Spyware sorted but left with unhanded DLLs


  • This topic is locked
7 replies to this topic

#1 Tizzer

Tizzer

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 03 January 2009 - 10:33 AM

Any help on this problem would be appreciated. My nephew got a new netbook for Christmas and managed to last a day before filling it with various malware. I have managed to stop IE7 from jumping from page to page through Spybot and Malwarebytes AntiMalware and there are no more pop-ups but on start up we are hit with the following error messages...

Posted Image

All folders are present but empty of content.

The DDS.txt file shows the following -

DDS (Version 1.1.0) - NTFSx86
Run by Admin at 13:26:28.76 on 03/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501.44 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\System Control Manager\MSIService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-26 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-26 26824]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-3 38496]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-5-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-5-30 306176]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-26 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-26 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-26 76040]
R4 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-9-18 159744]

=============== Created Last 30 ================


==================== Find3M ====================

2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 13:27:24.60 ===============

Let me know if you need anything further. Thanks for looking.



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:01:31 AM

Posted 05 January 2009 - 06:02 AM

Hello Tizzer and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Tizzer

Tizzer
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 07 January 2009 - 03:51 PM

Thanks for taking the time to reply Thunder. The log reads as...

ComboFix 09-01-07.01 - Admin 2009-01-07 20:31:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501.285 [GMT 0:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-03 13:18 . 2009-01-03 13:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 13:18 . 2009-01-03 13:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 13:18 . 2009-01-03 13:18 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-01-03 13:18 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 13:18 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 12:48 . 2009-01-03 12:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 18:05 . 2009-01-02 18:05 109 --a------ c:\windows\wininit.ini
2009-01-02 13:16 . 2009-01-02 13:16 <DIR> d-------- c:\program files\Lavasoft
2009-01-02 13:16 . 2009-01-02 13:16 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-02 13:16 . 2009-01-02 13:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-02 13:15 . 2009-01-03 01:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 13:15 . 2009-01-03 01:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 00:56 . 2009-01-02 00:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-12-28 14:37 . 2008-10-16 20:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-28 14:37 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-28 14:37 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-28 14:37 . 2008-10-16 20:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-28 14:37 . 2008-10-16 20:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-28 14:37 . 2008-10-16 20:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-28 14:37 . 2008-10-16 20:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-28 14:37 . 2008-10-16 20:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-28 14:37 . 2008-10-16 13:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-28 14:02 . 2008-12-28 14:02 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-28 13:01 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-28 13:01 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-28 13:00 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-28 13:00 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-28 13:00 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-28 13:00 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-28 12:59 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-28 12:53 . 2008-12-29 20:22 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-27 17:34 . 2009-01-02 00:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\supilime
2008-12-27 17:34 . 2008-12-28 15:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\lamisefi
2008-12-27 17:34 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-27 17:34 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-27 17:34 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-27 01:43 . 2008-12-27 20:34 <DIR> d-------- c:\documents and settings\Admin\Contacts
2008-12-27 01:38 . 2008-12-27 01:39 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-27 01:37 . 2008-12-27 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-26 21:18 . 2009-01-02 13:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\yoguyutu
2008-12-26 21:18 . 2009-01-02 13:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\bulopazo
2008-12-26 11:55 . 2009-01-02 18:45 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-26 10:09 . 2008-12-26 10:09 <DIR> d-------- c:\program files\VideoLAN
2008-12-26 10:00 . 2009-01-07 19:58 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-26 10:00 . 2008-12-26 10:00 <DIR> d-------- c:\program files\AVG
2008-12-26 10:00 . 2008-12-26 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-26 10:00 . 2008-12-26 10:00 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-26 10:00 . 2008-12-26 10:00 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-26 10:00 . 2008-12-26 10:00 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-26 09:18 . 2009-01-02 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\sisazibo
2008-12-26 09:18 . 2009-01-02 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\dezubebo
2008-12-26 09:13 . 2009-01-02 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\wuyojogi
2008-12-26 09:13 . 2008-12-28 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\ronihuni
2008-12-26 09:13 . 2009-01-02 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\kofirawa
2008-12-25 22:21 . 2008-12-25 22:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2008-12-25 22:20 . 2008-12-25 22:20 <DIR> d--hs---- c:\documents and settings\Elliot Smallshaw\UserData
2008-12-25 22:15 . 2008-12-25 22:15 <DIR> d-------- c:\documents and settings\Elliot Smallshaw\Application Data\Nero
2008-12-25 21:36 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2008-12-25 21:36 . 2008-12-25 22:11 376 --a------ c:\windows\ODBC.INI
2008-12-25 21:34 . 2008-12-25 21:34 <DIR> d-------- c:\program files\Common Files\L&H
2008-12-25 21:33 . 2008-12-25 21:33 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-12-25 21:32 . 2008-12-25 22:02 <DIR> d-------- c:\windows\SHELLNEW
2008-12-25 21:31 . 2008-12-25 21:31 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-25 21:30 . 2008-12-25 21:30 <DIR> dr-h----- C:\MSOCache
2008-12-25 21:27 . 2008-12-25 21:27 <DIR> d-------- c:\documents and settings\Admin\Application Data\Nero
2008-12-25 21:23 . 2008-12-25 21:23 <DIR> d-------- c:\program files\Nero
2008-12-25 21:23 . 2008-12-25 21:25 <DIR> d-------- c:\program files\Common Files\Nero
2008-12-25 21:23 . 2008-12-25 21:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-25 20:06 . 2008-12-25 20:06 <DIR> d-------- c:\program files\D-Tools
2008-12-25 20:06 . 2004-08-22 16:31 155,136 --a------ c:\windows\system32\drivers\d347bus.sys
2008-12-25 20:06 . 2004-08-22 16:31 5,248 --a------ c:\windows\system32\drivers\d347prt.sys
2008-12-25 20:05 . 2008-12-25 20:05 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-25 20:01 . 2008-12-25 20:01 <DIR> d--hs---- c:\documents and settings\Admin\UserData
2008-12-25 19:17 . 2008-12-25 19:17 <DIR> d-------- c:\documents and settings\Admin\Application Data\vlc
2008-12-25 11:11 . 2008-09-10 17:30 <DIR> d-------- c:\documents and settings\Admin\Application Data\The TechGuys
2008-12-25 11:11 . 2008-05-30 15:24 <DIR> d-------- c:\documents and settings\Admin\Application Data\InstallShield
2008-12-25 11:11 . 2009-01-02 12:59 <DIR> d-------- c:\documents and settings\Admin
2008-12-25 10:53 . 2008-12-25 10:53 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-25 09:43 . 2008-09-10 17:30 <DIR> d-------- c:\documents and settings\Elliot Smallshaw\Application Data\The TechGuys
2008-12-25 09:43 . 2008-05-30 15:24 <DIR> d-------- c:\documents and settings\Elliot Smallshaw\Application Data\InstallShield
2008-12-25 09:43 . 2008-12-25 22:20 <DIR> d-------- c:\documents and settings\Elliot Smallshaw
2008-12-25 09:40 . 2008-12-25 09:40 8,192 --a------ c:\windows\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 13:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 14:06 --------- d-----w c:\program files\Microsoft Works
2008-12-25 20:45 --------- d-----w c:\program files\Google
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-26 1261336]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Boot_Recovery.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Boot_Recovery.lnk
backup=c:\windows\pss\Boot_Recovery.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch.lnk
backup=c:\windows\pss\Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 05:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
--a------ 2008-08-06 10:30 20480 c:\program files\Google\Google EULA\GoogleEULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-12-19 18:08 159744 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-12-19 18:08 135168 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
--a------ 2008-08-07 22:57 684032 c:\program files\System Control Manager\MGSysCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-12-19 18:07 131072 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-04 01:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-26 97928]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-05-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-05-30 306176]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-26 76040]
R4 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-09-18 159744]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-26 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-26 231704]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-AntispywareBot - c:\program files\AntispywareBot\AntispywareBot.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 20:33:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-07 20:34:54
ComboFix-quarantined-files.txt 2009-01-07 20:34:52

Pre-Run: 65,373,855,744 bytes free
Post-Run: 65,484,034,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

208 --- E O F --- 2008-12-29 20:30:20

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:01:31 AM

Posted 07 January 2009 - 05:46 PM

Hello Tizzer,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

Folder::
c:\documents and settings\All Users\Application Data\supilime
c:\documents and settings\All Users\Application Data\lamisefi
c:\documents and settings\All Users\Application Data\yoguyutu
c:\documents and settings\All Users\Application Data\bulopazo
c:\documents and settings\All Users\Application Data\sisazibo
c:\documents and settings\All Users\Application Data\dezubebo
c:\documents and settings\All Users\Application Data\wuyojogi
c:\documents and settings\All Users\Application Data\ronihuni
c:\documents and settings\All Users\Application Data\kofirawa

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Still having problems?

Greetings,
Thunder
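The nine folders Thunder scripted for removal share one shape: eight lowercase letters alternating consonant and vowel, dropped in pairs and triples under All Users\Application Data within the same minute. As an added example (not from this thread, ComboFix or Thunder), the Python below pulls the <DIR> entries out of a ComboFix "Files Created" listing, flags names of that shape, counts how many flagged folders share a creation minute, and renders a Folder:: block in the CFScript form used above. The log excerpt is constructed from lines in this thread, and the name pattern is a heuristic assumed for this example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt in the format of the ComboFix "Files Created" section
# posted in this thread: the nine random-named folders plus legitimate
# entries (Malwarebytes, Lavasoft, WLInstaller, avg8, CyberLink) for contrast.
SAMPLE_LOG = r"""
2009-01-03 13:18 . 2009-01-03 13:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 13:18 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 13:16 . 2009-01-02 13:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 17:34 . 2009-01-02 00:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\supilime
2008-12-27 17:34 . 2008-12-28 15:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\lamisefi
2008-12-27 01:37 . 2008-12-27 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-26 21:18 . 2009-01-02 13:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\yoguyutu
2008-12-26 21:18 . 2009-01-02 13:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\bulopazo
2008-12-26 10:00 . 2008-12-26 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-26 09:18 . 2009-01-02 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\sisazibo
2008-12-26 09:18 . 2009-01-02 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\dezubebo
2008-12-26 09:13 . 2009-01-02 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\wuyojogi
2008-12-26 09:13 . 2008-12-28 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\ronihuni
2008-12-26 09:13 . 2009-01-02 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\kofirawa
2008-12-25 22:21 . 2008-12-25 22:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
"""

# One <DIR> line: created . modified <DIR> attributes path
DIR_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} <DIR> \S+ (?P<path>.+)$"
)
# Parent folder every one of the nine leftovers in this thread was created under.
APPDATA_PARENT = r"c:\documents and settings\all users\application data"
# Assumed heuristic: eight lowercase letters strictly alternating
# consonant/vowel, e.g. "supilime" or "kofirawa".
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")


def parse_dirs(log):
    """Return (created_timestamp, path) for every <DIR> line in the listing."""
    out = []
    for line in log.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            out.append((m.group("created"), m.group("path")))
    return out


def name_looks_random(name):
    """True when a folder name matches the assumed random-name shape."""
    return bool(RANDOM_NAME.match(name))


def find_suspicious(log):
    """Flag Application Data subfolders with random-looking names.

    Each hit records how many hits share its creation minute: the leftovers
    in this thread were dropped in pairs and triples, so a count above 1
    strengthens the verdict for a name that merely looks odd on its own.
    """
    candidates = []
    for created, path in parse_dirs(log):
        p = PureWindowsPath(path)
        if str(p.parent).lower() != APPDATA_PARENT:
            continue
        if name_looks_random(p.name):
            candidates.append((created, path))
    per_minute = Counter(created for created, _ in candidates)
    return [
        {"path": path, "created": created, "siblings": per_minute[created]}
        for created, path in candidates
    ]


def build_cfscript(hits):
    """Render the Folder:: block in the CFScript form used in this thread."""
    return "Folder::\n" + "\n".join(h["path"] for h in hits) + "\n"


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['created']}  siblings={h['siblings']}  {h['path']}")
    print(build_cfscript(hits))
```

The heuristic is deliberately narrow; treat a hit as a lead to confirm against the rest of the log, not as proof by itself.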

#5 Tizzer

Tizzer
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 08 January 2009 - 04:01 PM

Thunder, the problem is still evident but only on my nephew's account. I have an admin account on which it doesn't show; I mistakenly thought he wouldn't get into bother on a limited account. Is it not worth creating another account for him and deleting the problem one? Have any of the above steps sorted out the underlying problem? There is nothing on the nephew's account (apart from junk); he has only had it a day.

The second combofix log is...

ComboFix 09-01-07.01 - Admin 2009-01-08 20:32:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.501.258 [GMT 0:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\bulopazo
c:\documents and settings\All Users\Application Data\bulopazo\ozapolub.ini
c:\documents and settings\All Users\Application Data\dezubebo
c:\documents and settings\All Users\Application Data\dezubebo\obebuzed.ini
c:\documents and settings\All Users\Application Data\kofirawa
c:\documents and settings\All Users\Application Data\lamisefi
c:\documents and settings\All Users\Application Data\ronihuni
c:\documents and settings\All Users\Application Data\sisazibo
c:\documents and settings\All Users\Application Data\supilime
c:\documents and settings\All Users\Application Data\supilime\emilipus.ini
c:\documents and settings\All Users\Application Data\wuyojogi
c:\documents and settings\All Users\Application Data\yoguyutu

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-03 13:18 . 2009-01-03 13:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 13:18 . 2009-01-03 13:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 13:18 . 2009-01-03 13:18 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-01-03 13:18 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 13:18 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 12:48 . 2009-01-03 12:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 18:05 . 2009-01-02 18:05 109 --a------ c:\windows\wininit.ini
2009-01-02 13:16 . 2009-01-02 13:16 <DIR> d-------- c:\program files\Lavasoft
2009-01-02 13:16 . 2009-01-02 13:16 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-02 13:16 . 2009-01-02 13:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-02 13:15 . 2009-01-03 01:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 13:15 . 2009-01-03 01:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 00:56 . 2009-01-02 00:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-12-28 14:37 . 2008-10-16 20:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-28 14:37 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-28 14:37 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-28 14:37 . 2008-10-16 20:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-28 14:37 . 2008-10-16 20:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-28 14:37 . 2008-10-16 20:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-28 14:37 . 2008-10-16 20:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-28 14:37 . 2008-10-16 20:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-28 14:37 . 2008-10-16 13:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-28 14:02 . 2008-12-28 14:02 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-28 13:01 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-28 13:01 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-28 13:00 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-28 13:00 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-28 13:00 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-28 13:00 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-28 12:59 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-28 12:53 . 2008-12-29 20:22 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-27 17:34 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-27 17:34 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-27 17:34 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-27 01:43 . 2008-12-27 20:34 <DIR> d-------- c:\documents and settings\Admin\Contacts
2008-12-27 01:38 . 2008-12-27 01:39 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-27 01:37 . 2008-12-27 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-26 11:55 . 2009-01-02 18:45 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-26 10:09 . 2008-12-26 10:09 <DIR> d-------- c:\program files\VideoLAN
2008-12-26 10:00 . 2009-01-08 20:26 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-26 10:00 . 2008-12-26 10:00 <DIR> d-------- c:\program files\AVG
2008-12-26 10:00 . 2008-12-26 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-26 10:00 . 2008-12-26 10:00 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-26 10:00 . 2008-12-26 10:00 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-26 10:00 . 2008-12-26 10:00 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-25 22:21 . 2008-12-25 22:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2008-12-25 22:20 . 2008-12-25 22:20 <DIR> d--hs---- c:\documents and settings\Elliot Smallshaw\UserData
2008-12-25 22:15 . 2008-12-25 22:15 <DIR> d-------- c:\documents and settings\Elliot Smallshaw\Application Data\Nero
2008-12-25 21:36 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2008-12-25 21:36 . 2008-12-25 22:11 376 --a------ c:\windows\ODBC.INI
2008-12-25 21:34 . 2008-12-25 21:34 <DIR> d-------- c:\program files\Common Files\L&H
2008-12-25 21:33 . 2008-12-25 21:33 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-12-25 21:32 . 2008-12-25 22:02 <DIR> d-------- c:\windows\SHELLNEW
2008-12-25 21:31 . 2008-12-25 21:31 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-25 21:30 . 2008-12-25 21:30 <DIR> dr-h----- C:\MSOCache
2008-12-25 21:27 . 2008-12-25 21:27 <DIR> d-------- c:\documents and settings\Admin\Application Data\Nero
2008-12-25 21:23 . 2008-12-25 21:23 <DIR> d-------- c:\program files\Nero
2008-12-25 21:23 . 2008-12-25 21:25 <DIR> d-------- c:\program files\Common Files\Nero
2008-12-25 21:23 . 2008-12-25 21:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-25 20:06 . 2008-12-25 20:06 <DIR> d-------- c:\program files\D-Tools
2008-12-25 20:06 . 2004-08-22 16:31 155,136 --a------ c:\windows\system32\drivers\d347bus.sys
2008-12-25 20:06 . 2004-08-22 16:31 5,248 --a------ c:\windows\system32\drivers\d347prt.sys
2008-12-25 20:05 . 2008-12-25 20:05 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-25 20:01 . 2008-12-25 20:01 <DIR> d--hs---- c:\documents and settings\Admin\UserData
2008-12-25 19:17 . 2008-12-25 19:17 <DIR> d-------- c:\documents and settings\Admin\Application Data\vlc
2008-12-25 11:11 . 2008-09-10 17:30 <DIR> d-------- c:\documents and settings\Admin\Application Data\The TechGuys
2008-12-25 11:11 . 2008-05-30 15:24 <DIR> d-------- c:\documents and settings\Admin\Application Data\InstallShield
2008-12-25 11:11 . 2009-01-02 12:59 <DIR> d-------- c:\documents and settings\Admin
2008-12-25 10:53 . 2008-12-25 10:53 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-25 09:43 . 2008-09-10 17:30 <DIR> d-------- c:\documents and settings\Elliot Smallshaw\Application Data\The TechGuys
2008-12-25 09:43 . 2008-05-30 15:24 <DIR> d-------- c:\documents and settings\Elliot Smallshaw\Application Data\InstallShield
2008-12-25 09:43 . 2008-12-25 22:20 <DIR> d-------- c:\documents and settings\Elliot Smallshaw
2008-12-25 09:40 . 2008-12-25 09:40 8,192 --a------ c:\windows\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 13:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 14:06 --------- d-----w c:\program files\Microsoft Works
2008-12-25 20:45 --------- d-----w c:\program files\Google
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-26 1261336]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Boot_Recovery.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Boot_Recovery.lnk
backup=c:\windows\pss\Boot_Recovery.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch.lnk
backup=c:\windows\pss\Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 05:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
--a------ 2008-08-06 10:30 20480 c:\program files\Google\Google EULA\GoogleEULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-12-19 18:08 159744 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-12-19 18:08 135168 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
--a------ 2008-08-07 22:57 684032 c:\program files\System Control Manager\MGSysCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-12-19 18:07 131072 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-04 01:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-26 97928]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-05-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-05-30 306176]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-26 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-26 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-26 76040]
R4 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-09-18 159744]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 20:34:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-08 20:36:11
ComboFix-quarantined-files.txt 2009-01-08 20:36:07
ComboFix2.txt 2009-01-07 20:34:56

Pre-Run: 65,541,730,304 bytes free
Post-Run: 65,527,123,968 bytes free

206 --- E O F --- 2008-12-29 20:30:20

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:01:31 AM

Posted 09 January 2009 - 05:42 PM

Hello Tizzer,

The problem is still evident but only on my nephew's account. I have an admin account that doesn't show on. I mistakenly thought he wouldn't get into bother on a limited account. Is it not worth creating another account for him and deleting the problem one? Have any of the above steps sorted out the underlying problem? There is nothing on the nephew's account (apart from junk); he has only had it a day.


Your log looks fine now.

Removing your nephew's account would be the fastest way to deal with any problems left there, especially if he's the only one left with problems, and there's nothing worth saving on that account.

Another way to do this is upgrading the account to one with admin rights and running ComboFix from that one, although there's always a risk this may reinfect other accounts as well.

Your choice. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 Tizzer

Tizzer
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 12 January 2009 - 02:56 PM

Thanks a million Thunder. I have gone with a new account (and a clip around the ear), fingers crossed he lasts longer than 24 hours this time.

I appreciate all of your effort, thanks again.

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:01:31 AM

Posted 13 January 2009 - 03:35 AM

Glad we could help, Tizzer :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
