
help with cid and other pop ups - HJT log included


Comments

  • angelfire
    angelfire Posts: 866 Forumite
    I've completely removed the log-on I set up for my daughter, as she had files on there - photos and music that she'd downloaded from her phone, from friends who use LimeWire and all sorts. There was little on there as she's only used it for a few days, so I thought it best to just remove her log-on completely, sort the laptop out and then start again from scratch....

    Unsure what to try next though - still have CID pop-ups and the system is slow...
  • Browntoa
    Browntoa Posts: 49,334 Forumite
    Next download ComboFix : Double click combofix.exe & follow the prompts.

    Note >> Do not mouseclick combofix's window while it's running. That may cause it to stall.

    When finished, it will produce a log for you. The report is called ComboFix.txt.

    Post that log in your next reply along
    Ex forum ambassador

    Long term forum member
  • angelfire
    angelfire Posts: 866 Forumite
    Browntoa wrote: »
    Next download ComboFix : Double click combofix.exe & follow the prompts.

    Note >> Do not mouseclick combofix's window while it's running. That may cause it to stall.

    When finished, it will produce a log for you. The report is called ComboFix.txt.

    Post that log in your next reply along

    I've tried to download and run this but get a message up on screen saying that I'm unable to change its name? Then it stops and there is no log file?
  • Browntoa
    Browntoa Posts: 49,334 Forumite
    guide here and more links

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    whoops, must check cut and paste !!
    Ex forum ambassador

    Long term forum member
  • leosayer39
    leosayer39 Posts: 478 Forumite
    Browntoa wrote: »
    guide here and more links

    Browntoa, No clicky links there.

    Leo
    Don't you just love freshly congealed pig's blood, with a bit of fat in :D
  • angelfire
    angelfire Posts: 866 Forumite
    Okay, after muchos faffing around, here is the combofix log!

    ComboFix 08-12-31.01 - Charlie-Dee 2009-01-01 13:31:26.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.189 [GMT 0:00]
    Running from: c:\documents and settings\Charlie-Dee\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run
    .
    c:\windows\system32\a.exe
    c:\windows\system32\obokodip.ini
    c:\windows\system32\pidokobo.dll
    c:\windows\system32\wifufulu.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
    .
    2009-01-01 13:14 . 2009-01-01 13:14 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-01-01 11:10 . 2009-01-01 11:10 <DIR> d-------- C:\NoLopBackups
    2008-12-30 21:10 . 2008-12-30 21:10 <DIR> d-------- c:\program files\Trend Micro
    2008-12-30 20:15 . 2008-12-30 20:15 <DIR> d-------- c:\documents and settings\Charlie-Dee\Application Data\Malwarebytes
    2008-12-30 20:12 . 2008-10-16 20:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
    2008-12-30 20:12 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
    2008-12-30 20:12 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
    2008-12-30 20:12 . 2008-10-16 20:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
    2008-12-30 20:12 . 2008-10-16 20:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
    2008-12-30 20:12 . 2008-10-16 20:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
    2008-12-30 20:12 . 2008-10-16 20:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
    2008-12-30 20:12 . 2008-10-16 20:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
    2008-12-30 20:12 . 2008-10-16 13:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-30 19:39 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2008-12-30 19:39 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
    2008-12-30 19:39 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2008-12-26 13:36 . 2008-12-26 13:36 <DIR> d-------- c:\documents and settings\Charlie-Dee\Contacts
    2008-12-26 13:09 . 2008-12-26 13:34 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
    2008-12-26 13:01 . 2008-12-26 13:01 <DIR> d-------- c:\documents and settings\Charlie-Dee\Application Data\MSNInstaller
    2008-12-25 15:13 . 2008-12-25 15:13 <DIR> d-------- c:\documents and settings\Charlie-Dee_2\Application Data\Apple Computer
    2008-12-25 10:10 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
    2008-12-25 09:55 . 2008-12-30 21:11 <DIR> d-------- c:\documents and settings\Charlie-Dee\Application Data\AVGTOOLBAR
    2008-12-25 09:52 . 2008-12-26 13:36 <DIR> d-------- c:\documents and settings\Charlie-Dee
    2008-12-25 09:03 . 2008-12-25 10:05 <DIR> d-------- c:\documents and settings\Charlie-Dee_2\Application Data\AVGTOOLBAR
    2008-12-25 09:01 . 2009-01-01 12:27 <DIR> d-------- c:\documents and settings\Charlie-Dee_2
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-01 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2008-12-26 13:05 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
    2008-12-25 09:01 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-21 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-21 14:05 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-11-21 14:04 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-21 13:41 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2008-11-21 13:41 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2008-11-21 13:41 10,520 ----a-w c:\windows\system32\avgrsstx.dll
    2008-11-21 13:41 --------- d-----w c:\program files\AVG
    2008-11-21 13:02 --------- d-----w c:\program files\Messenger Plus! Live
    2008-11-20 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
    2008-11-20 20:38 --------- d-----w c:\documents and settings\All Users\Application Data\Long slow road itch
    2008-11-20 20:37 --------- d-----w c:\program files\Glue Fork Mix
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
    "Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-08-01 1093632]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
    "PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 1077327]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
    "ROAD ITCH AMOK PING"="c:\documents and settings\All Users\Application Data\Long slow road itch\jugs sect.exe" [2009-01-01 9551360]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-26 1261336]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "CFSServ.exe"="CFSServ.exe" [BU]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-21 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-21 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-21 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-21 76040]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-08-04 211200]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-01-01 c:\windows\Tasks\A7089902918B0FC2.job
    - c:\docume~1\admini~1\applic~1\gluefo~1\readme soft curb.exe []
    2008-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
    .
    - - - - ORPHANS REMOVED - - - -
    BHO-{cc7e2566-0a2a-4938-9f04-69dbd6deaa63} - c:\windows\system32\refemope.dll
    HKLM-Run-Workflow - D:\Workflow.exe
    HKLM-Run-fejehapofo - c:\windows\system32\heridoga.dll

    .
    Supplementary Scan
    .
    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-01 13:33:22
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(516)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-01-01 13:34:24
    ComboFix-quarantined-files.txt 2009-01-01 13:34:20
    Pre-Run: 30,927,220,736 bytes free
    Post-Run: 30,915,735,552 bytes free
    144 --- E O F --- 2009-01-01 13:15:42

    I had to run the log without disabling AVG 8.0, simply because every time I did, the ComboFix seemed to stop running. I then aborted, rebooted and tried to uninstall AVG completely, but it wouldn't let me for some reason. So the ComboFix has run and produced this log with AVG still on. Hope this is OK?
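    The log above is what a helper reads by eye: the "Reg Loading Points" section lists every autostart, and the suspicious ones are the entries launching from All Users\Application Data under a folder of random words (the Lop/CID pattern), plus the [BU] entries, which ComboFix prints when a value is a bare filename it could not resolve to a file (the two here are Toshiba tools, so [BU] means "check it", not "malicious"). As an added example, not ComboFix's code and not part of the thread, the script below parses lines in ComboFix's "name"="target" [date size] format and applies those three heuristics. The sample text is constructed from entries quoted in the log above; the function names are my own and the script assumes PowerShell 3 or later.

```powershell
# Added example (not ComboFix's code, not from the thread): triage the "Reg Loading Points"
# section of a ComboFix-style log. Each hit is a reason to look at the file, not proof of malware.

# Constructed sample, copied from entries in the log above, in ComboFix's own line format.
$sampleLog = @'
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"ROAD ITCH AMOK PING"="c:\documents and settings\All Users\Application Data\Long slow road itch\jugs sect.exe" [2009-01-01 9551360]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-26 1261336]
"NDSTray.exe"="NDSTray.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
'@

function Get-RunEntry {
    # Parse "[key]" headers and the "name"="target" [meta] lines beneath them into objects.
    param([string[]]$Lines)
    $key = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(?<key>[^\]]+)\]$') { $key = $Matches['key']; continue }
        if ($line -match '^"(?<name>[^"]+)"="(?<target>[^"]*)"\s*\[(?<meta>[^\]]*)\]') {
            [pscustomobject]@{
                Key    = $key
                Name   = $Matches['name']
                Target = $Matches['target']
                Meta   = $Matches['meta']   # "date size" for a resolved file, "BU" for a bare name
            }
        }
    }
}

function Get-SuspicionReason {
    # Emits zero or more reason strings for one entry. Heuristics only.
    param([pscustomobject]$Entry)
    $target = $Entry.Target.ToLowerInvariant()

    # Programs auto-starting from a user profile or Application Data directory: user-writable
    # locations that legitimate machine-wide autostarts rarely use, and where Lop/CID installs itself.
    if ($target -match '\\documents and settings\\|\\application data\\') {
        'starts from a user-writable profile directory'
    }
    # Value names built from unrelated capitalised dictionary words, as Lop generates them.
    # -cmatch keeps this case-sensitive so "Toshiba Hotkey Utility" is not flagged.
    if ($Entry.Name -cmatch '^([A-Z]{2,}\s+){2,}[A-Z]{2,}$') {
        'value name is a string of random words'
    }
    # Bare filename with no path: ComboFix could not find the file, so locate it by hand.
    if ($Entry.Meta -eq 'BU') {
        'bare filename, not resolved to a file on disk'
    }
}

function Find-SuspiciousAutostart {
    param([string]$LogText)
    foreach ($entry in Get-RunEntry -Lines ($LogText -split "`r?`n")) {
        $reasons = @(Get-SuspicionReason -Entry $entry)
        if ($reasons.Count -gt 0) {
            $entry | Add-Member -MemberType NoteProperty -Name Reasons -Value ($reasons -join '; ') -PassThru
        }
    }
}

# On the sample this reports "ROAD ITCH AMOK PING" (two reasons) and "NDSTray.exe" (bare name).
Find-SuspiciousAutostart -LogText $sampleLog | Format-Table Name, Target, Reasons -AutoSize
```

    To use it on a real log, read the file with Get-Content -Raw and pass the text as -LogText; the same "Reg Loading Points" format also covers the HKEY_CURRENT_USER and .DEFAULT hives, so one pass sees all of them.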
  • angelfire
    angelfire Posts: 866 Forumite
    OK, I've had a little surf around and 'touch wood', it seems to be running much better now with no pop-ups etc. Before I give the laptop back to my daughter though, I could really do with some advice on what protection to install on it and rules for her using it.

    I really believe that her downloading infected files from her and other people's phones is what has caused a lot of the problems I've just encountered. This, together with the installation of MSN Messenger. So, my first rule will be not to download anything from hers or anyone else's phone. The second, no MSN Messenger.

    Other than this, what else should I do? As I've said before, it's running AVG 8.0 and AVG Anti-Spyware. Are these okay? Or should I use something different?

    I want to keep this passworded admin log-on for myself and set her up with her own log-on again - are there any precautions I should take with this - parental controls and such?

    I would really like to thank everyone who has helped me with this; your advice and time spent helping is very much appreciated and this machine would definitely have been chucked through the window without you!
  • thomas01155
    thomas01155 Posts: 2,366 Forumite
    I would uninstall AVG and install AntiVir instead: http://www.filehippo.com/download_antivir/

    Make her account a limited user so she can't install anything on her account.

    Trillian can be used instead of MSN:
    http://www.filehippo.com/download_trillian/

    Install SpywareBlaster, update it, then press Enable All Protection on the protection status screen.
    http://www.filehippo.com/download_spywareblaster/

    You could install MSN but make sure not to install MSN Plus, which is how you got CID (the sponsor).
  • Browntoa
    Browntoa Posts: 49,334 Forumite
    Boot to safe mode:

    http://www.pchell.com/support/safemode.shtml

    Log on using the Administrator user that appears only in safe mode and password that as well (don't forget the password), otherwise a savvy teenager can go in and alter their profile settings from limited ;)
    Ex forum ambassador

    Long term forum member
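    The two pieces of advice above (make the daughter's account a limited user, and put a password on the built-in Administrator so the limitation cannot be undone from that account) amount to a short procedure. As an added example, not from the thread, here it is as a PowerShell script built on the classic net user / net localgroup commands, which exist from XP through current Windows. It assumes an administrator (elevated) PowerShell session; the account name is a placeholder, and both passwords are prompted for at the console rather than written into the script. The two helper functions are my own.

```powershell
# Added example, not from the thread: create a limited (non-administrator) account, password
# the built-in Administrator, and verify the result before handing the machine back.
# Assumes an elevated PowerShell session and the "net" commands that ship with Windows.

$childAccount = 'daughter'   # placeholder account name; choose your own

function Get-LocalGroupMember {
    # Parse member names out of "net localgroup <group>" output. Newer systems also have a
    # built-in Get-LocalGroupMember cmdlet; "net" is used here because it works on XP as well.
    param([string]$Group)
    $raw = net localgroup $Group
    $inMembers = $false
    foreach ($line in $raw) {
        if ($line -match '^-{5,}$') { $inMembers = $true; continue }   # separator above the list
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) { $line.Trim() }
    }
}

function Test-LimitedAccount {
    # True when the account is a member of Users and NOT a member of Administrators.
    param([string]$Name)
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    $users  = @(Get-LocalGroupMember -Group 'Users')
    return ($users -contains $Name) -and -not ($admins -contains $Name)
}

# 1. Create the account. The '*' makes "net user" prompt for the password instead of echoing it.
net user $childAccount * /add

# 2. A "limited user" in XP's User Accounts applet is simply a member of Users and nothing else.
net localgroup Users $childAccount /add
net localgroup Administrators $childAccount /delete 2>$null   # no-op if it was never a member

# 3. Password the built-in Administrator, the account that only appears at the safe-mode logon on XP.
net user Administrator *

# 4. Verify before the laptop goes back.
if (Test-LimitedAccount -Name $childAccount) {
    Write-Host "$childAccount is a limited user (in Users, not in Administrators)."
} else {
    Write-Warning "$childAccount is not correctly limited; check group membership before handing back."
}
```

    The verification step matters more than the creation step: an account created through the GUI can quietly end up in Administrators, and Test-LimitedAccount is the check that catches it.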
  • angelfire
    angelfire Posts: 866 Forumite
    Browntoa wrote: »
    Boot to safe mode:

    http://www.pchell.com/support/safemode.shtml

    Log on using the Administrator user that appears only in safe mode and password that as well (don't forget the password), otherwise a savvy teenager can go in and alter their profile settings from limited ;)

    Fab, thanks for this! Right, so I've installed AntiVir, already had Spybot S&D, and I've installed Comodo Firewall - told it I didn't want anti-virus and it has installed the firewall and Defence Plus. The Defence Plus bit isn't anti-virus, is it? If so, do I need to uninstall it?