
Need help removing malware



Onychophoran
2012-09-10, 12:04
Greetings,
I was reading this thread http://forums.spybot.info/showthread.php?t=60825 and found I had exactly the same issue with my PC. I can see the folder C:\3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.....ZZZZZ which contains many folders within it labelled with various iterations of a period and Zs.

I am running Vista 32-bit, Quad-core 2.4 GHz, 4 GB RAM, Nvidia 8600 GTS. The system hangs randomly for about 30 to 40 secs before continuing along.

Would someone be able to run through the process that was conducted in the thread I pasted above? I have downloaded OTL which seemed to be the program that cleared things up for the owner of that thread.

Cheers,
Jason

Attach.zip has been attached.

Here is the DDS log report:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by OEMuser at 20:18:53 on 2012-09-10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3326.1158 [GMT 10:00]
.
AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\AASP\1.00.81\aaCenter.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Users\OEMuser\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Second Copy] "c:\program files\seccopy\SecCopy.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsGui.exe" /hideGUI
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\oemuser\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\oemuser\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\oemuser\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://teds.lifepics.com/NET/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6FCAE459-69BA-4A7D-A83D-EBFB2800A316} : DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-8 383368]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-1-6 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-1-6 909728]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2012-9-8 54328]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2012-9-8 574424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-4-8 254944]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2011-11-11 203120]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-28 63960]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-30 575448]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-11-11 402368]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-11-11 1118680]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2011-11-11 70768]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-4-8 70568]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2012-9-8 35264]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c988e6db5c7e84;Google Update Service (gupdate1c988e6db5c7e84);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-6 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-10 07:48:22 -------- d-----w- c:\users\oemuser\appdata\roaming\NVIDIA
2012-09-09 10:51:04 -------- d-----w- c:\users\oemuser\appdata\roaming\Auslogics
2012-09-09 10:50:47 -------- d-----w- c:\program files\Auslogics
2012-09-08 12:26:34 -------- d-----w- C:\2fae363671e7d90997a43bdd9d15e4a0
2012-09-08 12:22:39 -------- d--h--w- c:\windows\msdownld.tmp
2012-09-08 12:22:24 -------- d-----w- c:\windows\system32\directx
2012-09-08 11:56:58 24576 ----a-w- c:\windows\system32\AsIO.dll
2012-09-08 11:56:58 12400 ----a-w- c:\windows\system32\drivers\AsIO.sys
2012-09-08 11:56:52 -------- d-----w- c:\program files\ASUS
2012-09-08 09:25:02 -------- d-----w- c:\windows\pss
2012-09-08 09:16:53 -------- d-----w- c:\program files\CCleaner
2012-09-08 05:49:54 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-09-08 05:49:54 54328 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2012-09-08 05:49:54 35264 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2012-09-08 05:39:41 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3e6eac97-2cff-4de5-92ec-8ee8f031ee64}\mpengine.dll
2012-08-15 03:17:05 623616 ----a-w- c:\windows\system32\localspl.dll
.
==================== Find3M ====================
.
2012-08-15 07:28:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 07:28:13 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 07:28:08 9232584 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-04 14:02:46 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-22 05:35:16 70568 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-06-22 05:34:52 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-06-22 05:29:42 107896 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2012-06-22 05:29:36 254944 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-06-22 01:39:14 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-06-22 01:39:02 149464 ----a-w- c:\windows\SGDetectionTool.dll
2012-06-22 01:39:00 2267096 ----a-w- c:\windows\PCTBDCore.dll
2012-06-22 01:39:00 1689560 ----a-w- c:\windows\PCTBDRes.dll
2012-06-22 01:38:38 767960 ----a-w- c:\windows\BDTSupport.dll
.
============= FINISH: 20:20:40.34 ===============

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-10 20:25:54
-----------------------------
20:25:54.493 OS Version: Windows 6.0.6002 Service Pack 2
20:25:54.493 Number of processors: 4 586 0xF0B
20:25:54.494 ComputerName: SMITHPC UserName: OEMuser
20:25:56.305 Initialize success
20:36:00.266 AVAST engine defs: 12091000
20:37:06.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-6
20:37:06.143 Disk 0 Vendor: WDC_WD6400AACS-00G8B0 05.04C05 Size: 610480MB BusType: 3
20:37:06.187 Disk 0 MBR read successfully
20:37:06.189 Disk 0 MBR scan
20:37:06.194 Disk 0 Windows VISTA default MBR code
20:37:06.199 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 610478 MB offset 2048
20:37:06.205 Disk 0 scanning sectors +1250260992
20:37:06.336 Disk 0 scanning C:\Windows\system32\drivers
20:37:17.372 Service scanning
20:37:37.433 Modules scanning
20:37:52.096 Disk 0 trace - called modules:
20:37:52.115 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
20:37:52.119 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8f136588]
20:37:52.448 3 CLASSPNP.SYS[93fa18b3] -> nt!IofCallDriver -> [0x8f033088]
20:37:52.454 5 PCTCore.sys[9381b82d] -> nt!IofCallDriver -> [0x8e5af918]
20:37:52.461 7 acpi.sys[936cb6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-6[0x8e5a9b98]
20:37:53.867 AVAST engine scan C:\Windows
20:38:23.397 AVAST engine scan C:\Windows\system32
20:41:11.180 AVAST engine scan C:\Windows\system32\drivers
20:41:25.245 AVAST engine scan C:\Users\OEMuser
20:54:01.291 AVAST engine scan C:\ProgramData
20:55:59.933 Scan finished successfully
21:19:56.707 Disk 0 MBR has been saved successfully to "C:\Users\OEMuser\Documents\MBR.dat"
21:19:56.712 The log file has been saved successfully to "C:\Users\OEMuser\Documents\aswMBR.txt"
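The post above names two artefacts worth pulling out of the DDS output mechanically: the root-level directory `C:\3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.....ZZZZZ` with its nested folders of periods and Zs, and the bare hex-named directory `C:\2fae363671e7d90997a43bdd9d15e4a0` in the "Created Last 30" section. The following is an added triage example, not code from the poster, from DDS, or from the OTL process referred to in the linked thread. It parses DDS "Created Last 30"/"Find3M" lines (date, time, size or dashes, eight-character attribute string, path) and applies two name checks of its own: a path component consisting only of `.` and `Z` is flagged as suspicious, while a bare 32-hex-character directory at the drive root is only flagged for review, because Windows Update and many installers leave exactly such folders behind (in the log above the `C:\2fae…` entry sits within minutes of the `msdownld.tmp` and `system32\directx` entries, so its contents and timestamp should be checked before it is treated as hostile). The sample lines are copied from the log above; the nested child path is constructed to match the poster's description, and the severity labels and thresholds are this example's assumptions.

```python
"""Triage DDS-style file listing lines for the directory-name patterns the post
describes.  Added example: not part of the original post or of DDS/OTL."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DDS "Created Last 30" / "Find3M" line layout:
#   <date> <time> <size-or-dashes> <8-char attrs> <path with possible spaces>
_DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
_HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")            # bare GUID-like name
_HEX32_PREFIX = re.compile(r"^[0-9A-Fa-f]{32}(?P<tail>.+)$")
_DOTS_AND_ZS = re.compile(r"^[.Zz]+$")               # e.g. "ZZZ..Z.....ZZZZZ"


@dataclass
class Finding:
    path: str
    severity: str        # "suspicious" or "review" (assumed labels)
    reasons: List[str]


def _components(path: str) -> List[str]:
    """Split a Windows path into its components after the drive letter."""
    drive, _, rest = path.partition("\\")
    if not re.fullmatch(r"[A-Za-z]:", drive):
        rest = path
    return [c for c in rest.split("\\") if c]


def classify_path(path: str) -> Optional[Finding]:
    """Apply the name checks; return None when nothing stands out."""
    comps = _components(path)
    if not comps:
        return None
    suspicious, review = [], []
    for name in comps:
        if _DOTS_AND_ZS.match(name):
            suspicious.append(f"component {name!r} is made only of '.' and 'Z'")
        m = _HEX32_PREFIX.match(name)
        if m and _DOTS_AND_ZS.match(m.group("tail")):
            suspicious.append(
                f"component {name!r} is 32 hex chars followed by '.'/'Z' padding")
    if len(comps) == 1 and _HEX32.match(comps[0]):
        # Installers and Windows Update extract into C:\<32 hex> too, so this
        # is a "look at it" finding, not a verdict.
        review.append("bare 32-hex directory at drive root; check timestamp and contents")
    if suspicious:
        return Finding(path, "suspicious", suspicious + review)
    if review:
        return Finding(path, "review", review)
    return None


def parse_dds_line(line: str) -> Optional[str]:
    """Return the path from a DDS listing line, or None if it is not one."""
    m = _DDS_LINE.match(line.rstrip())
    return m.group("path") if m else None


def triage(lines: Iterable[str], extra_paths: Iterable[str] = ()) -> List[Finding]:
    """Run classify_path over every path parsed from the log plus any extras."""
    paths = [p for p in (parse_dds_line(ln) for ln in lines) if p]
    paths.extend(extra_paths)
    return [f for f in (classify_path(p) for p in paths) if f]


# Sample lines copied from the DDS log in the post above.
SAMPLE_DDS_LINES = [
    r"2012-09-10 07:48:22 -------- d-----w- c:\users\oemuser\appdata\roaming\NVIDIA",
    r"2012-09-08 12:26:34 -------- d-----w- C:\2fae363671e7d90997a43bdd9d15e4a0",
    r"2012-09-08 12:22:39 -------- d--h--w- c:\windows\msdownld.tmp",
    r"2012-09-08 11:56:58 24576 ----a-w- c:\windows\system32\AsIO.dll",
    r"2012-09-08 05:49:54 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys",
]
# Directory named in the post; the child path is constructed to match the
# poster's description of nested folders made of periods and Zs.
REPORTED_DIR = r"C:\3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.....ZZZZZ"
CONSTRUCTED_CHILD = REPORTED_DIR + r"\..Z.ZZ"

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES, [REPORTED_DIR, CONSTRUCTED_CHILD]):
        print(f"[{f.severity}] {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Run against the full DDS output the script only surfaces the two root-level directories; everything under `c:\windows` and `c:\users` in the sample passes, which is the point of keeping the "review" and "suspicious" tiers separate rather than treating every GUID-like folder as an infection.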

Onychophoran
2012-09-11, 13:12
Remove this thread. 0 replies... maybe the title wasn't interesting enough.

tashi
2012-09-11, 16:17
Hello Onychophoran,

Remove this thread. 0 replies... maybe the title wasn't interesting enough.
:blink:

This topic was started yesterday, three posts were merged.

Your new topic: http://forums.spybot.info/showthread.php?t=66713

Please do not start more than one topic for the same computer during the same period. It will either be removed, closed or merged with your original thread.

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count; they look for topics with 0 responses. For that reason we may merge such posts, but please do not count on it.

"BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Help in this forum is provided by volunteers, it is not a shop. :wink:

Waiting for help in the Malware Forum FOUR days or longer? (http://forums.spybot.info/showthread.php?t=1137)

Best regards.