
HELP: Trojan on pc which is now removed but so is AVG


Comments

  • Jo4
    Jo4 Posts: 6,839 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    PC repair people must really have an awful lot of patience as well as brains to know how to sort these kinds of things!
  • Jo4
    Jo4 Posts: 6,839 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Apparently the report log is about to pop up!!!!
  • Jo4
    Jo4 Posts: 6,839 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Here is the log, I hope you can make sense of it!

    ComboFix 11-10-11.03 - charley 11/10/2011 22:27:32.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1022.433 [GMT 1:00]
    Running from: c:\users\charley\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\ResultBar
    c:\programdata\ResultBar
    c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
    .
    Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
    Restored copy from - The cat found it :)
    Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!Common Files!Apple!Mobile Device Support!AppleMobileDeviceService.exe
    .
    Infected copy of c:\program files\Bonjour\mDNSResponder.exe was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!Bonjour!mDNSResponder.exe
    .
    c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe . . . is infected!!
    c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe . . . was deleted!! You should re-install the program it pertains to
    .
    Infected copy of c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!Intel!Intel Matrix Storage Manager!IAANTmon.exe
    .
    Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Program Files!iPod!bin!iPodService.exe
    .
    c:\program files\Common Files\LightScribe\LSSrvc.exe . . . is infected!!
    c:\program files\Common Files\LightScribe\LSSrvc.exe . . . was deleted!! You should re-install the program it pertains to
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    \Service_834756f8
    \Service_ResultBar Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-11 to 2011-10-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-11 22:42 . 2011-10-11 22:42 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B97BB7CF-C9E1-4305-AD27-BCD3EA22BEF1}\offreg.dll
    2011-10-11 22:38 . 2011-10-11 22:43 d-----w- c:\users\charley\AppData\Local\temp
    2011-10-11 22:38 . 2011-10-11 22:38 d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2011-10-11 22:38 . 2011-10-11 22:38 d-----w- c:\users\Default\AppData\Local\temp
    2011-10-11 20:35 . 2009-04-11 04:45 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
    2011-10-11 19:30 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-10-11 18:49 . 2011-10-11 18:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-10-11 18:36 . 2011-10-11 18:36 d-----w- c:\program files\Malwarebytes' Anti-Malware 11 October 2011 JOE
    2011-10-11 18:36 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-11 16:05 . 2011-10-11 17:55 d-----w- c:\programdata\MFAData
    2011-10-11 09:21 . 2011-09-21 08:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B97BB7CF-C9E1-4305-AD27-BCD3EA22BEF1}\mpengine.dll
    2011-10-08 18:40 . 2011-10-11 15:44 d-sh--w- c:\users\charley\AppData\Local\834756f8
    2011-09-28 11:01 . 2011-09-28 11:04 d-----w- C:\ba69323f8f18ecf555d89a
    2011-09-15 03:38 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-19 19:24 . 2011-06-30 22:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-22 02:54 . 2011-08-12 12:55 1797632 ----a-w- c:\windows\system32\jscript9.dll
    2011-07-22 02:48 . 2011-08-12 12:55 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-07-22 02:44 . 2011-08-12 12:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{c55f5517-246e-4426-b745-ee25b08eb8b4}"= "c:\program files\TranslatorBar_3.2\tbTra0.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-10-18 12:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    2010-10-18 12:26 3908192 ----a-w- c:\program files\TranslatorBar_3.2\tbTra0.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{c55f5517-246e-4426-b745-ee25b08eb8b4}"= "c:\program files\TranslatorBar_3.2\tbTra0.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C55F5517-246E-4426-B745-EE25B08EB8B4}"= "c:\program files\TranslatorBar_3.2\tbTra0.dll" [2010-10-18 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2007-03-23 2074752]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-11 39408]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CCUTRAYICON"="FactoryMode" [X]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-28 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8473120]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-28 81920]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMwBaAEMAOQAtAEUASwBBAFIAUwAtADYAUgBXAEcAQQAtAEEAQQBUAEMAVQAtAFYAUAA5AEYATgA&inst=NwA3AC0ANwA2ADcANgA0ADIAOAAzADgALQBUADUALQBLAFYAMwArADcALQBCAEEAKwAxAC0AWABMACsAMQAtAFUAQwBBAEwATAArADEALQBTAFQAMQArADIALQBGAFAAOQAyACsANgAtAEIAQQBSADkARwArADEALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADEALQBDAEkAQQA5ADAAKwAyAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADEANgAzADAAMgAtAEQARAA5ADAARgArADEALQBTAFQAOQAwAEYAQQBQAFAAKwAxAC0AUwBUADEAMgBGAE8ASQArADEA&prod=90&ver=9.0.894" [?]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [x]
    R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2010-02-22 25984]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.mc870.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264589797&.rand=cvru7fou2v4c3#_pg=showFolder&fid=Inbox&order=down&tt=646&pSize=25&.rand=456487921&.jsrand=4265129
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    Trusted Zone: download.com
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {A9CF3378-D60E-40A8-927D-7EA0D5B0AA98} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader6.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-HPADVISOR - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Other Running Processes
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\System32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-11 23:53:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-11 22:52
    .
    Pre-Run: 71,711,354,880 bytes free
    Post-Run: 74,439,380,992 bytes free
    .
    - - End Of File - - 9D0066959C5782010B6E976DE5EBDF93
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    There might be some other things to sort out - We can do that tomorrow evening if you wish. In the meantime try not to use the PC if at all possible so as to avoid reinfection.
  • Jo4
    Jo4 Posts: 6,839 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    waddler_8 wrote: »
    There might be some other things to sort out - We can do that tomorrow evening if you wish. In the meantime try not to use the PC if at all possible so as to avoid reinfection.

    That would be fantastic, it sounds like a date! :p :rotfl: :rotfl: :rotfl:

    What time tomorrow evening?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Anytime. I'll be online from around five onwards I would think - Not continually, but occasionally checking in.

    That was the problem with the file it was stuck on. It was infected and couldn't be replaced. The time delay was searching for a replacement which couldn't be found so had to be deleted.

    'til tomorrow...
  • Jo4
    Jo4 Posts: 6,839 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    waddler_8 wrote: »
    Anytime. I'll be online from around five onwards I would think - Not continually, but occasionally checking in.

    That was the problem with the file it was stuck on. It was infected and couldn't be replaced. The time delay was searching for a replacement which couldn't be found so had to be deleted.

    'til tomorrow...

    Thanks! :T I'll try to be online about 5pm tomorrow then!
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Good Afternoon. :)

    Can you post attach.txt for me.

    It was one of the two logs that were created along with DDS.txt when you first ran DDS.

    Ta.
  • Jo4
    Jo4 Posts: 6,839 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Sorry, just seen your message. I won't be near the PC until about 7:30 this evening, sorry!
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    That's not a problem. :)
This discussion has been closed.