WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] abetterintrnt

Started by jrduck1 , Jun 01 2008 01:43 PM

This topic is locked

39 replies to this topic

#31 DFW

Authentic Member

Visiting Fellow
170 posts

Posted 19 June 2008 - 12:51 PM

Hi james, we are getting there.

I'd like you to check a file for Viruses.

Go to VirusTotal or Jotti's

C:\WINDOWS\Drivers\AD1981B\mcrh.tmp

Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.

Run Combofix

Very Important!, before running Combofix Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\WINDOWS\Drivers\AD1981B\crba.tmp 
C:\WINDOWS\Drivers\AD1981B\crba.ini

Registry:: 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6}]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Reboot your system, then run HJT and create a new log.

Please post the new HJT Log
Result of file scan
Combofix log

Member of UNITE and ASAP

Advertisements

Register to Remove

#32 jrduck1

Authentic Member

Authentic Member
27 posts

Posted 19 June 2008 - 03:43 PM

HJT log Per post #31 scans

Logfile of HijackThis v1.99.1
Scan saved at 5:34:37 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Admin\Application Data\Mozilla\Profiles\default\7bd40tps.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] "C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 360Share On Startup.lnk = C:\Program Files\360Share\Gui\360Share.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {0E5A40E7-1D73-4B1F-BB71-69C59B80C205} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Virus Total Scan Result of file.

C:\WINDOWS\Drivers\AD1981B\mcrh.tmp

C:\WINDOWS\Drivers\AD1981B\mcrh.tmp
File mcrh.tmp received on 06.19.2008 22:38:59 (CET)
Current status: finished
Result: 0/33 (0%)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CF Log
ComboFix 08-06-08.8 - Admin 2008-06-19 16:54:47.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.165 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Drivers\AD1981B\crba.ini
C:\WINDOWS\Drivers\AD1981B\crba.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Drivers\AD1981B\crba.ini
C:\WINDOWS\Drivers\AD1981B\crba.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-18 14:41 . 2008-06-18 14:41 <DIR> d-------- C:\Program Files\CCleaner
2008-06-18 14:01 . 2008-06-18 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-18 08:56 . 2008-06-18 08:56 <DIR> d-------- C:\Program Files\Avira
2008-06-18 08:56 . 2008-06-18 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-18 08:46 . 2008-06-18 08:46 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-18 08:46 . 2008-06-18 08:46 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-06-18 08:32 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-17 08:41 . 2008-06-17 08:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 08:41 . 2008-06-17 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 08:41 . 2008-06-17 08:41 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-06-17 08:41 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 08:41 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 07:45 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 09:23 . 2008-06-08 09:23 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-06-03 12:40 . 2008-06-03 12:40 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-03 12:39 . 2008-06-03 12:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 01:36 . 2008-06-03 01:36 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-06-03 01:36 . 2008-06-03 01:36 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-02 21:58 . 2008-06-08 12:53 8 --a------ C:\WINDOWS\msoffice.ini
2008-05-31 15:39 . 2008-05-31 15:39 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-30 11:28 . 2008-05-30 11:34 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2008-05-30 11:14 . 2008-06-02 15:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 10:41 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-30 10:41 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-30 10:41 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-30 10:41 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-30 10:41 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-30 10:41 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-30 10:41 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-30 10:41 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-30 10:41 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-29 09:20 . 2008-05-29 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 08:36 . 2008-06-08 12:39 53,924 --a------ C:\VETlog.dmp
2008-05-28 14:10 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-28 12:41 . 2008-05-31 11:24 <DIR> d-------- C:\mcafee_mcpr
2008-05-28 12:29 . 2008-06-09 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-28 12:23 . 2008-06-08 12:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AOL
2008-05-28 09:02 . 2007-06-15 04:12 1,498,112 --a------ C:\WINDOWS\system32\shdocvw.bak
2008-05-28 09:01 . 2003-08-27 11:24 1,044,480 --a------ C:\WINDOWS\system32\roboex32.dll
2008-05-28 09:01 . 2003-08-27 11:24 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2008-05-28 09:01 . 2003-08-27 11:22 29,184 --a------ C:\WINDOWS\system32\popup.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 21:00 --------- d-----w C:\Program Files\Plaxo
2008-06-18 17:33 --------- d-----w C:\Program Files\Yahoo!
2008-06-18 17:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\MSN6
2008-06-18 12:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-18 12:32 --------- d-----w C:\Program Files\Java
2008-06-08 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-08 16:05 --------- d-----w C:\Program Files\Flock
2008-06-08 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-03 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-02 14:32 --------- d-----w C:\Documents and Settings\Admin\Application Data\Flock
2008-06-02 14:24 --------- d-----w C:\Program Files\IrfanView
2008-06-02 14:22 --------- d-----w C:\Program Files\Google
2008-05-29 15:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2006-01-23 15:24 128,656 ---ha-w C:\Documents and Settings\Admin\Application Data\ptads.bin
2005-08-16 03:09 2,729 ---h--w C:\Documents and Settings\All Users\Application Data\mssaru.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-18_23.17.40.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 03:07:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 21:00:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42 183367]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 10:00 176183]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 14:29 40960]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 07:36 135168]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08 28672]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 13:22 45056]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\system32\rundll32.exe]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2004-02-04 15:33 294912]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 03:56 50176]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2002-06-20 06:28 725046]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 21:25 28739]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-11 21:53 180269]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"FilmLoop"="C:\Program Files\FilmLoop Player\FilmLoop.exe" [2006-07-25 21:10 3719168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"PhotoExplosionCalCheck"="C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe" [2006-05-10 12:32 69632]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 14:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 03:22:40 757760]
MTV Networks Video Optimizer.lnk - C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe [2005-04-01 12:19:34 221184]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 18:08:08 57344]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-05-11 22:28:05 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\CCleaner\\CCleaner.exe"=

R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 20:32]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 19:57]

.
Contents of the 'Scheduled Tasks' folder
"2004-08-07 03:50:00 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2004-08-12 02:20:00 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2004-08-22 03:50:00 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-06-19 20:16:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 17:01:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehsched.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\eHome\ehrec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
.
**************************************************************************
.
Completion time: 2008-06-19 17:10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 21:10:44
ComboFix2.txt 2008-06-19 03:18:03
ComboFix3.txt 2008-06-17 12:32:11
ComboFix4.txt 2008-06-09 16:19:13
ComboFix5.txt 2008-06-06 13:21:27

Pre-Run: 213,607,616,512 bytes free
Post-Run: 213,589,880,832 bytes free

192 --- E O F --- 2008-06-18 07:03:18
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Glad to hear we are getting there, this is a pain. But learning alot.

Thanks James

#33 DFW

Authentic Member

Visiting Fellow
170 posts

Posted 20 June 2008 - 01:38 AM

Hi James, your logs are good and you are clean, How is your system running, if everything is ok carry on with cleaning up and adding some more protection from the instructions below,
If not please post back before you do anything.

we just need to clean up a little, also add a little more protection, and then you are good to go.

I would keep CCleaner and run it every few days, to keep your system free of useless files, also keep Malwarebytes Anti-Malware, update
it and run a full scan once a week or more if required.

UNINSTALL COMBOFIX

Click START then RUN
Now type Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

You can also delete any logs we have produced, and empty your Recycle bin.

You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this site. http://surfthenetsaf.../ieseczone8.htm

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

You need to be a little carefull in what you download and install, before you install a program search online to see what experience
other users have had with it, also a very good program that you can install is EULAlyzer 1.2 from the makers of spyware blaster,
It works by Analyze license agreements of software for interesting words and phrases, before you install the software,
Here's the link and some more information on it.

http://www.javacools.../eulalyzer.html

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately,
reboot your computer, and revisit the site until there are no more critical updates.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Please post back letting me know all went ok with this.

Happy surfing

Member of UNITE and ASAP

#34 jrduck1

Authentic Member

Authentic Member
27 posts

Posted 20 June 2008 - 05:30 AM

Ok Thank You very much, I will do all this and post back after I reboot and enable all firewalls and protections, run scans and see what all shows up. just wanted to to know what all I should delete off here, Glad we got it done, suppose to start a new job on Monday maybe if the interview goes well. I will be giving it back to my sister, she is not very computer savy. So how bad was it, me and my sister want to know how bad it was on a scale of 1 to 10, 10 being worst. It says to install SP3, but I was a little leary of that, what do you think, or should I just stay with SP2. Can I delete the recovery console icon that's on the desktop that we installed or leave it? since we saved the file to the desktop and dragged it onto the ComboFix icon, will it delete the console also off the computer or just the icon. The same ? with the Malwaebytes -(mbam-setup) icon that we put on the desktop. Should I leave HJT on here or delete it and the icons on the desktop. Thanks James

#35 jrduck1

Authentic Member

Authentic Member
27 posts

Posted 20 June 2008 - 05:35 AM

CCleaner still will not update when I click on the (check for update) button on the bottom right of the CCleaner window, it takes me to a blank Windows Internet Explorer window, but does nothing, why is this. Thanks, James

#36 DFW

Authentic Member

Visiting Fellow
170 posts

Posted 20 June 2008 - 06:39 AM

Hi James

CCleaner will only update when there is a update for the program it's self, I do not know why you are taken to a blank page when trying
to update, mine is working fine, this is the page it should take you to, please click on the link, to see if you can veiw it.

http://www.ccleaner....2.06.567&l=1033

When it comes to SP3, a lot of people have updated and lots have not, some are waiting until any bugs are ironed out, it up to you if you
update or not, just check with your hardware and software vender's websites for any bugs beforehand.

Yes delete the recovery console download from the desktop, it will not affect the Recovery console it's self,
I would leave that installed, same with mbam-setup.

With HJT I would remove it if the system is going back to your sister, just go to add/remove and remove HJT,
Delete it's icon from the desktop and the installer if it's still there.

Member of UNITE and ASAP

#37 DFW

Authentic Member

Visiting Fellow
170 posts

Posted 21 June 2008 - 08:57 AM

Hi James How are getting on with the clean up.

Member of UNITE and ASAP

#38 jrduck1

Authentic Member

Authentic Member
27 posts

Posted 21 June 2008 - 01:31 PM

I'm all done with the Sony, I'm putting it back together and going to call my sister to come get it, if were done with it. Do you feel like doing my Gateway 570NX laptop next, it is running slow now also, might be because of ll the surfing I did to fix hers. Thanks for all your help, James.

#39 DFW

Authentic Member

Visiting Fellow
170 posts

Posted 21 June 2008 - 04:50 PM

Hi James

Sure I have a look at your Gateway, but you will need to start a new Topic, Give it a title something like "jrduck1 2nd Log For DFW" Post a Highjackthis log and I will keep it up, I be offline now for about 10 hours now.

Member of UNITE and ASAP

#40 DFW

Authentic Member

Visiting Fellow
170 posts

Posted 21 June 2008 - 04:51 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Member of UNITE and ASAP

Body Background

skin color theme