Author Topic: Help with possible virus  (Read 5661 times)


dp25

  • Guest
Help with possible virus
« on: July 05, 2011, 03:41:07 PM »
Hello community,

I am hoping that you will be able to provide me with a solution to a problem with a friend's family PC.  They are having the following problems:
the Desktop is a DELL running Windows Media Centre (fully updated):

- the PC is unable to connect to the internet despite the router working fine (their netbook connects wirelessly without any issues)
- no connections are showing when attempting to access them through control panel
- the PC is crashing to the attached screen when attempting to do a fresh install of Windows
[img]BlueScreen.JPG[/img]

I have attempted the following to remedy their issues but to no avail:
- Full scan with Avast
- Spybot Search & Destroy
- Malwarebytes Anti-Malware
- Multiple attempted re-installs of Windows
 
Below is the Hijack This log I ran off the system.

Any help you could offer would be greatly appreciated.

Regards
Dale

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:26:28, on 29/06/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lxdwcoms.exe
C:\WINDOWS\system32\lxedcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lexmark S600 Series\lxedmon.exe
C:\Program Files\Lexmark S600 Series\ezprint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [lxedmon.exe] "C:\Program Files\Lexmark S600 Series\lxedmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S600 Series\ezprint.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs:     C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: lxdw_device -   - C:\WINDOWS\system32\lxdwcoms.exe
O23 - Service: lxed_device -   - C:\WINDOWS\system32\lxedcoms.exe

--
End of file - 4500 bytes

com155

  • Guest
Re: Help with possible virus
« Reply #1 on: July 05, 2011, 05:12:47 PM »
Hello Dale, we first need to see an OTS log, so:

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.
Edited to add custom scans

Please ensure that all logs are saved in the ANSI format

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Help with possible virus
« Reply #2 on: July 05, 2011, 05:16:49 PM »
Hi dp25,

Although HJT as a detection tool is now obsolete and abandoned, I still tried to give you the analysis results I could find from your scan log:

You could fix the following entries as PUP or possibly unwanted riskware:

R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll

O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll

O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll

uTorrentBar Toolbar <-- If you do have some malware on your system, and this is most likely, this is the way you got infected.
I would further check on the following system tasks:
lxedcoms.exe and lxedmon.exe; they are probably valid printer device monitor files,
but just check their respective MD5 hashes at VirusTotal to confirm they are genuine (5 definitions)

Do a full scan with MBAM after updating the software: http://www.malwarebytes.org/mbam-download-exe.php  and give the log as an attached txt file.

Now also scan with this tool and attach the logfile:  http://www.resplendence.com/download/sanitySetup.exe

If anything else is found we should inform essexboy here for a more in-depth investigation through the latest appropriate tools, and he might perform a cleansing routine.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
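A small triage helper of the kind polonus's analysis implies, added here as an example (it is not a tool from this thread or from Avast): it parses the R3/O2/O3 lines of the HijackThis log above, groups them by CLSID, and flags components loaded from outside an assumed trusted-directory allowlist, so all three hook points of one toolbar are reported together. The TRUSTED_DIRS allowlist is a hypothetical starting point, not a definitive list.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in the thread (lines copied from the post).
HJT_LOG = r"""
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
"""

# Assumed (hypothetical) allowlist of install directories the reviewer already trusts on this machine.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files\avast software", r"c:\program files\comodo")

# HJT lines that register a browser COM component: "<section> - <kind>: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(
    r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9a-f-]{36}\}) - (?P<path>.+)$",
    re.I,
)

def parse_components(log):
    """Group hook entries by CLSID: one component may register under R3, O2 and O3 at once."""
    comps = defaultdict(lambda: {"name": None, "path": None, "sections": []})
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # O4 Run keys, services etc. are out of scope for this helper
        c = comps[m["clsid"].lower()]
        c["name"], c["path"] = m["name"], m["path"]
        c["sections"].append(f'{m["section"]} - {m["kind"]}')
    return dict(comps)

def suspicious_components(log, trusted=TRUSTED_DIRS):
    """Return components loaded from outside the trusted directories, with every hook point they own.

    Everything flagged here is a candidate for review (hash lookup, uninstall), not a verdict."""
    flagged = {}
    for clsid, c in parse_components(log).items():
        if not c["path"].lower().startswith(trusted):
            flagged[c["name"]] = {"clsid": clsid, "path": c["path"], "sections": c["sections"]}
    return flagged

if __name__ == "__main__":
    for name, info in suspicious_components(HJT_LOG).items():
        print(f"{name}: {info['path']}")
        for s in info["sections"]:
            print("   registered as", s)
```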

dp25

  • Guest
Re: Help with possible virus
« Reply #3 on: July 06, 2011, 04:22:00 PM »
Hello com155 and polonus

Thanks for the responses and my apologies for not responding sooner.  I have the logs both of you have requested; however, being a complete noob I am unsure how to attach them through the posting menu!?

Could you please explain how this is done?

Regards
Dale

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - German-language section  <<<
Re: Help with possible virus
« Reply #4 on: July 06, 2011, 04:27:54 PM »
...being a complete noob I am unsure how to attach them through the posting menu!?

Could you please explain how this is done?

Additional Options - Attach
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

dp25

  • Guest
Re: Help with possible virus
« Reply #5 on: July 06, 2011, 04:36:01 PM »
Hi Asyn,

That made me feel a tad foolish - thanks.

Com155 please find attached the OTS log.

Polonus I have also attached the MBAM and sanitycheck.

Thanks for the help.
Dale

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Help with possible virus
« Reply #6 on: July 06, 2011, 11:19:11 PM »
Hi, were you doing an unattended installation?

Also, was the problem apparent before or after you installed the Comodo firewall?

Are there any yellow markers within Device Manager?

dp25

  • Guest
Re: Help with possible virus
« Reply #7 on: July 06, 2011, 11:38:27 PM »
Hi essexboy, the issue occurred well after the installation of Comodo.

I can check tomorrow if there are any yellow markers in device manager.

Apologies, but I am unfamiliar with the term unattended install. I was attempting to boot from CD and was planning to do a fresh install of Windows that way.

Thanks
Dale

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Help with possible virus
« Reply #8 on: July 06, 2011, 11:43:32 PM »
Hi dp25,

Essexboy will now help you solve your problems. With him you are in the best of hands, as he is the top qualified remover here. Follow his instructions to the dot and all will be well in the end. Do not hesitate to ask him things, as we are here to guide you step by step in this process. All the best,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

com155

  • Guest
Re: Help with possible virus
« Reply #9 on: July 07, 2011, 05:45:42 AM »
Looks like some adware infestation [uTorrent bar] from the OTS logs; anyway, wait for essexboy to come.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Help with possible virus
« Reply #10 on: July 07, 2011, 08:39:54 PM »
The reason I asked about the unattended install is that there are some Windows migration folders on the root of your drive.  I could remove them, and that should help with a re-install.

The info about Device Manager would be very useful.

Please download SINO by Artellos.
  • Save SINO to a place you can remember and run SINO.exe. (If you downloaded the ZIP version you will need to extract it first)
  • Then please check the following checkboxes:
Quote
System Info
Services
Boot Check
Tasklist
Startup Items
Event Log
Ipconfig
Ping
Netstat
Hosts file
Shares
Routing Table

  • Once checked, hit the Run Scan! button and wait for the program to finish the scan.
  • A notepad window will pop up. Please copy all of the content into your next reply.
Note: If you try to interact with the program once it’s started scanning it might appear to hang. The scan however will continue.