Topic: "GFI Software Anti MalWare Service has stopped working"


Sojourner
"GFI Software Anti MalWare Service has stopped working"
« on: June 15, 2012, 11:15:32 AM »
Only I don't have anything from GFI installed!

Running Vista with all current updates; AVG; AdAware; no firewall.  It's a desktop with 6GB RAM and a terabyte HD.

Recently I installed SeaMonkey (since removed), some games off GoG.com (a paid game provider sort of like Steam, only without the overlord approach), Thunderbird, and possibly one other app (legit) that I can't recall off the top of my head.  Also the update from AVG 2011 to 2012, and I accidentally got the 30-day "free trial" version instead of the "free" version (VERY annoying!).  Also updated AdAware.  I can't think of anything else new I've added to the computer.  I removed all old versions of JAVA and installed the new versions (both 32 and 64 bit as I have apps that need each).  To the best of my knowledge I deselected any leechware that was attached to anything I installed.  (I define leechware to include anything packaged with legit software that isn't actually part of that software - stuff like versions of virus scanners like McAfee, all those toolbar thingies, stuff that wants to change your default search engine - even if it comes from a legit source, if it's not part of what I'm installing, it's leechware.)

There was some kind of registry checking software that ended up on my desktop; I only noticed it when I accidentally clicked on it and opened it and it started running.  That did say GFI on it, but I cancelled it as soon as it started running and immediately went to the Add/Remove programs thing (whatever they call it under Vista) and uninstalled it.  However, I continue to get these "GFI failed" messages.

There's nothing in the processes list of the task manager labeled GFI.  I was getting these failure messages before uninstalling the registry checker labeled GFI, but only rarely, and it was not affecting the actual operation of the PC.  Now the system boots noticeably more slowly, things hang, and I can't keep an internet connection for more than a few minutes (when checked with the Windows repair utility it tells me there's nothing wrong, yet I can't get out on it).  After about 5 or 10 minutes, I get the GFI FAILED notification; the internet is fried at that point, but as long as I stay off the internet things seem to be OK.  Dropbox still seems to work, but my MOG app (internet radio) fails; Spotify (another internet radio) seems to work at least for a while, and if it was started before the crash, uTorrent can download a file (I have not been downloading torrents, nor have I opened a file downloaded in this way, but I did run that just to check since Dropbox seems unaffected).  Both Chrome and Firefox seem to be blocked, however.  (I have Ghostery, BetterPrivacy, and Adaware installed.)

At first I assumed GFI had come as leechware with one of my recent legit software installations but looking around their website I didn't see any signs of a stand-alone registry checker, and their only "free trial" version is a business version - not the kind of thing I would expect to be leeched to any home software.  Plus if it were legit, uninstalling should have taken care of the problem.  Instead it seems to have made it much, much worse.

I did a full scan of all files with both AdAware and AVG - AdAware found a few tracking things, AVG found 8 more.  All have been removed.  I set AVG to do a rootkit scan but I don't remember how to trigger the scan on boot.  Both AdAware and AVG are showing the system clean at this point.

The last time I had malware that nobody else had heard of, folks here knew what it was and how to get rid of it.  I'm hoping somebody here will have some helpful ideas this time too.

Thanks.


EDIT:  I remember the other app I installed - DROPBOX!

Sojourner
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #1 on: June 15, 2012, 12:55:11 PM »
Further information: I have contacted GFI Software, and the person with whom I spoke states that this is not a GFI product, that none of their evaluation software is being leeched to their knowledge, and that none of their software performs any registry checking whatsoever.

So it's looking like it's malware masquerading as a GFI product.

Corrine (Administrator)
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #2 on: June 15, 2012, 01:39:09 PM »
Hi, Sojourner.

Thank you for the excellent description of the problem.  In order to determine if we are able to assist, please provide the requested logs as indicated in the Log Posting Instructions topic.

Thank you.



Sojourner
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #3 on: June 15, 2012, 05:19:36 PM »
OK, first here is DDS.TXT:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.4.0
Run by Sojourner at 13:46:33 on 2012-06-15
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6134.4505 [GMT -4:00]
.
AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Sojourner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Utilities\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\PROGRA~2\UTILIT~1\AD-AWA~1\AdAware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Utilities\Ad-Aware Antivirus\SBAMSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.dell.com
uStart Page = hxxp://www.dell.com
mWinlogon: Userinit=C:\Windows\SysWOW64\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Blog This in Windows Live: {2adefb8e-b923-35e6-86e2-2b7841f5d6a4} - mscoree.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [MUpdates] C:\Users\Sojourner\AppData\Roaming\MCommon\MUpdates_new.exe
uRun: [Spotify Web Helper] "C:\Users\Sojourner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\Media\Quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
mRun: [Ad-Aware Antivirus] "C:\Program Files (x86)\Utilities\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: C:\Users\SOJOUR~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Sojourner\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{B1AC72A0-692E-4DBD-B6BD-83266810345A} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Blog This in Windows Live: {2adefb8e-b923-35e6-86e2-2b7841f5d6a4} - mscoree.dll
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64:     AVG Do Not Track - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64:     WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\Media\Quicktime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
mRun-x64: [Ad-Aware Antivirus] "C:\Program Files (x86)\Utilities\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sojourner\AppData\Roaming\Mozilla\Firefox\Profiles\6ae0q1en.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.kingarthurflour.com/customerservice/promotions.html|http://www.jigidi.com/login.php|http://www.jigzone.com/|http://www.allexperts.com/expertx.cgi
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff10.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff4.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff5.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff6.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff7.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff8.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff9.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Media\Quicktime\Plugins\npqtplugin.dll
FF - plugin: C:\Program Files (x86)\Media\Quicktime\Plugins\npqtplugin2.dll
FF - plugin: C:\Program Files (x86)\Media\Quicktime\Plugins\npqtplugin3.dll
FF - plugin: C:\Program Files (x86)\Media\Quicktime\Plugins\npqtplugin4.dll
FF - plugin: C:\Program Files (x86)\Media\Quicktime\Plugins\npqtplugin5.dll
FF - plugin: C:\Program Files (x86)\Media\Quicktime\Plugins\npqtplugin6.dll
FF - plugin: C:\Program Files (x86)\Media\Quicktime\Plugins\npqtplugin7.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Utilities\VLC\npvlc.dll
FF - plugin: C:\Program Files\Utilities\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 SbFw;SbFw;C:\Windows\system32\drivers\SbFw.sys --> C:\Windows\system32\drivers\SbFw.sys [?]
R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-10-26 101112]
R2 Ad-Aware Service;Ad-Aware Service;C:\Program Files (x86)\Utilities\Ad-Aware Antivirus\AdAwareService.exe [2012-5-3 1226096]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-4-30 5106744]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 SBAMSvc;Ad-Aware;C:\Program Files (x86)\Utilities\Ad-Aware Antivirus\SBAMSvc.exe [2011-12-19 3289032]
R2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdLH6.sys --> C:\Windows\system32\drivers\AtihdLH6.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;C:\Windows\system32\DRIVERS\SBFWIM.sys --> C:\Windows\system32\DRIVERS\SBFWIM.sys [?]
R3 sbhips;sbhips;C:\Windows\system32\drivers\sbhips.sys --> C:\Windows\system32\drivers\sbhips.sys [?]
R3 sbwtis;sbwtis;C:\Windows\system32\DRIVERS\sbwtis.sys --> C:\Windows\system32\DRIVERS\sbwtis.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Games\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2011-6-17 25832]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-4-10 25072]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64k.sys --> C:\Windows\system32\DRIVERS\point64k.sys [?]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;C:\Windows\system32\DRIVERS\sbfwim.sys --> C:\Windows\system32\DRIVERS\sbfwim.sys [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;C:\Windows\system32\DRIVERS\VBoxNetAdp.sys --> C:\Windows\system32\DRIVERS\VBoxNetAdp.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-5-11 88576]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2011-5-13 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.reg=Regedit.Document
.
=============== Created Last 30 ================
.
2012-06-14 16:31:33   --------   d-----w-   C:\Users\Sojourner\AppData\Local\Thunderbird
2012-06-14 05:23:15   --------   d-----w-   C:\Users\Sojourner\AppData\Roaming\Nico Mak Computing
2012-06-14 05:23:12   18760   ----a-w-   C:\Windows\System32\roboot64.exe
2012-06-14 05:23:08   --------   d-----w-   C:\Program Files (x86)\WinZip Registry Optimizer
2012-06-14 05:20:38   209920   ----a-w-   C:\Windows\System32\drivers\rdpwd.sys
2012-06-14 05:20:36   2767360   ----a-w-   C:\Windows\System32\win32k.sys
2012-06-11 10:04:42   --------   d-----w-   C:\Program Files (x86)\Dropbox
2012-06-09 16:21:53   --------   d-----w-   C:\Program Files (x86)\MSXML 4.0
2012-06-08 07:40:49   --------   d-----w-   C:\Program Files (x86)\Common Files\xing shared
2012-06-08 07:39:58   129144   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-08 06:27:24   --------   d-----w-   C:\Users\Sojourner\AppData\Local\adawarebp
2012-06-07 14:53:46   --------   d-----w-   C:\Users\Sojourner\AppData\Local\adaware
2012-06-07 14:53:31   60536   ----a-w-   C:\Windows\System32\drivers\sbhips.sys
2012-06-07 14:53:09   256632   ----a-w-   C:\Windows\System32\drivers\SbFw.sys
2012-06-07 14:53:09   119416   ----a-w-   C:\Windows\System32\drivers\SbFwIm.sys
2012-06-07 14:53:08   45936   ----a-w-   C:\Windows\System32\sbbd.exe
2012-06-07 14:51:04   --------   d-----w-   C:\Users\Sojourner\AppData\Roaming\Ad-Aware Antivirus
2012-06-06 08:56:56   955848   ----a-w-   C:\Windows\System32\npDeployJava1.dll
2012-06-03 07:07:03   772552   ----a-w-   C:\Windows\SysWow64\npDeployJava1.dll
2012-05-31 09:39:10   419488   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2012-06-08 07:39:41   499712   ----a-w-   C:\Windows\SysWow64\msvcp71.dll
2012-06-08 07:39:41   348160   ----a-w-   C:\Windows\SysWow64\msvcr71.dll
2012-06-06 08:56:32   839112   ----a-w-   C:\Windows\System32\deployJava1.dll
2012-06-03 07:06:25   687560   ----a-w-   C:\Windows\SysWow64\deployJava1.dll
2012-05-31 09:39:10   70304   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-18 02:06:48   2311680   ----a-w-   C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14   1392128   ----a-w-   C:\Windows\System32\wininet.dll
2012-05-18 01:58:39   1494528   ----a-w-   C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22   173056   ----a-w-   C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30   2382848   ----a-w-   C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37   1800192   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47   1129472   ----a-w-   C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39   1427968   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45   142848   ----a-w-   C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45   2382848   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2012-04-19 08:50:26   28480   ----a-w-   C:\Windows\System32\drivers\avgidsha.sys
2012-04-19 00:56:30   94208   ----a-w-   C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56:30   69632   ----a-w-   C:\Windows\SysWow64\QuickTime.qts
2012-04-03 08:22:15   4699520   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2012-03-30 12:45:03   1423744   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2012-03-20 23:34:30   72576   ----a-w-   C:\Windows\System32\drivers\partmgr.sys
2012-03-19 09:17:26   383808   ----a-w-   C:\Windows\System32\drivers\avgtdia.sys
.
============= FINISH: 13:46:56.88 ===============

Sojourner
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #4 on: June 15, 2012, 05:20:10 PM »
Now here is ATTACH.TXT:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 5/12/2011 11:18:19 AM
System Uptime: 6/15/2012 1:14:53 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0R849J
Processor: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz | CPU 1 | 2668/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 916 GiB total, 242.664 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 7.609 GiB free.
E: is CDROM (UDF)
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP365: 5/24/2012 12:00:02 AM - Scheduled Checkpoint
RP366: 5/30/2012 12:40:13 AM - Scheduled Checkpoint
RP367: 5/31/2012 1:33:31 AM - Scheduled Checkpoint
RP368: 6/1/2012 10:59:23 AM - Scheduled Checkpoint
RP369: 6/2/2012 4:37:28 AM - Scheduled Checkpoint
RP370: 6/3/2012 - Scheduled Checkpoint
RP371: 6/3/2012 2:56:42 AM - Removed Java(TM) 6 Update 22
RP372: 6/3/2012 2:57:11 AM - Removed Java(TM) 6 Update 29
RP373: 6/3/2012 2:57:57 AM - Removed Java(TM) 6 Update 31 (64-bit)
RP374: 6/3/2012 3:06:12 AM - Installed Java(TM) 7 Update 4
RP375: 6/4/2012 12:36:46 PM - Scheduled Checkpoint
RP376: 6/5/2012 2:36:43 PM - Scheduled Checkpoint
RP377: 6/6/2012 4:56:02 AM - Installed Java(TM) 7 Update 4 (64-bit)
RP378: 6/7/2012 2:50:54 AM - Windows Update
RP379: 6/7/2012 10:48:23 AM - Removed Ad-Aware
RP380: 6/7/2012 10:53:11 AM - Device Driver Package Install: GFI Software Network Service
RP381: 6/8/2012 6:19:23 AM - Scheduled Checkpoint
RP382: 6/9/2012 12:00:01 AM - Scheduled Checkpoint
RP383: 6/9/2012 12:21:20 PM - Windows Update
RP384: 6/9/2012 3:33:17 PM - Windows Update
RP385: 6/14/2012 2:04:40 AM - Scheduled Checkpoint
RP386: 6/14/2012 8:35:17 AM - Windows Update
RP387: 6/14/2012 9:59:15 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
µTorrent
AbiWord 2.8.6
ActiveState ActivePython 2.7.2.5 (32-bit)
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.3)
Apple Application Support
Apple Software Update
Aquaria
ATI Catalyst Control Center
Avadon: The Black Fortress
Avidemux 2.5
Baldur's Gate(TM) II - Shadows of Amn(TM) Bonus CD
Baldur's Gate(TM) II - Throne of Bhaal (TM)
Banctec Service Agreement
Bastion
Bejeweled Deluxe
BitPim 1.0.7
calibre
Canon MP Navigator EX 2.1
Canon Utilities Solution Menu
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Turkish
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
D3DX10
Desktop Icon Position Saver (64-bit)
Dragon Age II
Dragon Age: Origins
Dragon Age: Origins - Awakening
Dragonsphere
Dropbox
Dungeon Defenders
Equalify v2.1.2 (admin setup)
Europa Universalis III
gImageReader
GIMP 2.6.11
Google Book Downloader
Google Chrome
Guild Wars
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Indeo® Software
Indiana Jones and the Fate of Atlantis
Indiana Jones and the Last Crusade
Java Auto Updater
Java(TM) 7 Update 4
King's Bounty: Armored Princess
King's Bounty: Crossworlds
King's Bounty: The Legend
Loom
Lugaru HD
Lure of the Temptress
Magicka
Malwarebytes' Anti-Malware
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft XNA Framework Redistributable 3.1
Mobipocket Creator 4.2
MOG
Monkey Island 2: Special Edition
Mount & Blade
Mount & Blade: Warband
Mount & Blade: With Fire and Sword
Mozilla Firefox 11.0 (x86 en-US)
Mozilla Thunderbird 13.0 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA PhysX
Oblivion mod manager 1.1.12
OpenOffice.org 3.3
PDF ePub DRM Removal
Pidgin
Planescape Torment
Psychonauts
Python 2.7 pycrypto-2.3
Quest for Glory II: Trial by Fire (2.0)
Quest for Glory Pack
QuickTime
Real Myst
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Recettear: An Item Shop's Tale
Riven
Runes of Magic
Sacred Gold
Sam & Max 101: Culture Shock
Sam & Max 102: Situation: Comedy
Sam & Max 103: The Mole, the Mob and the Meatball
Sam & Max 104: Abe Lincoln Must Die!
Sam & Max 105: Reality 2.0
Sam & Max 106: Bright Side of the Moon
Sam & Max 201: Ice Station Santa
Sam & Max 202: Moai Better Blues
Sam & Max 203: Night of the Raving Dead
Sam & Max 204: Chariots of the Dogs
Sam & Max 205: What's New Beelzebub?
Sam & Max 301: The Penal Zone
Sam & Max 302: The Tomb of Sammun-Mak
Sam & Max 303: They Stole Max's Brain!
Sam & Max 304: Beyond the Alley of the Dolls
Sam & Max 305: The City that Dares not Sleep
Samorost 2
Samsung PC Studio 3 USB Driver Installer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Segoe UI
Sid Meier's Civilization III: Complete
Sid Meier's Civilization IV
Sid Meier's Civilization V
Sid Meier's Civilization V SDK
SimpleOCR 3.1
Skins
SpeedFan (remove only)
Spotify
Steam
StreamTransport version: 1.0.2.2171
Tales of Monkey Island: Chapter 1 - Launch of the Screaming Narwhal
Tales of Monkey Island: Chapter 2 - The Siege of Spinner Cay
Tales of Monkey Island: Chapter 3 - Lair of the Leviathan
Tales of Monkey Island: Chapter 4 - The Trial and Execution of Guybrush Threepwood
Tales of Monkey Island: Chapter 5 - Rise of the Pirate God
Tesseract-OCR 3.01 - open source OCR engine
The Dig
The Elder Scrolls IV: Oblivion
The Elder Scrolls V: Skyrim
The Longest Journey
The Secret of Monkey Island: Special Edition
The Whispered World
The Witcher 2
The Witcher 2: Bonus Content
The Witcher: Enhanced Edition
Titan Quest
Titan Quest: Immortal Throne
Torchlight
TRAUMA
Treasure Adventure Game
Trine
Ultima 4 - Quest of the Avatar
Unofficial Oblivion Patch v3.2.0
Unofficial Official Mods Patch v15
Unofficial Shivering Isles Patch v1.4.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Visual Studio 2008 x64 Redistributables
VLC media player 2.0.1
Winamp
Winamp Detector Plug-in
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
X3: Reunion
.
==== Event Viewer Messages From Past Week ========
.
6/15/2012 7:26:57 AM, Error: Service Control Manager [7034]  - The Ad-Aware service terminated unexpectedly.  It has done this 1 time(s).
6/15/2012 1:11:36 AM, Error: EventLog [6008]  - The previous system shutdown at 1:09:38 AM on 6/15/2012 was unexpected.
6/14/2012 10:06:34 AM, Error: Service Control Manager [7043]  - The AVGIDSAgent service did not shut down properly after receiving a preshutdown control.
6/14/2012 1:09:13 AM, Error: EventLog [6008]  - The previous system shutdown at 1:07:16 AM on 6/14/2012 was unexpected.
6/11/2012 4:06:41 PM, Error: EventLog [6008]  - The previous system shutdown at 4:04:56 PM on 6/11/2012 was unexpected.
.
==== End Of File ===========================

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #5 on: June 15, 2012, 05:20:48 PM »
And finally here is CHECKUP.TXT

 Results of screen317's Security Check version 0.99.41 
 Windows Vista Service Pack 2 x64 (UAC is disabled!) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Lavasoft Ad-Aware                 
AVG Anti-Virus Free Edition 2012   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Ad-Aware
 Java(TM) 7 Update 4 
 Adobe Flash Player 10 Flash Player out of date!
 Adobe Reader X (10.1.3)
 Mozilla Firefox 11.0 Firefox out of Date! 
 Mozilla Thunderbird (13.0.)
 Google Chrome 12.0.742.100 
 Google Chrome 12.0.742.91 
````````Process Check: objlist.exe by Laurent````````
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 AVG avgwdsvc.exe
 AVG avgtray.exe
 Utilities Ad-Aware Antivirus AdAwareService.exe 
 Utilities Ad-Aware Antivirus SBAMSvc.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

Online Corrine

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #6 on: June 15, 2012, 06:02:14 PM »
Hi, Sojourner.

There is a CounterSpy driver installed on your computer.  I am wondering if it came with the Java update as I understand that the Java installer now provides a check-box for "Optional 3rd-Party Installations" --- without specifying (on that screen) what they are.  Previously, the installer would specify what was being offered, e.g., Google Toolbar.  As atieclxx.exe has been associated with malicious software, it is also possible that a rogue is using a legitimate driver.

That aside, you need to uninstall Ad-Aware since it is also anti-virus software now.

I would be negligent if I didn't warn you about uTorrent.   P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #7 on: June 15, 2012, 07:52:38 PM »
uTorrent is rarely used and then only to download compressed text files - which are nonetheless aggressively scanned before being unpacked.  Except for being fired up to see if it could still get out even when the browsers are blocked, it hadn't been run at all in months.  It shares NO files and never has.

I don't use it to pirate software (there's plenty of open source stuff) or to pirate movies or songs (that's what Netflix and MOG are for, not to pirate, but to let me access music and videos).  I strongly doubt I picked this virus up from the GK Chesterton collection I downloaded from a torrent 9 months ago (at which time it was triple-scanned before it was ever even unpacked, then scanned again after unpacking).

At any rate - given AdAware has changed and since it also apparently silently installed leechware, it's been uninstalled.  I guess I'll have to hunt up some other anti malware program that won't interfere with AVG.

Be back shortly with the latest results, thanks.

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #8 on: June 15, 2012, 09:39:24 PM »
K I had to run ComboFix twice - the first time it generated an empty log file.  I also got a notification that time that "Windows Defender" had crashed.

BTW I totally uninstalled AVG as well - apparently AVG 2012 has no "exit program" option, only "temporarily disable scanning" - I feel it is far far safer to do this sort of thing with no virus processes loaded in memory at all, so to accomplish that apparently you have to actually uninstall the whole thing.  Or at least that was the quickest way to accomplish what I intended.  Anyway, both AdAware and AVG are gone at this point.

Here's the results of run #2:

ComboFix 12-06-15.06 - Sojourner 06/15/2012  18:18:10.2.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6134.4332 [GMT -4:00]
Running from: c:\users\Sojourner\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2012-05-15 to 2012-06-15  )))))))))))))))))))))))))))))))
.
.
2012-06-15 22:23 . 2012-06-15 22:23   --------   d-----w-   c:\users\Sojourner\AppData\Local\temp
2012-06-15 22:23 . 2012-06-15 22:23   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-06-15 21:02 . 2012-06-15 21:02   --------   d-----w-   c:\users\Sojourner\.config
2012-06-15 20:47 . 2012-06-15 20:47   --------   d-----w-   c:\programdata\GFI Software
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Thunderbird
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Local\Thunderbird
2012-06-14 05:23 . 2012-06-14 13:26   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Nico Mak Computing
2012-06-14 05:23 . 2011-11-10 14:33   18760   ----a-w-   c:\windows\system32\roboot64.exe
2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer
2012-06-14 05:20 . 2012-05-01 14:29   209920   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-06-14 05:20 . 2012-05-15 20:15   2767360   ----a-w-   c:\windows\system32\win32k.sys
2012-06-11 10:04 . 2012-06-11 10:04   --------   d-----w-   c:\program files (x86)\Dropbox
2012-06-09 16:21 . 2012-06-09 16:21   --------   d-----w-   c:\program files (x86)\MSXML 4.0
2012-06-08 07:40 . 2012-06-08 07:40   --------   d-----w-   c:\program files (x86)\Common Files\xing shared
2012-06-08 07:39 . 2012-06-08 07:39   129144   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-08 06:27 . 2012-06-08 06:30   --------   d-----w-   c:\users\Sojourner\AppData\Local\adawarebp
2012-06-06 08:56 . 2012-06-06 08:56   955848   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-06-06 08:56 . 2012-06-06 08:56   --------   d-----w-   c:\program files\Java
2012-06-03 07:07 . 2012-06-03 07:07   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-06-03 07:07 . 2012-06-03 07:06   772552   ----a-w-   c:\windows\SysWow64\npDeployJava1.dll
2012-05-31 09:39 . 2012-05-31 09:39   419488   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-08 07:39 . 2012-03-27 16:35   499712   ----a-w-   c:\windows\SysWow64\msvcp71.dll
2012-06-08 07:39 . 2012-03-27 16:35   348160   ----a-w-   c:\windows\SysWow64\msvcr71.dll
2012-06-06 08:56 . 2011-05-12 20:37   839112   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-03 07:06 . 2011-05-12 20:37   687560   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-05-31 09:39 . 2011-05-13 18:41   70304   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-19 00:56 . 2012-04-19 00:56   94208   ----a-w-   c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56   69632   ----a-w-   c:\windows\SysWow64\QuickTime.qts
2012-04-03 08:22 . 2012-05-10 01:35   4699520   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-03-30 12:45 . 2012-05-10 01:36   1423744   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:34 . 2012-05-10 01:35   72576   ----a-w-   c:\windows\system32\drivers\partmgr.sys
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-06-15_21.35.55   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-06-15 21:37   53418              c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-06-15 21:37   93264              c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-13 15:24 . 2012-06-15 21:37   14226              c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1474229224-1477735228-1670432976-1000_UserData.bin
- 2012-06-15 21:35 . 2012-06-15 21:35   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-15 22:24 . 2012-06-15 22:24   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-15 22:24 . 2012-06-15 22:24   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-15 21:35 . 2012-06-15 21:35   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-16 20:56 . 2012-06-15 22:23   270356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-05-16 20:56 . 2012-06-15 21:34   270356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-06-13 05:49 . 2012-06-15 22:23   37211955              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1474229224-1477735228-1670432976-1000-12288.dat
- 2011-06-13 05:49 . 2012-06-15 21:08   37211955              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1474229224-1477735228-1670432976-1000-12288.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d6a4}]
2009-11-08 14:55   297808   ----a-w-   c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Spotify Web Helper"="c:\users\Sojourner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-14 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-03-22 74752]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\Media\Quicktime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-06-08 296056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\users\Sojourner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Sojourner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-6-6 27502520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [BU]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 2244680]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 2206280]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Sojourner\AppData\Roaming\Mozilla\Firefox\Profiles\6ae0q1en.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.kingarthurflour.com/customerservice/promotions.html|http://www.jigidi.com/login.php|http://www.jigzone.com/|http://www.allexperts.com/expertx.cgi
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*·¬£^\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Allowed: (Read) (RestrictedCode)
"0"=hex:43,3a,5c,55,73,65,72,73,5c,53,6f,6a,6f,75,72,6e,65,72,5c,44,65,73,6b,
   74,6f,70,5c,4d,79,20,46,69,6c,65,73,5c,4d,75,73,69,63,5c,53,69,6e,67,69,6e,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-15  18:29:35 - machine was rebooted
ComboFix-quarantined-files.txt  2012-06-15 22:29
ComboFix2.txt  2012-06-15 21:41
.
Pre-Run: 268,020,228,096 bytes free
Post-Run: 268,607,688,704 bytes free
.
- - End Of File - - A5751155F197758F2C7CEEB8BA6DE675
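
The "Reg Loading Points" section of the log above is what a helper reads by eye: autostart values under the Run/RunOnce keys, whether their target files still exist (ComboFix prints `[X]` instead of a date/size when it cannot find the target), and the `"EnableLUA"= 0` line that confirms UAC is off. As an added example for this thread, not ComboFix's own code and not posted by anyone here, the Python script below automates that triage over a constructed sample trimmed from the posted log. It assumes only the line layout visible above (a bracketed key, then `"name"="command" [tag]` lines and dword-style policy lines); the severity labels and the "runs from a user profile" check are editorial choices, not ComboFix conventions.

```python
"""Triage for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's own code. Assumes the layout
seen in the posted log: a bracketed registry key, then "name"="command" [tag]
lines (tag normally "date size") and policy lines like "EnableLUA"= 0 (0x0).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, trimmed from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"Spotify Web Helper"="c:\users\Sojourner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-14 932528]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [BU]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[(?P<tag>[^\]]*)\]\s*$')
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$')
DATE_SIZE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d+$")


@dataclass
class Entry:
    key: str      # registry key the value sits under
    name: str     # value name
    command: str  # program or command line the value points at
    tag: str      # bracketed tag ComboFix prints after the command


@dataclass
class Finding:
    severity: str  # high / medium / low / info (editorial scale)
    subject: str   # value or policy name
    detail: str


def _keyed_lines(log: str):
    """Yield (current_key, line) pairs, tracking the bracketed key in force."""
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key and line:
            yield key, line


def parse_entries(log: str) -> List[Entry]:
    """Collect every "name"="command" [tag] value in the section."""
    entries = []
    for key, line in _keyed_lines(log):
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), m.group("cmd"), m.group("tag")))
    return entries


def parse_policies(log: str) -> Dict[str, int]:
    """Collect dword values under the policies\\system key (where EnableLUA lives)."""
    values = {}
    for key, line in _keyed_lines(log):
        m = POLICY_RE.match(line)
        if m and key.lower().endswith("policies\\system"):
            values[m.group("name")] = int(m.group("val"))
    return values


def triage(log: str) -> List[Finding]:
    """Flag missing targets, non-date tags, profile-dir autostarts and UAC off."""
    findings = []
    for e in parse_entries(log):
        if e.tag == "X":  # ComboFix prints [X] when the target file is absent
            findings.append(Finding("medium", e.name, "autostart target not found: " + e.command))
        elif not DATE_SIZE_RE.match(e.tag):
            findings.append(Finding("low", e.name, f"tag [{e.tag}] is not date/size; verify target by hand"))
        if "\\appdata\\" in e.command.lower():
            findings.append(Finding("info", e.name, "autostart runs from a user profile: " + e.command))
    if parse_policies(log).get("EnableLUA") == 0:
        findings.append(Finding("high", "EnableLUA", "UAC is disabled; admin logons run with a full token"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.subject}: {f.detail}")
```

Run it against the sample and the four findings it prints correspond to the entries a helper would query in the posted log: the Spotify helper starting from the roaming profile, the leftover Ad-Aware RunOnce entry whose target is gone, the Skytel value with a non-date tag, and UAC being disabled.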

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #9 on: June 15, 2012, 10:34:40 PM »
You said: "There is a CounterSpy driver installed on your computer. "

Well that explains where the GFI errors were coming from!  That's a defunct GFI product that was discontinued in May of 2011.

I still have no idea where it came from.

Online Corrine

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #10 on: June 15, 2012, 11:10:45 PM »
Hi, Sojourner.

Regarding WinZip Registry Optimizer, Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or Windows at a later time.

If you run a registry cleaner and do not know precisely what you are doing, you will have problems down the road. There are no gains to be had from using a registry cleaner and the risk is great.

From Microsoft at Increase PC speed: Optimize your computer, help your PC run faster:

Quote
Note: This article does not address or recommend tinkering with the registry files. Such activities can be detrimental to your computer and should only be attempted by properly trained professionals.

Also see Are registry cleaners necessary?

Should you at any time tinker with the registry, first create a backup.  See Back up the registry



Is "Singing Bowls" part of the GK Chesterton collection?  I note what appears to be registry issues there, which we'll take a look at with the next ComboFix run.  We'll also take care of the left-over GFI software.

There was a previous log with deletions.  Please post a copy of C:\ComboFix-quarantined-files.txt  2012-06-15 22:29 so I can see what ComboFix removed.



Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #11 on: June 16, 2012, 12:10:11 AM »
Singing bowls is either a directory of MP3s or a play list.  I have no idea why it would appear in the registry at all.

I'm not sure why you're telling me about registry cleaners - I've never voluntarily run a registry cleaner in my life.  I cancelled whatever the thing was that shouldn't have been on my system as soon as I saw it going.  (Started by an accidental double click when I noticed the extra icon on my desktop that didn't belong - what can I say, I have dexterity issues).


Here's the file requested

2012-06-15 21:41:04 . 2012-06-15 21:41:04               80 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Skytel.reg.dat
2012-06-15 21:41:04 . 2012-06-15 21:41:04               80 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Windows Defender.reg.dat
2012-06-15 21:40:55 . 2012-06-15 21:40:55              159 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-MUpdates.reg.dat
2012-06-15 21:29:36 . 2012-06-15 22:21:56            4,171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-06-15 21:16:42 . 2012-06-15 22:14:11              102 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2008-04-11 12:03:48 . 2008-04-11 12:03:48          562,688 ----a-w-  C:\Qoobox\Quarantine\C\Install.exe.vir


And here's a file called ComboFix2.txt that was apparently from the first iteration that crashed

ComboFix 12-06-15.06 - Sojourner 06/15/2012  17:21:36.1.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6134.4867 [GMT -4:00]
Running from: c:\users\Sojourner\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-05-15 to 2012-06-15  )))))))))))))))))))))))))))))))
.
.
2012-06-15 21:33 . 2012-06-15 21:33   --------   d-----w-   c:\users\Sojourner\AppData\Local\temp
2012-06-15 21:33 . 2012-06-15 21:33   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-06-15 21:02 . 2012-06-15 21:02   --------   d-----w-   c:\users\Sojourner\.config
2012-06-15 20:47 . 2012-06-15 20:47   --------   d-----w-   c:\programdata\GFI Software
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Thunderbird
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Local\Thunderbird
2012-06-14 05:23 . 2012-06-14 13:26   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Nico Mak Computing
2012-06-14 05:23 . 2011-11-10 14:33   18760   ----a-w-   c:\windows\system32\roboot64.exe
2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer
2012-06-14 05:20 . 2012-05-01 14:29   209920   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-06-14 05:20 . 2012-05-15 20:15   2767360   ----a-w-   c:\windows\system32\win32k.sys
2012-06-11 10:04 . 2012-06-11 10:04   --------   d-----w-   c:\program files (x86)\Dropbox
2012-06-09 16:21 . 2012-06-09 16:21   --------   d-----w-   c:\program files (x86)\MSXML 4.0
2012-06-08 07:40 . 2012-06-08 07:40   --------   d-----w-   c:\program files (x86)\Common Files\xing shared
2012-06-08 07:39 . 2012-06-08 07:39   129144   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-08 06:27 . 2012-06-08 06:30   --------   d-----w-   c:\users\Sojourner\AppData\Local\adawarebp
2012-06-06 08:56 . 2012-06-06 08:56   955848   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-06-06 08:56 . 2012-06-06 08:56   --------   d-----w-   c:\program files\Java
2012-06-03 07:07 . 2012-06-03 07:07   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-06-03 07:07 . 2012-06-03 07:06   772552   ----a-w-   c:\windows\SysWow64\npDeployJava1.dll
2012-05-31 09:39 . 2012-05-31 09:39   419488   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-08 07:39 . 2012-03-27 16:35   499712   ----a-w-   c:\windows\SysWow64\msvcp71.dll
2012-06-08 07:39 . 2012-03-27 16:35   348160   ----a-w-   c:\windows\SysWow64\msvcr71.dll
2012-06-06 08:56 . 2011-05-12 20:37   839112   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-03 07:06 . 2011-05-12 20:37   687560   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-05-31 09:39 . 2011-05-13 18:41   70304   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-19 00:56 . 2012-04-19 00:56   94208   ----a-w-   c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56   69632   ----a-w-   c:\windows\SysWow64\QuickTime.qts
2012-04-03 08:22 . 2012-05-10 01:35   4699520   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-03-30 12:45 . 2012-05-10 01:36   1423744   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:34 . 2012-05-10 01:35   72576   ----a-w-   c:\windows\system32\drivers\partmgr.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d6a4}]
2009-11-08 14:55   297808   ----a-w-   c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Spotify Web Helper"="c:\users\Sojourner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-14 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-03-22 74752]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\Media\Quicktime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-06-08 296056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\users\Sojourner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Sojourner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-6-6 27502520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 2244680]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 2206280]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Sojourner\AppData\Roaming\Mozilla\Firefox\Profiles\6ae0q1en.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.kingarthurflour.com/customerservice/promotions.html|http://www.jigidi.com/login.php|http://www.jigzone.com/|http://www.allexperts.com/expertx.cgi
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-MUpdates - c:\users\Sojourner\AppData\Roaming\MCommon\MUpdates_new.exe
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
HKLM-Run-Skytel - c:\program files\Realtek\Audio\HDA\Skytel.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*·¬£^\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Allowed: (Read) (RestrictedCode)
"0"=hex:43,3a,5c,55,73,65,72,73,5c,53,6f,6a,6f,75,72,6e,65,72,5c,44,65,73,6b,
   74,6f,70,5c,4d,79,20,46,69,6c,65,73,5c,4d,75,73,69,63,5c,53,69,6e,67,69,6e,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-15  17:41:47 - machine was rebooted
ComboFix-quarantined-files.txt  2012-06-15 21:41
.
Pre-Run: 260,908,331,008 bytes free
Post-Run: 269,034,684,416 bytes free
.
- - End Of File - - C9E22B70B6833ABE7B93E91017F3CA3D


Offline Sojourner

  • Jr. Member
  • Posts: 23
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #12 on: June 16, 2012, 12:16:15 AM »
BTW, the "GK Chesterton collection" is a bunch of mobi files originally sourced from Project Gutenberg - etext of 100 year old books, basically.

Offline Sojourner

  • Jr. Member
  • Posts: 23
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #13 on: June 16, 2012, 01:08:35 AM »
BTW it occurs to me to wonder - about that "Singing Bowls" file or directory or whatever - the MOG desktop application may be responsible for that.  It's flash, and it may be leveraging one of the browsers to run.  I'm trying to find out - have e-mailed MOG trying to find out just exactly what that thing is, since the only thing I can find is a 286 byte file called MOG with no extension.  At any rate, I have a playlist on MOG called "Singing Bowls" which I frequently access - perhaps whatever you are seeing is an artifact of MOG...

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 14701
  • "Stronger than the past, united in our goal."
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #14 on: June 16, 2012, 10:52:39 PM »
Hi, Sojourner. 

Since you don't use registry cleaners, it appears that "WinZip Registry Optimizer" was another uninvited install with something you did on June 14:  2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer.  We'll take care of that and the GFI left-overs.

As long as "Singing Bowls" is working correctly, I'm going to leave that entry alone.  As you indicated it is related to MOG, the unicode in the log may be due to that.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
File::
C:\Windows\system32\DRIVERS\SBFWIM.sys
C:\Windows\system32\drivers\sbhips.sys
C:\Windows\system32\DRIVERS\sbwtis.sys

Driver::
SBFWIM.sys
sbhips.sys
sbwtis.sys

Folder::
c:\program files (x86)\WinZip Registry Optimizer
c:\programdata\GFI Software
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



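A post-run check, added here as an example and not part of Corrine's instructions or of ComboFix: once the CFScript run above has finished and the machine has rebooted, this script confirms from an elevated PowerShell prompt that the three driver files, their service registrations, and the two folders named in the script are actually gone, and lists anything left behind. The file and folder paths are copied from the CFScript; the assumption that the driver service names match the file base names (with or without the .sys suffix) is mine, which is why the script also scans every service's ImagePath for those file names.

```powershell
# Post-run verification of the CFScript targets (example script, not part of
# the original post or of ComboFix). Run from an elevated PowerShell prompt
# after ComboFix has finished and the system has rebooted.
# Paths are copied from the CFScript above; the service-name assumption
# (service name == driver file base name) is mine.

$targetFiles = @(
    "$env:SystemRoot\system32\DRIVERS\SBFWIM.sys",
    "$env:SystemRoot\system32\drivers\sbhips.sys",
    "$env:SystemRoot\system32\DRIVERS\sbwtis.sys"
)
$targetFolders = @(
    "${env:ProgramFiles(x86)}\WinZip Registry Optimizer",
    "$env:ProgramData\GFI Software"
)
$leafNames   = $targetFiles | ForEach-Object { Split-Path -Path $_ -Leaf }
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$findings = @()

# 1. Files named in the File:: section should no longer exist on disk.
foreach ($f in $targetFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "file still present: $f" }
}

# 2. Driver:: entries should have no service key left. ComboFix was given the
#    names with a .sys suffix, so check both spellings (assumption noted above).
foreach ($leaf in $leafNames) {
    foreach ($name in @($leaf, ($leaf -replace '\.sys$', ''))) {
        if (Test-Path -LiteralPath "$servicesKey\$name") {
            $findings += "driver service still registered: $name"
        }
    }
}

# 3. A service under any other name whose ImagePath points at one of the
#    driver files would still load it at boot, so scan the whole Services key.
foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { continue }
    foreach ($leaf in $leafNames) {
        if ($img -like "*$leaf*") {
            $findings += "service $($svc.PSChildName) still references $leaf ($img)"
        }
    }
}

# 4. Folder:: entries should be gone as well.
foreach ($d in $targetFolders) {
    if (Test-Path -LiteralPath $d) { $findings += "folder still present: $d" }
}

if ($findings.Count -eq 0) {
    Write-Output 'All CFScript targets are gone.'
} else {
    Write-Output 'Left-overs found (post these along with the ComboFix log):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The script only reads; it removes nothing, so it is safe to run before and after the ComboFix pass to compare. A leftover reported in step 3 under an unexpected service name is the case worth posting, since a Driver:: directive only removes the service whose name it was given.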