Trojan.BHO.H

KimP · November 11, 2010

**I think I've attached/copied the requested logs. Thank you for any help.**

DDS (Ver_10-11-10.01) - NTFSx86

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5038

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

11/10/2010 12:22:43 PM

mbam-log-2010-11-10 (12-22-43).txt

Scan type: Quick scan

Objects scanned: 165088

Time elapsed: 8 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Heidi\AppData\Local\Temp\low\COUPON~1.DLL (Trojan.BHO.H) -> No action taken.

Run by Heidi at 14:13:32.94 on Wed 11/10/2010

Internet Explorer: 8.0.6001.18975

Microsoft

Attach.zip

Maniac · November 12, 2010

Hello KimP! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Follow my instructions step by step if there is a problem somewhere, stop and tell me.
Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.
Keep me informed about any changes.

Step 1

First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping Avira AntiVir Personal , so please uninstall AVG Free 9.0 .

Step 2

Your database version of Malwarebytes' Anti-Malware is old, so please:

Launch Malwarebytes' Anti-Malware
Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s):

Malwarebytes' Anti-Malware log
a new fresh DDS log only

KimP · November 12, 2010

First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping Avira AntiVir Personal , so please uninstall AVG Free 9.0 .

** I downloaded Avira at the recommendation of this website when I couldn't get the AVG to respond in any way, including uninstallation. I tried to uninstall again just now and here is the error I got:***

Installer initialization failed due to following error:

Error: Initialization of the language file "C:\Program Files\AVG\AVG9" failed.

Initialization of languages failed or files count is zero.

**Here is the Malwarebytes' Anti-Malware log that shows it quarantined and successfully deleted. It always shows up again after I restart the computer.**

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5102

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

11/12/2010 11:24:48 AM

mbam-log-2010-11-12 (11-24-48).txt

Scan type: Quick scan

Objects scanned: 166444

Time elapsed: 7 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Heidi\AppData\Local\Temp\low\COUPON~1.DLL (Trojan.BHO.H) -> Quarantined and deleted successfully.

DDS (Ver_10-11-10.01) - NTFSx86

Run by Heidi at 11:33:27.49 on Fri 11/12/2010

Internet Explorer: 8.0.6001.18975

Microsoft

Maniac · November 14, 2010

Okay, step by step... let's fix this issue with AVG. Follow these instructions and let me know:

http://forums.avg.com/ww-en/avg-free-forum...4013#post_44013

KimP · November 14, 2010

By the way, I didn't say "Hello, nice to meet you" last time.

I followed the instructions for a 32-bit (since that was what worked). After restart, I deleted c:\program files\AVG, as instructed. The other four files listed for Windows Vista, I did not find:

C:\ProgramData\AVG8

C:\ProgramData\AVG9

C:\Users\<user>\AppData\Roaming\AVG8

C:\Users\<user>\AppData\Roaming\AVG9

I do, however, see file c:\AVG Temp with "delete_ndis" inside (looks like an execute file, but I'm not sure). I got this computer from a friend, and that file is dated previous to my receipt of the computer. Shall I delete that file too?

Thanks for your help.

Maniac · November 15, 2010

Yes, please.

KimP · November 15, 2010

It has been deleted.

Maniac · November 15, 2010

Please post a new fresh DDS log only.

KimP · November 15, 2010

DDS (Ver_10-11-10.01) - NTFSx86

Run by Heidi at 13:17:18.78 on Mon 11/15/2010

Internet Explorer: 8.0.6001.18975

Microsoft

Maniac · November 16, 2010

You follow all the steps, right?

http://forums.avg.com/ww-en/avg-free-forum...4013#post_44013

KimP · November 16, 2010

I followed all the steps up until it says "stop here if not re-installing", so I didn't understand why it still looked like it was showing up somewhere.

As I stated before, there were four folders I couldn't find to remove:

I followed the instructions for a 32-bit (since that was what worked). After restart, I deleted c:\program files\AVG, as instructed. The other four files listed for Windows Vista, I did not find:

C:\ProgramData\AVG8

C:\ProgramData\AVG9

C:\Users\<user>\AppData\Roaming\AVG8

C:\Users\<user>\AppData\Roaming\AVG9

I just restarted the computer and did a search for anything that included "AVG8" or "AVG9" and the only thing that came up were previous DDS logs I had saved and posted here (excluding the one I posted yesterday).

Maniac · November 17, 2010

I see...

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

KimP · November 17, 2010

OTL logfile created on: 11/17/2010 11:31:38 AM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Heidi\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18975)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free

7.00 Gb Paging File | 6.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 288.27 Gb Total Space | 189.51 Gb Free Space | 65.74% Space Free | Partition Type: NTFS

Drive D: | 9.82 Gb Total Space | 4.45 Gb Free Space | 45.30% Space Free | Partition Type: NTFS

Computer Name: TREVOR | User Name: Heidi | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Heidi\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)

PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)

PRC - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe (SonicWALL, Inc.)

PRC - C:\Windows\System32\CSHelper.exe ()

PRC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe (WDC)

PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)

PRC - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe ()

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

========== Modules (SafeList) ==========

MOD - C:\Users\Heidi\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)

SRV - (SWGVCSvc) -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe (SonicWALL, Inc.)

SRV - (GameConsoleService) -- C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe (WildTangent, Inc.)

SRV - (CSHelper) -- C:\Windows\System32\CSHelper.exe ()

SRV - (WDBtnMgrSvc.exe) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe (WDC)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)

SRV - (AlertService) Intel® -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (Intel® Corporation)

SRV - (Remote UI Service) Intel® -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe (Intel® Corporation)

SRV - (MCLServiceATL) Intel® -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe (Intel® Corporation)

SRV - (ISSM) Intel® -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe (Intel® Corporation)

SRV - (M1 Server) Intel® Viiv -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe ()

SRV - (DQLWinService) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe ()

SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

========== Driver Services (SafeList) ==========

DRV - (USBAAPL) -- C:\Windows\System32\Drivers\usbaapl.sys File not found

DRV - (SDDMI2) -- C:\Windows\System32\DDMI2.sys File not found

DRV - (RimUsb) -- C:\Windows\System32\Drivers\RimUsb.sys File not found

DRV - (rcvpn) -- C:\Windows\System32\DRIVERS\rcvpn.sys File not found

DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found

DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found

DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found

DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found

DRV - (AgereSoftModem) -- C:\Windows\System32\DRIVERS\AGRSM.sys File not found

DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)

DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)

DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)

DRV - (SWIPsec) -- C:\Windows\System32\drivers\SWIPsec.sys (SonicWALL, Inc.)

DRV - (SWVNIC) -- C:\Windows\System32\drivers\SWVNIC.sys (SonicWALL, Inc.)

DRV - (DNE) -- C:\Windows\System32\drivers\dne2000.sys (Deterministic Networks, Inc.)

DRV - (Point32) -- C:\Windows\System32\drivers\point32k.sys (Microsoft Corporation)

DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)

DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)

DRV - (atkdisplf) -- C:\Windows\System32\drivers\ATKDispLowFilter.sys (ASUSTeK Computer Inc.)

DRV - (asusgsb) -- C:\Windows\System32\drivers\asusgsb.sys (ASUSTeK Computer Inc.)

DRV - (IntelDH) -- C:\Windows\System32\drivers\IntelDH.sys (Intel Corporation)

DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)

DRV - (ialm) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)

DRV - (TSHWMDTCP) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys ()

DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)

DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)

DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)

DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)

DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)

DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)

DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)

DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)

DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)

DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)

DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)

DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)

DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)

DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)

DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)

DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)

DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)

DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)

DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)

DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)

DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)

DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)

DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)

DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)

DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)

DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)

DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)

DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)

DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)

DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)

DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)

DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)

DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)

DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)

DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)

DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)

DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)

DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)

DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)

DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)

DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)

DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)

DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\Windows\System32\drivers\ac97intc.sys (Intel Corporation)

DRV - (NETw2v32) Intel® -- C:\Windows\System32\drivers\NETw2v32.sys (Intel

KimP · November 17, 2010

After I pasted the last info and could see where "AVG8" and "AVG9" showed up, I decided the files I needed to delete were hidden.

I somehow found some (no idea how!), located c:\programdata\AVG9 and deleted it. Then I figured out how to show hidden icons and found C:\Users\<user>\AppData\Roaming\AVG9 and deleted it also. The recycle bin was hidden, so I figured out how to show it and emptied it as well. I still see folder c:\$AVG\$Vault - shall I delete that too?

I'm posting OTL log again. For some reason, the "extras" screen didn't pop up this time.

OTL logfile created on: 11/17/2010 12:22:41 PM - Run 3

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Heidi\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18975)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free

7.00 Gb Paging File | 6.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 288.27 Gb Total Space | 204.08 Gb Free Space | 70.80% Space Free | Partition Type: NTFS

Drive D: | 9.82 Gb Total Space | 4.45 Gb Free Space | 45.30% Space Free | Partition Type: NTFS

Drive F: | 1005.72 Mb Total Space | 571.84 Mb Free Space | 56.86% Space Free | Partition Type: FAT