HELP: Trojan on pc which is now removed but so is AVG
Comments
-
It is downloaded and running!
-
It won't be a problem, there are rescue discs to go yet, though not good for slow broadband, however, they run before windows loads, so will be able to remove things more easily
http://support.kaspersky.com/viruses/rescuedisk
See how the other two go first
-
5% complete after 3 minutes of running and 0 threats found!
-
I don't believe it, it stopped running after 6 minutes and it remained on 5%. Going to try waddler_8's suggestion!
-
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by charley at 21:06:53 on 2011-10-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1022.258 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\4166403971:2092476679.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.mc870.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264589797&.rand=cvru7fou2v4c3#_pg=showFolder&fid=Inbox&order=down&tt=646&pSize=25&.rand=456487921&.jsrand=4265129
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - c:\program files\translatorbar_3.2\tbTra0.dll
mURLSearchHooks: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - c:\program files\translatorbar_3.2\tbTra0.dll
mURLSearchHooks: H - No File
uWinlogon: Shell=c:\users\charley\appdata\local\834756f8\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\bho\alotBHO.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6308.1122\swg.dll
BHO: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - c:\program files\translatorbar_3.2\tbTra0.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - c:\program files\translatorbar_3.2\tbTra0.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AROReminder] c:\program files\advanced registry optimizer\ARO.exe -rem
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [<NO NAME>]
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMwBaAEMAOQAtAEUASwBBAFIAUwAtADYAUgBXAEcAQQAtAEEAQQBUAEMAVQAtAFYAUAA5AEYATgA"&"inst=NwA3AC0ANwA2ADcANgA0ADIAOAAzADgALQBUADUALQBLAFYAMwArADcALQBCAEEAKwAxAC0AWABMACsAMQAtAFUAQwBBAEwATAArADEALQBTAFQAMQArADIALQBGAFAAOQAyACsANgAtAEIAQQBSADkARwArADEALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADEALQBDAEkAQQA5ADAAKwAyAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADEANgAzADAAMgAtAEQARAA5ADAARgArADEALQBTAFQAOQAwAEYAQQBQAFAAKwAxAC0AUwBUADEAMgBGAE8ASQArADEA"&"prod=90"&"ver=9.0.894
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware 11 october 2011 joe\mbamgui.exe /install /silent
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: download.com
DPF: {A9CF3378-D60E-40A8-927D-7EA0D5B0AA98} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader6.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{244F178A-DB61-45FD-ABFA-7F5A37EFD71F} : DhcpNameServer = 192.168.1.254
.
============= SERVICES / DRIVERS ===============
.
S1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2010-2-22 25984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 212992]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-29 21504]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 ResultBar Service;ResultBar Service;"c:\programdata\resultbar\resultbar113.exe" "c:\program files\resultbar\resultbar.dll" axamiwavuxa omexuzafiqe --> c:\programdata\resultbar\resultbar113.exe [?]
S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-12 167936]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-11 19:30:48 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-11 19:18:02 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b97bb7cf-c9e1-4305-ad27-bcd3ea22bef1}\offreg.dll
2011-10-11 18:49:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-11 18:36:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-11 18:36:01 d-----w- c:\program files\Malwarebytes' Anti-Malware 11 October 2011 JOE
2011-10-11 16:05:21 d-----w- c:\programdata\MFAData
2011-10-11 09:21:47 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b97bb7cf-c9e1-4305-ad27-bcd3ea22bef1}\mpengine.dll
2011-10-08 18:40:17 d-sh--w- c:\users\charley\appdata\local\834756f8
2011-09-28 11:01:12 d-----w- C:\ba69323f8f18ecf555d89a
2011-09-15 03:38:40 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-08-19 19:24:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 21:07:55.88 ===============
-
Yes, it's ZeroAccess
Go here and read through the instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial- Double click combofix.exe & follow the prompts.
- It may prompt you that it will reboot if rootkit activity is detected.
- When it's finished, it'll produce a log. Post the contents of that log.
- It'll be found on your C:\ drive named combofix.txt
-
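The "it's ZeroAccess" call above rests on three things that are visible in the DDS log posted earlier in the thread: a process running from C:\Windows under a colon-separated numeric name (an alternate-data-stream style path), a Winlogon Shell value pointing at a file inside a user-profile directory instead of explorer.exe, and that same directory appearing in "Created Last 30" with system and hidden attributes. As an added example (not code from this thread, from DDS, or from the helpers here), the Python script below scans DDS-style lines for exactly those three patterns. The sample lines are copied from the log above, with a few benign lines from the same log kept so the rules have something to ignore; the reading of the attribute flags ('d' directory, 's' system, 'h' hidden) and the rule names are my own assumptions.

```python
import re

# Sample input: lines copied from the DDS log posted earlier in this thread
# (not constructed), plus a few benign lines from the same log kept so the
# rules have something to ignore.
SAMPLE_LOG = [
    r"C:\Windows\system32\wininit.exe",
    r"C:\Windows\4166403971:2092476679.exe",
    r"C:\Windows\Explorer.EXE",
    r"uWinlogon: Shell=c:\users\charley\appdata\local\834756f8\X",
    r"mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe",
    r"2011-10-11 18:36:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2011-10-08 18:40:17 d-sh--w- c:\users\charley\appdata\local\834756f8",
    r"2011-09-28 11:01:12 d-----w- C:\ba69323f8f18ecf555d89a",
]

# Rule 1: a process path with a second ':' after the drive letter names an
# alternate data stream rather than an ordinary file.
ADS_PATH = re.compile(r"^[a-z]:\\.*[^\\]+:[^\\]+$", re.IGNORECASE)

# Rule 2: the Winlogon Shell value; anything other than explorer.exe means the
# desktop shell has been replaced.
WINLOGON_SHELL = re.compile(r"^[um]Winlogon:\s*Shell=(?P<shell>.+)$", re.IGNORECASE)

# Rule 3: "Created Last 30" entries. The 8-character attribute field is taken
# as DDS prints it; 'd' directory, 's' system, 'h' hidden is my reading of it.
CREATED_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?:\d+\s+)?(?P<attr>[-a-z]{8})\s+(?P<path>.+)$",
    re.IGNORECASE,
)
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)


def is_random_appdata_dir(path):
    """True for a hex-named directory under a user's appdata\\local."""
    parts = path.lower().split("\\")
    return "appdata" in parts and "local" in parts and bool(HEX_NAME.match(parts[-1]))


def triage(lines):
    """Return one finding dict per DDS line that trips a rule, in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if ADS_PATH.match(line):
            findings.append({"rule": "ads_path", "line": line,
                             "why": "process running from an alternate data stream"})
            continue
        m = WINLOGON_SHELL.match(line)
        if m:
            shell = m.group("shell").strip().strip('"')
            if shell.lower().split("\\")[-1] != "explorer.exe":
                findings.append({"rule": "winlogon_shell", "line": line,
                                 "why": "shell replaced by " + shell})
            continue
        m = CREATED_ENTRY.match(line)
        if m:
            attr, path = m.group("attr").lower(), m.group("path")
            reasons = []
            if attr[0] == "d" and "s" in attr and "h" in attr:
                reasons.append("system+hidden directory")
            if is_random_appdata_dir(path):
                reasons.append("hex-named directory under appdata\\local")
            if reasons:
                findings.append({"rule": "suspicious_dir", "line": line,
                                 "why": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['line']}  <- {f['why']}")
```

Run it on a full DDS log by reading the file into a list of lines and passing that list to triage(). The benign lines in the sample (svchost, Explorer.EXE, the mbam.sys driver, and the hex-named directory at the drive root, which has neither the system nor the hidden flag and is not under appdata) produce no findings, so the script points at the same three entries the helper used rather than at everything with an odd-looking name.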
THANKS! I am trying to get it done as fast as yous are sooooooooooooo kindly providing me the instructions because I know yous all have better things to be doing than helping me.
I am grateful for the help, believe it or not. My Dad is too!
-
If there's any problems let us know. This is a serious infection - Take your time with it.
-
It is after stating that it is ZeroAccess like you said! It is rebooting now!
-
I don't believe it, I didn't get a log and the PC is on again in normal mode! Oh no, what can I possibly do to find the log?
This discussion has been closed.