-08-17 21:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-05-10 20:00 . 2001-08-17 20:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-05-10 20:00 . 2004-08-04 06:10 51328 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-05-10 19:59 . 2001-08-17 20:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-05-10 19:59 . 2004-08-04 06:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-05-10 19:59 . 2001-08-17 20:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-05-10 19:59 . 2001-08-17 20:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-05-10 19:59 . 2001-08-17 19:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-05-10 19:59 . 2001-08-17 21:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-05-10 19:59 . 2004-08-04 06:00 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2010-05-10 19:59 . 2001-08-18 05:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-05-10 19:59 . 2001-08-17 20:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2010-05-10 19:57 . 2001-08-18 05:36 242176 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2010-05-10 19:56 . 2001-08-17 20:52 16000 -c--a-w- c:\windows\system32\dllcache\ini910u.sys
2010-05-10 19:55 . 2004-08-05 04:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-05-10 19:54 . 2001-08-18 05:36 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2010-05-10 19:53 . 2001-08-17 19:15 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys
2010-05-10 19:52 . 2001-08-17 19:19 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-05-10 19:51 . 2001-08-18 05:36 102484 -c--a-w- c:\windows\system32\dllcache\digiinf.dll
2010-05-10 19:50 . 2004-08-04 06:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-10 19:49 . 2001-08-17 19:49 19456 -c--a-w- c:\windows\system32\dllcache\ativttxx.sys
2010-05-10 19:48 . 2001-08-17 21:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-05-10 19:48 . 2010-05-10 19:48 -------- d-----w- c:\program files\CCleaner
2010-05-09 18:41 . 2010-05-09 03:47 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-09 06:18 . 2010-03-11 00:25 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-05-09 06:18 . 2010-05-09 06:18 -------- d-----w- c:\program files\CPUID
2010-05-09 03:47 . 2010-05-09 03:47 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-07 08:01 . 2010-05-07 08:01 -------- d-----w- c:\documents and settings\Colonial\Application Data\Malwarebytes
2010-05-07 08:01 . 2010-05-07 08:02 -------- d-----w- c:\program files\SpywareBlaster
2010-05-07 08:01 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 08:01 . 2010-05-07 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-07 08:01 . 2010-05-07 08:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 08:01 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 07:57 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-07 07:53 . 2010-05-07 07:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-07 07:53 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-07 07:53 . 2010-05-07 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-07 07:53 . 2010-05-07 07:54 -------- d-----w- c:\program files\Lavasoft
2010-05-07 07:44 . 2010-05-07 07:44 -------- d-----w- c:\program files\Trend Micro
2010-05-07 07:39 . 2010-05-07 07:39 -------- d-----w- c:\documents and settings\Colonial\Local Settings\Application Data\Insurance Technologies
2010-05-07 07:39 . 2010-05-07 07:39 -------- d-----w- c:\documents and settings\Colonial\Application Data\Insurance Technologies
2010-05-07 07:38 . 2010-05-09 05:10 -------- d-----w- c:\documents and settings\Colonial\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-10 22:54 . 2009-07-16 22:46 664 ----a-w- c:\documents and settings\Colonial\Local Settings\Application Data\d3d9caps.dat
2010-05-10 21:48 . 2008-09-16 14:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-09 07:27 . 2010-04-08 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BecryptTemp
2010-05-07 10:42 . 2008-07-24 15:20 -------- d-----w- c:\program files\Microsoft SQL Server
2010-05-07 07:40 . 2010-04-07 05:28 256 ----a-w- c:\documents and settings\Colonial\pool.bin
2010-04-29 09:24 . 2008-07-24 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 05:35 . 2010-04-07 05:35 -------- d-----w- c:\documents and settings\Colonial\Application Data\Blackberry Desktop
2010-04-07 05:29 . 2010-04-07 05:25 -------- d-----w- c:\documents and settings\Colonial\Application Data\Research In Motion
2010-04-07 05:28 . 2010-04-07 05:25 256 ----a-w- c:\windows\system32\pool.bin
2010-04-07 05:24 . 2010-04-07 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-04-07 05:24 . 2010-04-07 05:21 -------- d-----w- c:\program files\Research In Motion
2010-04-07 05:22 . 2010-04-07 05:22 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-07 05:22 . 2010-04-07 05:22 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-07 00:10 . 2010-04-07 00:10 -------- d-----w- c:\documents and settings\Colonial\Application Data\Office Genuine Advantage
2010-04-06 19:21 . 2010-04-02 20:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-06 01:37 . 2008-05-27 21:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-----w- c:\program files\Windows Live
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-----w- c:\program files\Microsoft
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-02 20:18 . 2010-04-02 20:18 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-02 20:18 . 2008-05-28 00:18 68456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 20:14 . 2008-07-24 17:41 -------- d-----w- c:\program files\Microsoft Works
2010-04-02 20:06 . 2010-04-02 20:06 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-03-24 08:16 . 2008-07-28 15:18 -------- d-----w- c:\program files\Colonial Life
2010-03-24 07:49 . 2010-03-24 07:49 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-03-10 06:15 . 2008-05-27 12:03 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 16:34 . 2010-04-08 14:54 67072 ----a-w- c:\documents and settings\All Users\Application Data\BecryptTemp\notification.exe
2010-02-25 06:24 . 2008-05-27 12:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2008-05-27 12:01 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 17:35 . 2004-08-03 23:18 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57 . 2004-08-03 22:59 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2008-05-27 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2008-05-27 12:02 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"Panasonic Hotkey Manager"="c:\program files\Panasonic\Hotkey Appendix\HKEYAPP.EXE" [2008-04-23 976232]
"PCinfo"="c:\program files\Panasonic\pcinfo\PcInfoUt.exe" [2007-12-14 91496]
"PRunOnce"="c:\util\prunonce\PRunOnce.exe" [2007-07-11 161160]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-09-12 753664]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-05-23 1351680]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-01-30 1040384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-04 141848]
"WSwitch"="c:\program files\Panasonic\WSwitch\WSwitch.exe" [2008-05-09 775528]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-05-23 1191936]
"SAUpdate"="c:\apps\SACOMM\SAUPDATE.EXE" [1999-08-05 12288]
"BCSystrayDP"="c:\program files\Common Files\Becrypt\BCSystray.exe" [2006-04-03 417792]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"Unum Time Zone Settings"="c:\program files\Colonial Life\Time Zone Settings\TimeZoneTool.exe" [2009-03-10 147456]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-12-02 316736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Notify.lnk - c:\sa\SA10_0\NOTIFY.EXE [2008-7-24 20480]
RAMASST.lnk - c:\windows\system32\RAMAsst.exe [2008-5-28 163840]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-16 14:05 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\pb7dk\\rteng6.exe"=
"c:\\pb9dk\\dbeng9.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\APPS\\Afaria\\Bin\\XeClient.exe"=
"c:\\Nodesys\\rwkernel.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\APPS\\Afaria\\Bin\\XcListener.exe"=

R0 bcupper;BeCrypt Disk Protect Helper Driver;c:\windows\system32\drivers\bcupper.sys [4/11/2006 9:10 AM 6016]
R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [5/28/2008 3:57 PM 17192]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/7/2010 12:57 AM 64288]
R0 nlemsql;NLEMSQL;c:\windows\system32\drivers\nlemsql.sys [10/1/2009 5:08 PM 75880]
R0 w2kenc;BeCrypt Disk Protect Filter Driver;c:\windows\system32\drivers\wxpenc.sys [4/11/2006 9:10 AM 152064]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/10/2010 3:48 PM 164048]
R2 Afaria Client Service;Afaria Client Service;c:\apps\Afaria\Bin\XeService.exe [7/24/2008 8:49 AM 239104]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/10/2010 3:48 PM 19024]
R2 bgsvcg;B's Recorder GOLD General Service;c:\program files\B.H.A\Common\bgsvcg.exe [5/27/2008 3:11 PM 145504]
R2 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [5/28/2008 3:57 PM 195616]
R2 CiSmBios;CiSmBios;c:\windows\system32\drivers\cismbios.sys [7/24/2008 9:18 AM 13688]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [5/8/2010 11:18 PM 20968]
R2 DPAgent;DPAgent;c:\program files\Afaria\Disk Protect\DPAgent.exe [4/11/2006 8:37 AM 192512]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/17/2009 2:27 AM 67904]
R2 MSSQL$HARMONYV7;SQL Server (HARMONYV7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\secservr.exe [1/28/2009 7:04 AM 607032]
R2 MSSQL$HARMONYV8;SQL Server (HARMONYV8);c:\program files\Microsoft SQL Server\MSSQL10.HARMONYV8\MSSQL\Binn\secservr.exe [10/1/2009 5:08 PM 1066360]
R2 MSSQL$SUNGARDIWORKS;SQL Server (SUNGARDIWORKS);c:\program files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\Panasonic\pcinfo\PCInfoPi.exe [5/27/2008 2:48 PM 54632]
R2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\Panasonic\pcinfo\PCInfoSV.exe [5/27/2008 2:48 PM 189800]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [5/27/2008 5:10 AM 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/27/2008 5:11 AM 41216]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/11/2008 5:58 PM 108032]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [5/27/2008 5:10 AM 50440]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1285864]
S3 bcscdftr;BeCrypt Smart Card Filter Driver;c:\windows\system32\drivers\bcscdftr.sys [4/3/2006 11:38 AM 5888]
S3 FIDTPU;Fujitsu Touch Panel (USB);c:\windows\system32\drivers\FIDTPU.sys [5/27/2008 5:13 AM 27030]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [5/27/2008 5:11 AM 87424]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/17/2009 2:27 AM 64432]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [5/27/2008 5:11 AM 47616]
S3 TOPAZUSB;TopazUsb.Sys Topaz Tablet USB Driver;c:\windows\system32\drivers\TopazUsb.sys [7/24/2008 7:06 AM 33821]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3/30/2009 9:55 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$HARMONYV8;SQL Server Agent (HARMONYV8);c:\program files\Microsoft SQL Server\MSSQL10.HARMONYV8\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:46]

2010-05-10 c:\windows\Tasks\User_Feed_Synchronization-{66B128D4-4D91-4902-A686-56356E2BFF1E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.coloniallife.com/Services/Appli...ices/Login.aspx
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\progra~1\QlikView\QVPROT~1\Qvp.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-05-10 16:08:28
ComboFix-quarantined-files.txt 2010-05-10 23:08

Pre-Run: 121,010,495,488 bytes free
Post-Run: 122,437,885,952 bytes free

- - End Of File - - FC2B2BBF3C8AE0652FB4CC51664D1FE6


#10 teacup61

teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 May 2010 - 06:56 PM

One of those AntiVirus programs needs to go. Having them both is definitely not helping. If you keep MBAM, then I suggest you at least turn off Ad-Aware altogether, or uninstall it.

You can delete SDFix also.

Let me know if that helps at all. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
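
The ComboFix report above lists the three places a defender reads first when a machine turns sluggish: the Run keys, the services/drivers table and the winlogon notify DLLs, and teacup61's reply turns on what those sections show, namely that several security products (McAfee, avast, Ad-Aware, Spybot's TeaTimer) are all set to load at boot. The Python below is an added example, not code from the thread, from ComboFix or from any tool named here: it parses those three sections out of a ComboFix-style log and inventories which security products are set to start, so the overlap is visible at a glance. The log excerpt is constructed from entries quoted above, and the product fingerprint table is this example's own assumption rather than anything ComboFix provides.

```python
import re

# Constructed excerpt in ComboFix's report format; the entries mirror ones
# quoted in the thread above. A real run would read the whole saved log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-16 14:05 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/10/2010 3:48 PM 164048]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 8:07 AM 19456]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1285864]
R3 e1yexpress;Intel Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [5/27/2008 5:10 AM 244368]
"""

# Line shapes ComboFix uses for the three sections this example reads.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]')
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$")
NOTIFY_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$")

# Hand-maintained product fingerprints (this example's own assumption, not a
# ComboFix feature): lower-case fragments of a value name or file path.
SECURITY_PRODUCTS = {
    "avast": ("avast", "alwils", "\\asw"),
    "McAfee": ("mcafee", "network associates", "\\mfe"),
    "Lavasoft Ad-Aware": ("lavasoft", "ad-aware"),
    "Malwarebytes": ("malwarebytes", "mbam"),
    "Spybot S&D": ("spybot",),
}


def parse_combofix(text):
    """Inventory the Run values, services/drivers and winlogon notify DLLs in a ComboFix log."""
    inventory = {"run": [], "services": [], "winlogon_notify": []}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:  # a [HKEY_...] header opens a new registry key
            current_key = m.group("key")
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            inventory["run"].append({"key": current_key, "name": m.group("name"),
                                     "path": m.group("path"), "size": int(m.group("size"))})
            continue
        m = SERVICE_RE.match(line)
        if m:  # R = running, S = stopped; the digit is the start type
            inventory["services"].append({"state": m.group("state"), "name": m.group("name"),
                                          "display": m.group("display"), "path": m.group("path")})
            continue
        m = NOTIFY_RE.match(line)
        if m and current_key and "winlogon\\notify" in current_key.lower():
            inventory["winlogon_notify"].append({"key": current_key, "path": m.group("path")})
    return inventory


def security_products(inventory):
    """Map each recognised security product to the autostart entries that load it."""
    found = {}
    for entry in inventory["run"] + inventory["services"]:
        haystack = (entry["name"] + " " + entry["path"]).lower()
        for product, fragments in SECURITY_PRODUCTS.items():
            if any(fragment in haystack for fragment in fragments):
                found.setdefault(product, []).append(entry["name"])
    return {product: sorted(names) for product, names in found.items()}


def overlapping_products(inventory):
    """Every security product set to load at boot; two or more is the overlap to resolve."""
    return sorted(security_products(inventory))


if __name__ == "__main__":
    inv = parse_combofix(SAMPLE_LOG)
    for product, names in security_products(inv).items():
        print(f"{product}: {', '.join(names)}")
    for dll in inv["winlogon_notify"]:
        print(f"winlogon notify DLL (review): {dll['path']}")
```

Run against the full log pasted above, the same parser picks up the Malwarebytes driver entries and the remaining avast drivers as well; the winlogon notify list is printed separately because a DLL loaded into winlogon.exe is worth confirming by vendor regardless of how many scanners are installed.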

#11 workah0lic

workah0lic
  • Topic Starter
  • Members
  • 17 posts

Posted 10 May 2010 - 08:57 PM

Oh yeah, I just installed those trying to find what was going on... I don't normally have both running... Ad-Aware is definitely gonna go. I'll go delete SDFix as well, but all of this started a long time before I downloaded anti-malware programs... I am just lost now. I have no idea what to do next.

#12 teacup61

teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 May 2010 - 09:13 PM

I'm sorry....I just don't see anything malware related. I never did see the MBAM report....is MBAM coming up clean now?

Empty out anything unfamiliar to you in Outlook....have you gotten that message any more?

Have a look here and see if there's anything you haven't tried there: http://miekiemoes.blogspot.com/2008/02/hel...er-is-slow.html

tea



#13 workah0lic

workah0lic
  • Topic Starter
  • Members
  • 17 posts

Posted 10 May 2010 - 09:26 PM

OK. I will check out that blog and see if there's anything else. MBAM is coming up clean. I have no idea what could be causing this. But if you say that there's no malware, then there's no malware and something else is going on in the background. I'm currently going through all my programs and uninstalling recently installed ones that may be the source. Thanks again for your help thus far.

#14 teacup61

teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 May 2010 - 09:29 PM

You're welcome....I'll leave the thread open for a few days. If something comes up, please do let me know. I want to help if I can. :)

tea

#15 workah0lic

workah0lic
  • Topic Starter
  • Members
  • 17 posts

Posted 13 May 2010 - 04:35 PM

Well I decided to go out and buy a 2GB RAM chip. I also uninstalled a few unnecessary programs, removed a few programs that ran at startup and downloaded Kaspersky. I am in the process of getting McAfee taken off of my system as it seems to be eating up a lot of RAM. Kaspersky has a smaller footprint. Anyways, it seems to be running a little more efficiently, but I think that's mostly due to the increase in RAM. Thanks for all of your help, tea. I appreciate it!



