
Infected with SuspiciousCloud.7.L and HeurEngine.MalPE


  • This topic is locked
2 replies to this topic

#1 MeKD

MeKD

  • Members
  • 1 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 30 November 2012 - 08:16 AM

Just a quick note here... This is not my computer, it is a friend's. The language on it is Dutch and the DDS txt files have some Dutch in them. However the program names all appear to be in English. If it needs to be translated, let me know and I will get that done as soon as possible. I really appreciate any help you can give me. Thanks.

The PCTools keeps showing infections of SuspiciousCloud.7.L and HeurEngine.MalPE. The internet has been getting slower and eventually says it can't connect. Using the cleaning tools listed below and running in safe mode, I have been able to get the internet back, but it is already slowing down again.
(Also, as a side note, these same problems are showing up on their server, which is running Server 2003.) Should I start another post for that machine?

I have tried PCTools, Malwarebytes, Spybot Search and Destroy, ESET online scanner, and Norton Power Eraser to try and remove these, but after running TFC and disk cleanup and reboots, they keep showing back up in PCTools.

Posting DDS files
DDS

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by jpd at 13:46:54 on 2012-11-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.2046.1112 [GMT 1:00]
.
AV: PC Tools AntiVirus Free *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ================
.
C:\WIN_XP\system32\Ati2evxx.exe
C:\WIN_XP\system32\Ati2evxx.exe
C:\WIN_XP\system32\spoolsv.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
C:\WIN_XP\system32\SearchIndexer.exe
C:\WIN_XP\system32\wuauclt.exe
C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
C:\WIN_XP\Explorer.EXE
C:\WIN_XP\RTHDCPL.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WIN_XP\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\BingApp.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\BingBar.exe
c:\WIN_XP\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\BingSurrogate.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\BingSurrogate.exe
C:\WIN_XP\system32\SearchProtocolHost.exe
C:\WIN_XP\system32\SearchFilterHost.exe
C:\WIN_XP\system32\wbem\wmiprvse.exe
C:\WIN_XP\system32\svchost.exe -k netsvcs
C:\WIN_XP\system32\svchost.exe -k NetworkService
C:\WIN_XP\system32\svchost.exe -k LocalService
C:\WIN_XP\system32\svchost.exe -k LocalService
C:\WIN_XP\system32\svchost.exe -k imgsvc
C:\WIN_XP\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: PC Tools Browser Guard: {472734EA-242A-422b-ADF8-83D1E48CC825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: Windows Live Aanmelden - Help: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [CTFMON.EXE] c:\win_xp\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Aeria Ignite] "c:\program files\aeria games\ignite\aeriaignite.exe" silent
mRun: [ISTray] "c:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI
dRun: [CTFMON.EXE] c:\win_xp\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1.win\menust~1\progra~1\opstar~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277233698730
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 208.67.222.123 208.67.220.123
TCP: Interfaces\{DB4B2020-E786-4B5A-9E47-638BF05F94C1} : DHCPNameServer = 208.67.222.123 208.67.220.123
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs= c:\win_xp\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\win_xp\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jpd.g0a68ad0b7c364\application data\mozilla\firefox\profiles\kgws9tuh.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\win_xp\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\win_xp\system32\npdeployJava1.dll
FF - plugin: c:\win_xp\system32\npptools.dll
FF - ExtSQL: 2012-11-03 08:40; {cb84136f-9c44-433a-9048-c5cd9df1dc16}; c:\program files\pc tools security\bdt\Firefox
FF - ExtSQL: 2012-11-03 09:06; jqs@sun.com; c:\program files\java\jre6\lib\deploy\jqs\ff
FF - ExtSQL: 2012-11-03 09:07; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-27 13:59; {4ED1F68A-5463-4931-9384-8FFF5ED91D92}; c:\program files\mcafee\SiteAdvisor
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\win_xp\system32\drivers\PCTCore.sys [2012-11-29 368616]
R0 pctDS;PC Tools Data Store;c:\win_xp\system32\drivers\pctDS.sys [2012-11-29 342168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\win_xp\system32\drivers\cmdGuard.sys [2011-1-6 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\win_xp\system32\drivers\cmdhlp.sys [2011-1-6 32640]
R1 pctgntdi;pctgntdi;c:\win_xp\system32\drivers\pctgntdi.sys [2012-11-29 260760]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\win_xp\system32\drivers\PCTSD.sys [2012-11-29 202280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-11-29 580728]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-1-17 1990464]
R2 fssfltr;FssFltr;c:\win_xp\system32\drivers\fssfltr_tdi.sys [2010-6-24 54760]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-11-29 403416]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-11-29 1162360]
R3 PCTBD;PC Tools Browser Defender Driver;c:\win_xp\system32\drivers\PCTBD.sys [2012-11-29 62688]
R3 pctplsm;pctplsm;c:\win_xp\system32\drivers\pctplsm.sys [2012-11-29 68272]
S3 apf001;apf001;\??\c:\aeriagames\wolfteam\apf001.sys --> c:\aeriagames\wolfteam\apf001.sys [?]
S3 fsssvc;De service Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 npggsvc;nProtect GameGuard Service;c:\win_xp\system32\gamemon.des -service --> c:\win_xp\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\win_xp\system32\svchost.exe -k WINRM [2008-4-15 14336]
S4 0077861354159425mcinstcleanup;McAfee Application Installer Cleanup (0077861354159425);c:\docume~1\jpd~1.g0a\locals~1\temp\007786~1.exe -cleanup -nolog --> c:\docume~1\jpd~1.g0a\locals~1\temp\007786~1.EXE -cleanup -nolog [?]
S4 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
S4 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
S4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\aeriagames\tribesascend\HiPatchService.exe [2012-10-9 8704]
.
=============== Created Last 30 ================
.
2012-11-30 07:44:49 -------- d-----w- c:\program files\ESET
2012-11-29 18:41:51 62688 ----a-w- c:\win_xp\system32\drivers\PCTBD.sys
2012-11-29 18:41:50 769144 ----a-w- c:\win_xp\BDTSupport.dll
2012-11-29 18:41:50 2280568 ----a-w- c:\win_xp\PCTBDCore.dll
2012-11-29 18:41:50 1690744 ----a-w- c:\win_xp\PCTBDRes.dll
2012-11-29 18:41:50 150648 ----a-w- c:\win_xp\SGDetectionTool.dll
2012-11-29 18:41:02 260760 ----a-w- c:\win_xp\system32\drivers\pctgntdi.sys
2012-11-29 18:40:53 71752 ----a-w- c:\win_xp\system32\drivers\pctplsg.sys
2012-11-29 18:40:53 68272 ----a-w- c:\win_xp\system32\drivers\pctplsm.sys
2012-11-29 18:40:47 -------- d-----w- c:\program files\PC Tools
2012-11-29 18:38:49 909728 ----a-w- c:\win_xp\system32\drivers\pctEFA.sys
2012-11-29 18:38:49 342168 ----a-w- c:\win_xp\system32\drivers\pctDS.sys
2012-11-29 18:38:47 368616 ----a-w- c:\win_xp\system32\drivers\PCTCore.sys
2012-11-29 18:38:47 163288 ----a-w- c:\win_xp\system32\drivers\PCTAppEvent.sys
2012-11-29 18:38:46 202280 ----a-w- c:\win_xp\system32\drivers\PCTSD.sys
2012-11-29 14:28:56 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\local settings\application data\NPE
2012-11-29 14:28:56 -------- d-----w- c:\documents and settings\all users.win_xp\application data\Norton
2012-11-29 13:54:27 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\application data\PC Tools
2012-11-29 06:34:34 22856 ----a-w- c:\win_xp\system32\drivers\mbam.sys
2012-11-29 06:34:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-27 13:07:13 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\local settings\application data\Mozilla
2012-11-27 13:07:04 -------- d--h--r- c:\documents and settings\jpd.g0a68ad0b7c364\Onlangs geopend
2012-11-23 16:19:52 -------- d-----w- c:\documents and settings\all users.win_xp\application data\Firefly Studios
2012-11-23 13:02:15 -------- d-----w- C:\Documents
2012-11-23 12:59:21 -------- d-----w- c:\documents and settings\all users.win_xp\application data\Hi-Rez Studios
2012-11-16 19:29:44 -------- d-----w- C:\Download
2012-11-03 10:52:12 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\local settings\application data\Identities
2012-11-03 10:52:06 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\application data\Windows Desktop Search
2012-11-03 10:02:10 -------- d-----w- c:\win_xp\system32\winrm
2012-11-03 10:01:59 -------- dc-h--w- c:\win_xp\$968930Uinstall_KB968930$
2012-11-03 09:50:19 -------- d-----w- c:\program files\Windows Desktop Search
2012-11-03 09:50:17 -------- d-----w- c:\win_xp\system32\GroupPolicy
2012-11-03 08:33:02 14048 ------w- c:\win_xp\system32\spmsg2.dll
2012-11-03 08:06:58 477168 ----a-w- c:\win_xp\system32\npdeployJava1.dll
2012-11-03 07:38:37 19464 ----a-w- c:\win_xp\system32\drivers\pctBTFix.sys
2012-11-03 07:37:10 -------- d-----w- C:\c4f5ea20c90b290f3b70750838
2012-11-03 07:35:02 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\application data\TestApp
2012-11-03 07:25:19 -------- d-sh--w- c:\documents and settings\jpd.g0a68ad0b7c364\PrivacIE
2012-11-03 06:46:52 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\local settings\application data\Threat Expert
2012-11-02 09:27:08 -------- d-----w- c:\documents and settings\jpd.g0a68ad0b7c364\application data\Malwarebytes
.
==================== Find3M ====================
.
2012-11-16 19:29:24 233 -c--a-w- c:\win_xp\system32\nxEuUninstall.bat
2012-11-16 19:29:20 446464 -c--a-w- c:\win_xp\NEXON_EU_DownloaderUpdater.exe
2012-11-07 23:38:16 32640 ----a-w- c:\win_xp\system32\drivers\cmdhlp.sys
2012-11-07 23:38:14 497952 ----a-w- c:\win_xp\system32\drivers\cmdGuard.sys
2012-11-07 23:38:13 18096 ----a-w- c:\win_xp\system32\drivers\cmderd.sys
2012-11-07 23:37:35 34024 ----a-w- c:\win_xp\system32\cmdcsr.dll
2012-11-07 23:37:34 301264 ----a-w- c:\win_xp\system32\guard32.dll
2012-11-03 08:06:30 473072 ----a-w- c:\win_xp\system32\deployJava1.dll
2012-10-22 19:57:06 1866496 ----a-w- c:\win_xp\system32\win32k.sys
2012-10-11 15:04:39 696760 ----a-w- c:\win_xp\system32\FlashPlayerApp.exe
2012-10-11 15:04:38 73656 ----a-w- c:\win_xp\system32\FlashPlayerCPLApp.cpl
2012-10-11 15:04:26 10220472 ----a-w- c:\win_xp\system32\FlashPlayerInstaller.exe
2012-10-03 14:13:13 98304 ----a-w- c:\win_xp\system32\CmdLineExt.dll
2012-10-02 18:04:35 58368 ----a-w- c:\win_xp\system32\synceng.dll
.
============= FINISH: 13:48:34.50 ===============
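As an added example (not from the original post, and not part of DDS itself), a small Python triage script that splits a DDS log into its sections and flags the entries a responder usually checks first: orphaned BHOs, a populated AppInit_DLLs value, hosts-file overrides, resolvers outside an expected list, and services whose file is missing or sits under a temp directory. The sample input is constructed from lines of the log above; the expected resolver list is an assumption supplied by the caller.

```python
import re
from collections import defaultdict
# Constructed sample input: a few lines in DDS log format, copied from the log above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
TCP: NameServer = 208.67.222.123 208.67.220.123
AppInit_DLLs= c:\win_xp\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\win_xp\system32\drivers\cmdGuard.sys [2011-1-6 497952]
S3 apf001;apf001;\??\c:\aeriagames\wolfteam\apf001.sys --> c:\aeriagames\wolfteam\apf001.sys [?]
S4 0077861354159425mcinstcleanup;McAfee Application Installer Cleanup (0077861354159425);c:\docume~1\jpd~1.g0a\locals~1\temp\007786~1.exe -cleanup -nolog --> c:\docume~1\jpd~1.g0a\locals~1\temp\007786~1.EXE -cleanup -nolog [?]
"""
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # DDS section headers: ==== NAME ====

def parse_sections(text):
    """Split a DDS log into {section name: [entry lines]}; DDS's '.' spacer lines are dropped."""
    sections, current = defaultdict(list), "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections

def triage(text, expected_dns=()):
    """Return (severity, reason, line) tuples for entries to look at first; expected_dns lists the resolvers legitimate for this network (assumption supplied by the analyst)."""
    sections, findings = parse_sections(text), []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("BHO:") and line.endswith("<orphaned>"):
            findings.append(("info", "BHO CLSID registered but its DLL is gone", line))
        elif line.startswith("AppInit_DLLs=") and line.split("=", 1)[1].strip():
            findings.append(("review", "AppInit_DLLs is loaded into every user-mode process", line))
        elif line.startswith("Hosts:"):
            findings.append(("review", "hosts-file override redirects a name", line))
        elif line.startswith("TCP: NameServer"):
            unexpected = set(line.split("=", 1)[1].split()) - set(expected_dns)
            if unexpected:
                findings.append(("review", "resolver outside expected list: " + " ".join(sorted(unexpected)), line))
    for line in sections.get("SERVICES / DRIVERS", []):
        if line.endswith("[?]"):  # DDS marks entries whose file was not found with [?]
            findings.append(("info", "service/driver registered but file not found", line))
        if "\\temp\\" in line.lower():
            findings.append(("review", "service/driver path under a temp directory", line))
    return findings

if __name__ == "__main__":
    for sev, why, entry in triage(SAMPLE_DDS, expected_dns=("208.67.222.123", "208.67.220.123")):
        print(f"[{sev}] {why}\n    {entry}")
```

Findings are hints for a human reviewer, not verdicts: the COMODO guard32.dll AppInit entry and the orphaned BHOs in this log are what the responder judged benign.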

#2 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:45 PM

Posted 04 December 2012 - 04:45 PM

Hi and welcome to the forums :)

Do you have a log from PC Tools that tells us more information about the detections "SuspiciousCloud.7.L" and "HeurEngine.MalPE"?

If so, please attach and/or post the contents of it here.
Your DDS log looks fine by the way.

#3 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:45 PM

Posted 07 December 2012 - 02:41 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
