zzz Folders ?



darkduskie
2011-11-27, 12:49
Hello, several of these zzz folders (as shown in the PDF attached) have appeared in one of my external drives ~not sure where they came from or if they have contributed to my pc booting issues. My PC has been hanging & rebooting at random; at times, no way to even start up my pc as it will just hang while starting up.

Many thanks in advance for advice!

DDS log as requested:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ethylis Liew at 18:38:53 on 2011-11-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2144 [GMT 8:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Ethylis Liew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ethylis Liew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ethylis Liew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ethylis Liew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ethylis Liew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RewardsArcade: {597a9974-8cb0-4f41-b61f-ed065738a397} - c:\program files\rewardsarcade\RewardsArcade.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [TBPanel] c:\program files\vtune\TBPanel.exe /A
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ethylis liew\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [KiesPDLR] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KiesHelper] c:\program files\samsung\kies\KiesHelper.exe /s
mRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307185602140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E1AC9563-A1E3-45B8-A5CE-5C19E34EC6AC} - hxxp://www.arirang.co.kr/AlwaysTop.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9F4BCEBA-32BB-451E-A46A-1708AFE55613} : DhcpNameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-25 64512]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-4 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-4 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-4 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-4 44768]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2011-6-4 80392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2152152]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2011-3-15 428384]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-5-25 15232]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-11-27 41272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2011-6-18 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2011-6-18 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2011-6-18 123648]
S3 ssceserd;SAMSUNG Mobile Modem Diagnostic Serial Port V2 (WDM);c:\windows\system32\drivers\ssceserd.sys [2011-6-18 100352]
.
=============== Created Last 30 ================
.
2011-11-27 09:39:35 -------- d-----w- C:\_OTL
2011-11-27 09:21:04 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-27 09:20:57 -------- d-----w- c:\documents and settings\ethylis liew\application data\Malwarebytes
2011-11-27 09:20:46 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-27 09:20:43 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-27 09:20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-21 11:42:49 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-11-21 11:42:49 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-11-21 11:42:49 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-11-21 11:42:49 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-11-21 11:42:49 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-11-21 11:42:49 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-11-21 11:42:49 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-11-21 11:40:09 -------- d-----w- c:\program files\iPod
2011-10-30 04:40:15 821824 ----a-w- c:\windows\system32\dgderapi.dll
2011-10-30 04:40:15 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2011-10-30 04:40:15 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys
.
==================== Find3M ====================
.
2011-11-27 09:45:54 16608 ----a-w- c:\windows\gdrv.sys
2011-11-21 11:02:03 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 06:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 06:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-02 21:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-02 18:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 03:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 03:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 03:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-16 03:55:10 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-09-16 03:54:48 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-09-16 03:54:48 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-09-16 03:54:48 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-09-10 10:35:52 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-10 10:31:51 252316 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-09-10 10:31:51 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-09-10 10:31:39 252316 -c--a-w- c:\windows\system32\nvdrsdb1.bin
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-30 15:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 15:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 15:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-30 15:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 18:39:33.51 ===============

mambass
2011-12-03, 16:31
Hi darkduskie, :)

Welcome to Safer-Networking's Malware Removal forum.

My nickname is mambass and I'll be helping you with any malware problems.

Before we begin...please read and follow these important guidelines so things will proceed smoothly.


If you haven't done so already, please read the topic BEFORE You POST (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.
The instructions being given are for YOUR computer and system only!
Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
Please read all instructions carefully before executing them and perform the steps in the order given.
If you have any questions or problems executing these instructions then <<STOP>> do not proceed but rather post back with the question or problem.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured that any links I give are safe.
You must have Administrator rights permissions for this computer.
DO NOT run any other fix or removal tools unless instructed to do so!
DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Only post your problem at one (1) help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread. Do not start another thread.
The absence of symptoms does not imply the absence of malware. Please continue responding until I give you the "All Clean".
You might want to place a link to this thread in your Favorites/Bookmarks for easy access.
No Reply Within 3 Days Will Result In Your Topic Being Closed! Please let me know in advance if you will not be able to reply within this time limit.
The logs I request can take a while to research so please be patient.
I am currently in training at Malware Removal University (http://www.malwareremoval.com/). Each set of instructions that I provide will be reviewed by a faculty member before being posted to this thread. This process may add a small amount of time to my replies. On the positive side you will have two people working together to resolve your malware issues.


Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection. I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system or to necessitate you taking your computer to a repair shop.
Because of this I advise you to backup any personal files and folders before you start.

How to back up or transfer your data on a Windows-based computer (http://support.microsoft.com/kb/971759)

-----------------------------------------------------------

I am currently reviewing your log and will return as soon as possible with additional instructions.

Thanks,

mambass

mambass
2011-12-04, 21:55
Hi darkduskie, :)

Avast and Ad-Aware are installed. Both are legitimate antivirus products however only one antivirus product should be installed at any time. I'm providing instructions below to remove Ad-Aware.

The zzz folders may be related to CCleaner. CCleaner is a legitimate program however I would like to remove it for now to see if that helps with your situation.

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.


Download the OTL Scanner
Please download OTL ( http://oldtimer.geekstogo.com/OTL.exe) by OldTimer and save it to your desktop.
Find the icon on your Desktop so you'll know where to look later.
Do not run the program yet.



Remove Programs Using Control Panel
From Start, Control Panel, double-click on Add or Remove Programs.
Click the entry for Ad-Aware, then click the entry's Remove button.
Click the entry for CCleaner, then click the entry's Remove button.
Take extra care in answering questions posed by any Uninstaller.



REBOOT (RESTART) Your Machine



Check Hard Disk For Errors
Press Start->Run, then type or copy/paste the following command into the box and press OK:

cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"

A blank command window will open on your desktop, then close in a few minutes. This is normal.
A file and icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.



Run a Scan with OTL

Double click on the OTL icon on your Desktop to run it.
Check the boxes labeled : Scan All Users
LOP check
Purity check
Extra Registry > Use SafeList
Make sure all other windows are closed to let it run uninterrupted.
Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. (desktop)
The Extras.txt file will only appear the very first time you run OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.



Please include in your reply:

The text of any error messages and/or a description of any problems you encountered while performing these steps.
The contents of checkhd.txt on your Desktop.
The contents of the OTL.txt and Extras.txt logs.
A description of how your computer is running and any Malware symptoms that are still present.



mambass
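
The first observation in the reply above (two antivirus products active at once) can be read directly from the header of the DDS log. The following is an added example, not part of the original thread and not DDS or forum tooling: a small Python parser run over an excerpt of that log. The function names and the reading of "No File" as a registry entry whose target is missing are assumptions.

```python
import re

# Excerpt of the DDS log posted in this thread, shortened for the example.
SAMPLE_DDS = r"""DDS (Ver_2011-08-26.01) - NTFSx86
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [GEST]
"""

# "AV: <product> *<state>* {<GUID>}" as it appears in the log header.
AV_LINE = re.compile(
    r"^AV:\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*\s+\{(?P<guid>[^}]+)\}\s*$")
# "====== Section Name ======" banner lines.
SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")


def parse_dds(text):
    """Split a DDS log into sections and collect the AV header entries."""
    parsed = {"av": [], "sections": {"header": []}}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # DDS uses a lone "." as a spacer
            continue
        banner = SECTION.match(line)
        if banner:
            current = banner.group(1)
            parsed["sections"][current] = []
            continue
        parsed["sections"][current].append(line)
        av = AV_LINE.match(line)
        if av and current == "header":
            parsed["av"].append(av.groupdict())
    return parsed


def findings(parsed):
    """Return triage notes a helper would raise from the parsed log."""
    notes = []
    enabled = [a["name"] for a in parsed["av"]
               if a["state"].lower().startswith("enabled")]
    if len(enabled) > 1:
        notes.append("multiple real-time AV products enabled: " + ", ".join(enabled))
    for entry in parsed["sections"].get("Pseudo HJT Report", []):
        if entry.endswith("- No File"):    # assumption: target file is missing
            notes.append("registry entry with no file on disk: " + entry)
    return notes


if __name__ == "__main__":
    for note in findings(parse_dds(SAMPLE_DDS)):
        print(note)
```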

mambass
2011-12-07, 21:55
Hi darkduskie,

It's been 72 hours since I posted my instructions. I just wanted to remind you that, per Forum policy here (http://forums.spybot.info/showthread.php?t=288), this thread may now be closed.

Could you please let me know if you still need help and, if so, if you require additional time to perform the requested tasks?

Thank you,

mambass

Cypher
2011-12-08, 12:48
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send your helper a private message (pm). A valid, working link to the closed topic is required.
