paulh45

A guy at work gave me his laptop, newly bought, which has become infected with Win PC Defender - constatnt pop ups and page blocks it's totally infuriating.

Here's his DDS log as requested -


DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 13:41:52.82 on 10/06/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.509 [GMT 1:00]

AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\87IBY8S6\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WinInet Class: {39fc2065-c9c7-49cd-8942-44cc2dedc844} - c:\windows\ieocx.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [sysav] c:\documents and settings\user\application data\pcdefender.exe
uRun: [Loaris Trojan Remover] "c:\program files\loaris trojan remover\TrojanRemover.exe" 0
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06b\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-29 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-29 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-29 1095560]
S2 gupdate1c9afdf49a6b640;Google Update Service (gupdate1c9afdf49a6b640);c:\program files\google\update\GoogleUpdate.exe [2009-3-28 133104]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2008-4-14 5120]

=============== Created Last 30 ================

2009-06-10 13:10 <DIR> --d----- c:\program files\Trend Micro
2009-05-29 19:32 <DIR> --d----- c:\program files\Loaris Trojan Remover
2009-05-29 18:34 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-29 18:34 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-29 18:34 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-29 18:34 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-29 18:34 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-29 18:34 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-29 18:34 <DIR> --d----- c:\docume~1\user\applic~1\PC Tools
2009-05-29 18:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-28 16:58 28,672 a------- c:\windows\ieocx.dll
2009-05-27 12:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hazard Perception Training
2009-05-27 12:05 282 a------- c:\windows\ft3.ini
2009-05-27 12:05 <DIR> --d----- C:\FastTrak
2009-05-27 12:03 299,520 a------- c:\windows\uninst.exe
2009-05-27 12:02 <DIR> --d----- c:\documents and settings\user\WINDOWS
2009-05-27 11:59 <DIR> --d----- c:\program files\Hazard Perception 2003-2004
2009-05-27 08:22 <DIR> --d----- c:\program files\TachographSimulator
2009-05-26 18:56 1,021,952 a------- c:\docume~1\user\applic~1\pcdefender.exe
2009-05-19 12:20 <DIR> --d----- c:\docume~1\user\applic~1\TSO
2009-05-19 12:06 <DIR> --d----- c:\program files\DSA LGV & PCV Theory Test
2009-05-19 12:02 <DIR> --d----- c:\program files\PowerISO
2009-05-15 17:47 <DIR> --d----- c:\program files\ROUTE66
2009-05-15 17:44 306,688 a------- c:\windows\IsUninst.exe
2009-05-15 11:18 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-15 11:17 <DIR> --d----- c:\program files\MSXML 4.0
2009-05-12 06:58 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-12 06:55 208,744 a------- c:\windows\system32\muweb.dll
2009-05-12 06:55 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-05-12 06:55 268,648 a------- c:\windows\system32\mucltui.dll

==================== Find3M ====================

2009-04-01 14:19 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-16 21:30 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 13:42:52.46 ===============

Many thanks

Attached Files

Attach.zip (12.2 KB, 2 views)

chemist

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
• In the File menu click "Exit" to exit Spybot Search & Destroy.

------------------------------------------------------

Download ResetTeaTimer

• and Save it to your Desktop.
• Double-click ResetTeaTimer.zip
• Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
• A DOS window will open and close again, this is normal.

------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Download ComboFix from any of the links below. You must rename it to Combo-Fix before saving it. Save it to your Desktop.

If you are using Firefox, go to Tools > Options > Main and select 'Always ask me where to save files' and click OK.

Link 1
Link 2
Link 3





* IMPORTANT !!! Save Combo-Fix.exe to your Desktop

------------------------------------------------------

• Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  
• Get help here
  
• Double-click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------

chemist

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------