Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Security Center and Defender are repeatedly self-disabled


  • This topic is locked This topic is locked
30 replies to this topic

#1 dwatkin235

dwatkin235

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 27 February 2011 - 03:52 AM

Good morning, and thank you in advance for your response. Here is the what I have:


System Description: Windows 7 64-bit running Microsoft Forefront and Windows Defender

Problem Description: Windows Security Center and Defender are repeatedly self-disabled. Neither will automatically start with Windows. When manually restarted, they revert to disabled within minutes. There could be other related issues I have not yet discovered.

Attempted Unsuccessful Remedies:
1) Manually restarted them in Services
2) Manually restarted them in Regedit (by changing start value from 4 to 2)
3) Ended scheduled task "uzzcli" in Task Scheduler
4) Ran Spy-bot S&D (log available) - removed fakealert, win32.palevo
5) Currently running Ad-aware
6) Currently running Malwarebytes' Anti-Malware

Notes: DDS Attach file attached. DDS Text file pasted below:



DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Dan at 3:11:28.09 on Sun 02/27/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8191.5136 [GMT -5:00]

AV: Microsoft Forefront Client Security *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Forefront Client Security *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SysWOW64\ASTSRV.EXE
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSMON_Service.Exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSUSBInt2.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\WUDFHost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\nvraidservice.exe
C:\PROGRA~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSMON.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\SlySoft\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickSync\QuickSync.exe
C:\Program Files (x86)\Sprint\RDVCHG.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Malwarebytes\mbam.exe
C:\Program Files (x86)\Hewlett-Packard\KBD\kbd.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe
C:\Program Files (x86)\Combi-Fix\TrendMicro\HiJackThis\HiJackThis.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dan\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://emp.psaairlines.com/crewweb/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\Spybot\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
uRun: [Google Update] "C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot\TeaTimer.exe
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [Microsoft Default Manager] "c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [UPSMON] "C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSMON.EXE"
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.EXE
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\SlySoft\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [HP] C:\Program Files (x86)\Hewlett-Packard\HP QuickSync\QuickSync.exe
mRun: [Sprint SmartView] "C:\Program Files (x86)\Sprint\SprintSV.exe" -a
mRun: [RDVCHG] "C:\Program Files (x86)\Sprint\RDVCHG.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Dan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Spybot\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
mRun-x64: [NVRaidService] C:\Windows\system32\nvraidservice.exe
mRun-x64: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
mRun-x64: [Microsoft Forefront Client Security Antimalware Service] "c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
mRunOnce-x64: [PCDrProfiler] "C:\Program Files\PC-Doctor for Windows\RunProfiler.exe" -r
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2011-2-27 69376]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atipmdag.sys [2010-3-10 6403072]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-3-10 188928]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-2-22 17152]
R3 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2009-12-10 91520]
S3 bcm;WiMAX Network Adapter;C:\Windows\System32\drivers\drxvi314_64.sys [2010-2-11 359040]
S3 bcmbusctr;WiMAX Bus Driver;C:\Windows\System32\drivers\BcmBusCtr_64.sys [2010-2-11 62976]
S3 cm_net;C-motech USB Network Adapter Drivers;C:\Windows\System32\drivers\cm_net.sys [2010-9-30 133120]
S3 cm_ser;C-motech USB Serial Port Driver;C:\Windows\System32\drivers\cm_ser.sys [2010-9-30 118272]

=============== Created Last 30 ================

2011-02-27 07:26:35 388096 ----a-r- C:\Users\Dan\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2011-02-27 07:26:35 -------- d-----w- C:\Program Files (x86)\Combi-Fix
2011-02-27 06:53:42 -------- d-----w- C:\Users\Dan\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2011-02-27 06:35:58 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-02-27 06:35:55 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-02-27 06:33:56 -------- d-----w- C:\Users\Dan\AppData\Roaming\Malwarebytes
2011-02-27 06:33:28 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-27 06:33:27 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-27 06:33:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes
2011-02-27 06:33:27 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-27 06:33:13 -------- d-----w- C:\Users\Dan\AppData\Local\Sunbelt Software
2011-02-27 06:31:54 -------- dc-h--w- C:\PROGRA~3\{E53F90E0-D7CA-4310-8844-F6E688407890}
2011-02-27 06:31:45 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-02-27 06:04:57 -------- d-----w- C:\Program Files (x86)\Spybot
2011-02-27 06:04:57 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2011-02-27 04:52:44 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{EC948AF6-3303-4109-ADDB-3C36BDAFF5DF}\mpengine.dll
2011-02-27 04:49:30 153088 ----a-w- C:\Windows\Snekya.exe
2011-02-27 04:49:24 52736 --sha-r- C:\Windows\SysWow64\imageresx.dll
2011-02-27 04:26:03 7947600 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{131168B2-6142-49DA-8B54-A4F42F6F3D3E}\mpengine.dll
2011-02-23 19:16:11 101376 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\HPZPPWN7.DLL
2011-02-10 19:15:59 264192 ----a-w- C:\Windows\System32\upnp.dll
2011-02-10 19:13:15 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-02-10 19:13:15 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-02-10 19:13:03 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-02-10 19:13:03 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-02-10 19:13:03 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-02-10 19:13:03 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-01-31 02:57:07 -------- d-----w- C:\APDL
2011-01-30 19:57:00 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
2011-01-28 22:31:24 -------- d-----w- C:\Users\Dan\AppData\Local\Amazon
2011-01-28 22:31:17 -------- d-----w- C:\Program Files (x86)\Amazon
2011-01-28 22:14:07 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2011-01-28 15:55:06 -------- d-----w- C:\Program Files\iTunes
2011-01-28 15:55:06 -------- d-----w- C:\Program Files\iPod

==================== Find3M ====================

2011-02-03 02:40:23 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-02-02 22:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys
2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
2010-12-21 06:16:16 214016 ----a-w- C:\Windows\System32\winsrv.dll
2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll
2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
2010-12-18 06:11:41 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-12-18 06:11:34 714752 ----a-w- C:\Windows\System32\kerberos.dll
2010-12-18 05:29:40 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2010-12-18 04:55:03 482816 ----a-w- C:\Windows\System32\html.iec
2010-12-18 04:20:55 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-12-18 04:13:40 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-12-18 03:47:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-29 22:38:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

============= FINISH: 3:14:49.56 ===============

EDIT: Please be patient. There are over 130 unanswered topics in this forum at present and the current average wait time to receive help is 5 days. ~BP

Thank you for the response, I understand. I have added this to my "watched topics". Looking forward to correcting this together. Thank you.

Attached Files


Edited by Budapest, 01 March 2011 - 01:22 AM.


BC AdBot (Login to Remove)

 


#2 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 05 March 2011 - 08:54 PM

Any advice would be greatly appreciated.

#3 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:35 AM

Posted 06 March 2011 - 05:34 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#4 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 06 March 2011 - 03:22 PM

Thank you for the response Casey. I will run the scan as directed and paste the new results here tonight.

#5 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 08 March 2011 - 10:54 AM

Sorry about the delay, I got called into work on short notice. I'll run the scan and post the new results here momentarily.

#6 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 08 March 2011 - 12:29 PM

1. I am still having this issue.

2. System Description: Windows 7 64-bit running Microsoft Forefront and Windows Defender

3. I have two Windows 7 Recovery discs, one on a partition and one on a DVD.

4. The instructed steps were successfully completed.

5. Problem Description: Windows Security Center and Defender are repeatedly self-disabled. Neither will automatically start with Windows. When manually restarted, they revert to disabled within minutes. There could be other related issues I have not yet discovered.

Attempted Unsuccessful Remedies:
a) Manually restarted them in Services
B) Manually restarted them in Regedit (by changing start value from 4 to 2)
c) Ended scheduled task "uzzcli" in Task Scheduler
d) Ran Spy-bot S&D (log available) - removed fakealert, win32.palevo
e) Currently running Ad-aware
f) Currently running Malwarebytes' Anti-Malware

6. Awaiting response.

7. See new DDS log attached as well as pasted below (GMER anti-rootkit Scanner unavailable due to running the 64-bit version of Windows).

================================================
Attached File  Attach.zip   5.49KB   1 downloads
DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Dan at 12:02:48.19 on Tue 03/08/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8191.5519 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Forefront Client Security *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Forefront Client Security *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\ASTSRV.EXE
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSMON_Service.Exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSUSBInt2.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\System32\nvraidservice.exe
C:\PROGRA~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSMON.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickSync\QuickSync.exe
C:\Program Files (x86)\Sprint\RDVCHG.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Hewlett-Packard\KBD\kbd.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files (x86)\DDS\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://emp.psaairlines.com/crewweb/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: AutorunsDisabled - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\Spybot\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
uRun: [Google Update] "C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot\TeaTimer.exe
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [Microsoft Default Manager] "c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [UPSMON] "C:\Program Files (x86)\HP\HP Battery Backup Monitor\UPSMON.EXE"
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.EXE
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP] C:\Program Files (x86)\Hewlett-Packard\HP QuickSync\QuickSync.exe
mRun: [Sprint SmartView] "C:\Program Files (x86)\Sprint\SprintSV.exe" -a
mRun: [RDVCHG] "C:\Program Files (x86)\Sprint\RDVCHG.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Spybot\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
mRun-x64: [NVRaidService] C:\Windows\system32\nvraidservice.exe
mRun-x64: [Microsoft Forefront Client Security Antimalware Service] "c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
mRunOnce-x64: [PCDrProfiler] "C:\Program Files\PC-Doctor for Windows\RunProfiler.exe" -r
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2011-2-27 69376]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-7-28 52856]
R1 SASDIFSV;SASDIFSV;C:\Program Files (x86)\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files (x86)\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;C:\Program Files (x86)\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/12/10 14:11:45];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-12-10 146928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [2010-7-20 16384]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [2007-4-5 77216]
R2 HPBtnSrv;HP Easy Backup Button Service;C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe [2009-4-22 192512]
R2 NvtlService;NovaCore SDK Service;C:\Program Files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [2010-1-11 82944]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-9-8 7767552]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-9-8 279040]
R3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
R3 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2009-12-10 91520]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1ca065b814b8617;Google Update Service (gupdate1ca065b814b8617);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-7-16 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-2-22 1405384]
S2 McAfeeFramework;McAfee Framework Service;"C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe" /ServiceStart --> C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [?]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot\SDWinSec.exe [2011-2-27 1153368]
S3 bcm;WiMAX Network Adapter;C:\Windows\System32\drivers\drxvi314_64.sys [2010-2-11 359040]
S3 bcmbusctr;WiMAX Bus Driver;C:\Windows\System32\drivers\BcmBusCtr_64.sys [2010-2-11 62976]
S3 CASprint;Sprint Con App Svc;C:\Program Files (x86)\Sprint\ConAppsSvc.exe [2010-6-8 124224]
S3 cm_net;C-motech USB Network Adapter Drivers;C:\Windows\System32\drivers\cm_net.sys [2010-9-30 133120]
S3 cm_ser;C-motech USB Serial Port Driver;C:\Windows\System32\drivers\cm_ser.sys [2010-9-30 118272]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-3-8 48488]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;C:\Windows\System32\PCTINDIS5X64.sys [2010-6-8 43032]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]

=============== Created Last 30 ================

2011-03-08 16:41:11 7947600 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{4A189E73-758D-4EB6-870E-9D46CEF15272}\mpengine.dll
2011-03-08 16:40:17 -------- d-----w- C:\Users\Dan\AppData\Local\{FAE4DDEE-4D48-4389-A4ED-209DAAC837F8}
2011-03-08 16:22:57 -------- d-----w- C:\Windows\en
2011-03-08 16:13:14 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-03-08 16:08:55 48488 ----a-w- C:\Windows\System32\drivers\fssfltr.sys
2011-03-08 16:07:07 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\df7952401cbddaa19\MeshBetaRemover.exe
2011-03-08 16:07:05 69464 ----a-w- C:\Windows\SysWow64\XAPOFX1_3.dll
2011-03-08 16:07:05 523088 ----a-w- C:\Windows\System32\d3dx10_42.dll
2011-03-08 16:07:05 515416 ----a-w- C:\Windows\SysWow64\XAudio2_5.dll
2011-03-08 16:07:05 453456 ----a-w- C:\Windows\SysWow64\d3dx10_42.dll
2011-03-08 16:07:02 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\dc7ad7801cbddaa18\DSETUP.dll
2011-03-08 16:07:02 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\dc7ad7801cbddaa18\DXSETUP.exe
2011-03-08 16:07:02 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\dc7ad7801cbddaa18\dsetup32.dll
2011-03-08 16:06:51 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-03-08 16:06:51 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-03-08 16:06:49 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d44e7ee01cbddaa17\DSETUP.dll
2011-03-08 16:06:49 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d44e7ee01cbddaa17\DXSETUP.exe
2011-03-08 16:06:49 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d44e7ee01cbddaa17\dsetup32.dll
2011-03-08 15:58:30 -------- d-----w- C:\Users\Dan\AppData\Local\Windows Live
2011-03-08 15:58:27 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-03-08 15:53:00 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2011-03-08 15:53:00 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2011-03-01 17:41:20 -------- d-----w- C:\Windows\pss
2011-03-01 16:10:40 -------- d-----w- C:\Users\Dan\AppData\Roaming\QuickScan
2011-03-01 02:05:17 521448 ----a-w- C:\Windows\System32\deployJava1.dll
2011-03-01 01:23:39 -------- d-----w- C:\Users\Dan\AppData\Local\Adobe
2011-03-01 01:10:35 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-03-01 00:25:08 -------- d-----w- C:\PROGRA~3\RegCure
2011-02-28 22:43:54 -------- d-----w- C:\Users\Dan\AppData\Roaming\SUPERAntiSpyware.com
2011-02-28 22:43:54 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2011-02-28 22:43:50 -------- d-----w- C:\PROGRA~3\!SASCORE
2011-02-28 22:43:33 -------- d-----w- C:\Program Files (x86)\SUPERAntiSpyware
2011-02-28 21:49:46 -------- d-----w- C:\Program Files (x86)\ATF-Cleaner
2011-02-28 20:35:54 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2011-02-28 20:35:54 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2011-02-28 20:35:42 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-02-28 20:35:41 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-02-28 20:35:41 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-02-28 20:35:40 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-02-27 17:02:54 16432 ----a-w- C:\Windows\System32\lsdelete.exe
2011-02-27 13:57:38 -------- d-----w- C:\Program Files (x86)\DDS
2011-02-27 07:26:35 388096 ----a-r- C:\Users\Dan\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2011-02-27 07:26:35 -------- d-----w- C:\Program Files (x86)\Combi-Fix
2011-02-27 06:53:42 -------- d-----w- C:\Users\Dan\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2011-02-27 06:35:58 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-02-27 06:35:55 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-02-27 06:33:56 -------- d-----w- C:\Users\Dan\AppData\Roaming\Malwarebytes
2011-02-27 06:33:28 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-27 06:33:27 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-27 06:33:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes
2011-02-27 06:33:27 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-27 06:33:13 -------- d-----w- C:\Users\Dan\AppData\Local\Sunbelt Software
2011-02-27 06:31:54 -------- dc-h--w- C:\PROGRA~3\{E53F90E0-D7CA-4310-8844-F6E688407890}
2011-02-27 06:31:45 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-02-27 06:04:57 -------- d-----w- C:\Program Files (x86)\Spybot
2011-02-27 06:04:57 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2011-02-27 04:52:44 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{EC948AF6-3303-4109-ADDB-3C36BDAFF5DF}\mpengine.dll
2011-02-27 04:49:24 52736 --sha-r- C:\Windows\SysWow64\imageresx.dll
2011-02-23 19:16:11 101376 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\HPZPPWN7.DLL
2011-02-10 19:15:59 264192 ----a-w- C:\Windows\System32\upnp.dll
2011-02-10 19:13:15 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-02-10 19:13:15 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-02-10 19:13:03 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-02-10 19:13:03 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-02-10 19:13:03 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-02-10 19:13:03 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

==================== Find3M ====================

2011-02-03 02:40:23 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-02-02 22:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
2011-01-21 16:07:28 956224 ----a-w- C:\Windows\SysWow64\Actbar3.ocx
2011-01-06 16:22:32 259392 ----a-w- C:\Windows\SysWow64\tiffexpt.dll
2011-01-06 16:22:28 132416 ----a-w- C:\Windows\SysWow64\textexpt.dll
2011-01-06 16:22:18 210240 ----a-w- C:\Windows\SysWow64\rtfexpt.dll
2011-01-06 16:22:10 378176 ----a-w- C:\Windows\SysWow64\pdfexpt.dll
2011-01-06 16:21:56 554304 ----a-w- C:\Windows\SysWow64\htmlexpt.dll
2011-01-06 16:21:52 357696 ----a-w- C:\Windows\SysWow64\exclexpt.dll
2011-01-06 16:21:50 1835328 ----a-w- C:\Windows\SysWow64\arpro2.dll
2011-01-06 16:21:24 612672 ----a-w- C:\Windows\SysWow64\ARVIEW2.OCX
2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys
2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
2010-12-21 06:16:16 214016 ----a-w- C:\Windows\System32\winsrv.dll
2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll
2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
2010-12-18 06:11:41 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-12-18 06:11:34 714752 ----a-w- C:\Windows\System32\kerberos.dll
2010-12-18 05:29:40 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2010-12-18 04:55:03 482816 ----a-w- C:\Windows\System32\html.iec
2010-12-18 04:20:55 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-12-18 04:13:40 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-12-18 03:47:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

============= FINISH: 12:04:26.66 ===============

#7 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:35 AM

Posted 09 March 2011 - 06:19 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

As you may have noticed, I am currently in training which means that all of my responses will first be verified by a malware removal coach. As such, there may be a little delay in my responses to you. On the plus side, there will be two sets of eyes looking over your logs.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "track this topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#8 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:35 AM

Posted 09 March 2011 - 04:18 PM

Hi,

Quick question before we start: have you ran ComboFix before? If you have, please post me the log.

Ran Spy-bot S&D (log available) - removed fakealert, win32.palevo


Could you post that log for me, please? I'd also like to see the log produced when you ran MBAM if you still have it.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

Download and run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#9 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 09 March 2011 - 07:37 PM

No, I have not run Combo-Fix yet.

I am away on business for a few days. I will post the Spy-bot and MBAM logs, as well as run Combo-Fix as directed and post that log once I return on the 12th.

Thank you again for your help.

#10 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 12 March 2011 - 06:31 PM

SpybotSD Log:


--- Report generated: 2011-02-27 01:27 ---

Win32.FraudLoad.edt: [SBI $8454102F] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-759282183-2352944667-851806981-1004\Software\NtWqIVLZEWZU

Win32.FraudLoad.edt: [SBI $666C83D9] Data (File, fixed)
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.FraudLoad.edt: [SBI $1436A642] Data (File, fixed)
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.FraudLoad.edt: [SBI $354F3C2C] Data (File, fixed)
C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Win32.Palevo: [SBI $067C0FA0] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-759282183-2352944667-851806981-1004\Software\JP595IR86O

BurstMedia: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


BurstMedia: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


WebTrends live: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


Zedo: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


Statcounter: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


Right Media: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


FastClick: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


CasaleMedia: Tracking cookie (Internet Explorer: Dan) (Cookie, fixed)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


HitBox: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


HitBox: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


HitBox: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


WebTrends live: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2011-02-27 spybotsd162.exe (1.6.2.0)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-02-27 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-02-24 Includes\Adware.sbi (*)
2011-02-24 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-02-24 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-02-24 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-02-24 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-02-24 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-02-24 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-02-24 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-02-24 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-02-24 Includes\TrojansC-02.sbi (*)
2011-02-24 Includes\TrojansC-03.sbi (*)
2011-02-24 Includes\TrojansC-04.sbi (*)
2011-02-24 Includes\TrojansC-05.sbi (*)
2011-02-24 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

MBAM Log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5890

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/27/2011 8:48:52 AM
mbam-log-2011-02-27 (08-48-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 600634
Time elapsed: 5 hour(s), 16 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\ChromePass\ChromePass.exe (Tool.PasswordViewer) -> Quarantined and deleted successfully.

#11 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 12 March 2011 - 07:26 PM

After closing all anti-virus, anti-malware, and anti-spyware programs, I started Combo-Fix and received a message that Microsoft Forefront Client Security antivirus and antispyware are still active. I checked running processes and services and neither were active, so I clicked "Ok" and received this message:

Posted Image

I checked again. Microsoft Forefront Client Security (MSASCui.exe) is not running. The malware is apparently fooling the system into thinking that Forefront is already running. Should I continue with the Combo-Fix scan?

#12 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:35 AM

Posted 13 March 2011 - 12:28 PM

Hi,

Since you are sure that Forefront is not running, you may proceed with running ComboFix and ignore the warning.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#13 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 14 March 2011 - 12:07 PM

I found other instances of Microsoft Forefront Client Utility running and ended these executables: Anti-malware Service (MsMpeng.exe), State Assessment Service (FcsSas.exe), UI (MSASCui.exe).

I then checked "Ok" to continue the scan and received this message:

Posted Image

Then I changed the name of ComboFix.exe to Caseyboy.exe and reran the scan with the same result.

#14 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:35 AM

Posted 15 March 2011 - 06:58 AM

Hi there,

That error message suggests that you tried to run a ComboFix script, did you?

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#15 dwatkin235

dwatkin235
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 15 March 2011 - 02:38 PM

No, I downloaded ComboFix from the link provided and followed the instructions to run the program. I do not know how to run a script.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users