TechSpot

Norton IS reports Tracur Trojan activity after removing with Malewarebytes

By needtechpros
Aug 21, 2011
  1. Tracur Trojan activity keeps being blocked by Norton IS after I think I have removed the malware with Malwarebytes. Running XP Pro.

    Following are the scans from the Malwarebytes, GMER and DDS (DDS.txt) logs. (DDS did not produce an "Attach.txt"?)

    Thanks in advance for help.


    ---------------------
    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7531

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/21/2011 7:33:37 PM
    mbam-log-2011-08-21 (19-33-37).txt

    Scan type: Quick scan
    Objects scanned: 240182
    Time elapsed: 4 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\0200000070de5b951406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\0200000070de5b951406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\0200000070de5b951406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\0200000070de5b951406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    ---------------------------------------------
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-21 20:12:21
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD7501AALS-00E3A0 rev.05.01D05
    Running: 9rgqo3mr.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdipoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
    -------------------------------------
    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Run by Owner at 20:36:04 on 2011-08-21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2349 [GMT -7:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\FsUsbExService.Exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    C:\WINDOWS\system32\NLSSRV32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\WINDOWS\V0230Mon.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\SecCopy\SecCopy.exe
    C:\WINDOWS\system32\ctfmon.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: MakeItLive Plugin: {56361a71-4e9f-401d-9e12-8aeaa3d7a672} - c:\program files\makeitlive\makeitlive_toolbar.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: MakeItLive Plugin: {56361a71-4e9f-401d-9e12-8aeaa3d7a672} - c:\program files\makeitlive\makeitlive_toolbar.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Second Copy] "c:\program files\seccopy\SecCopy.exe" /InitialWait=10
    uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\phonet~1.lnk - c:\program files\classic phonetools\Phontool.exe
    IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\miff9c~1\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
    DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1204237991031
    DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intuitevents.webex.com/client/T27L/event/ieatgpc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE} : NameServer = 192.168.1.1
    Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\qb08\HelpAsyncPluggableProtocol.dll
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\qb09\HelpAsyncPluggableProtocol.dll
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\qb11\HelpAsyncPluggableProtocol.dll
    Handler: makeitlivechrome - {51472043-0170-45F9-BCCF-19FCFC676D18} - c:\program files\makeitlive\makeitlive_toolbar.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\nh0y3y1x.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\nh0y3y1x.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
    FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071502000008.dll
    FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\nh0y3y1x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: SignupShield: {D02B1E87-A8C6-433f-9B5C-2CEC4A072736} - %profile%\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: XULRunner: {F744F437-9DFE-49B7-8F52-52E970DE95D8} - c:\documents and settings\owner\local settings\application data\{F744F437-9DFE-49B7-8F52-52E970DE95D8}
    FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\owner\application data\Move Networks
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-9 64512]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\SymDS.sys [2011-8-13 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\SymEFA.sys [2011-8-13 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\bashdefs\20110812.001\BHDrvx86.sys [2011-8-15 815736]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\Ironx86.sys [2011-8-13 136312]
    R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-5-11 233472]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccSvcHst.exe [2011-8-13 130008]
    R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2011-3-21 196928]
    R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-3-21 68928]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-1-16 814728]
    R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2010-12-2 1251840]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-18 105592]
    R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-5-11 36608]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\ipsdefs\20110819.030\IDSXpx86.sys [2011-8-20 355256]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\virusdefs\20110821.003\NAVENG.SYS [2011-8-21 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\virusdefs\20110821.003\NAVEX15.SYS [2011-8-21 1576312]
    R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
    R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-9-29 500480]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-2-28 20160]
    S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-12-31 401920]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 2151640]
    S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -slacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -sLACERTEDB [?]
    S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\qb09\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\qb09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
    S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 12872]
    S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.exe -i lacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.EXE -i LACERTEDB [?]
    .
    =============== Created Last 30 ================
    .
    2011-08-20 18:12:51 0 ---ha-w- c:\documents and settings\owner\wfseaheqoi.tmp
    2011-08-16 18:10:14 -------- d-----w- C:\DriveKey
    2011-08-14 05:24:47 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-14 05:24:46 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    .
    ==================== Find3M ====================
    .
    2011-08-14 05:17:33 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-08-14 05:17:33 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-08-13 22:11:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-29 13:21:13 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 20:37:00.71 ===============
     
  2. Bobbye


    Welcome to TechSpot! It is rare that running one scan removes all malware entries. It is possible that if the source of the malware is still on the system, it may be activated again on a reboot.
    ------------------------------
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
      [o] Please Do not Attach logs or put in code boxes
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    DDS always produces 2 logs. Please search the system for Attach.txt. 'Attach' is a name only, so do not 'attach' the file; paste it in like you have done with the others and don't zip it. There is valuable information in that log which will help me help you.
    ==============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  3. needtechpros


    Update on Tracur Trojan after running DDS, Combofix and ESET

    Sorry it took so long to post again. Had to run some of this over night.

    Here are results. Thanks again!

    attach.txt, followed by Combofix log and ESET Scan log:

    ATTACH:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/28/2008 1:08:31 PM
    System Uptime: 8/21/2011 8:13:29 PM (14 hours ago)
    .
    Motherboard: Dell Inc. | | 0CT017
    Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Microprocessor | 2394/1066mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 699 GiB total, 459.469 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1313: 5/24/2011 12:33:34 PM - System Checkpoint
    RP1314: 5/25/2011 1:04:27 PM - System Checkpoint
    RP1315: 5/26/2011 1:33:47 PM - System Checkpoint
    RP1316: 5/26/2011 2:16:17 PM - Software Distribution Service 3.0
    RP1317: 5/27/2011 4:29:25 PM - System Checkpoint
    RP1318: 5/28/2011 4:29:42 PM - System Checkpoint
    RP1319: 5/29/2011 5:41:42 PM - System Checkpoint
    RP1320: 5/30/2011 6:29:42 PM - System Checkpoint
    RP1321: 5/31/2011 7:00:54 PM - System Checkpoint
    RP1322: 6/1/2011 7:44:35 PM - System Checkpoint
    RP1323: 6/2/2011 7:56:09 PM - System Checkpoint
    RP1324: 6/3/2011 8:08:09 PM - System Checkpoint
    RP1325: 6/5/2011 12:38:51 AM - System Checkpoint
    RP1326: 6/6/2011 1:44:27 AM - System Checkpoint
    RP1327: 6/7/2011 2:48:49 AM - System Checkpoint
    RP1328: 6/8/2011 3:22:08 AM - System Checkpoint
    RP1329: 6/9/2011 3:34:16 AM - System Checkpoint
    RP1330: 6/10/2011 4:34:16 AM - System Checkpoint
    RP1331: 6/11/2011 5:34:16 AM - System Checkpoint
    RP1332: 6/12/2011 6:34:17 AM - System Checkpoint
    RP1333: 6/13/2011 7:22:16 AM - System Checkpoint
    RP1334: 6/14/2011 11:26:21 AM - System Checkpoint
    RP1335: 6/15/2011 11:29:50 AM - System Checkpoint
    RP1336: 6/16/2011 12:13:12 PM - System Checkpoint
    RP1337: 6/17/2011 4:00:21 PM - System Checkpoint
    RP1338: 6/18/2011 5:51:46 PM - System Checkpoint
    RP1339: 6/19/2011 6:02:58 PM - System Checkpoint
    RP1340: 6/20/2011 6:48:56 PM - System Checkpoint
    RP1341: 6/21/2011 7:20:52 PM - System Checkpoint
    RP1342: 6/22/2011 7:27:15 PM - System Checkpoint
    RP1343: 6/23/2011 8:00:18 PM - System Checkpoint
    RP1344: 6/24/2011 9:00:19 PM - System Checkpoint
    RP1345: 6/25/2011 9:12:19 PM - System Checkpoint
    RP1346: 6/26/2011 10:00:18 PM - System Checkpoint
    RP1347: 6/27/2011 10:12:16 PM - System Checkpoint
    RP1348: 6/28/2011 11:12:19 PM - System Checkpoint
    RP1349: 6/30/2011 12:41:52 AM - System Checkpoint
    RP1350: 7/1/2011 12:55:04 AM - System Checkpoint
    RP1351: 7/2/2011 2:07:03 AM - System Checkpoint
    RP1352: 7/3/2011 2:55:03 AM - System Checkpoint
    RP1353: 7/4/2011 4:07:03 AM - System Checkpoint
    RP1354: 7/5/2011 5:07:03 AM - System Checkpoint
    RP1355: 7/6/2011 5:55:03 AM - System Checkpoint
    RP1356: 7/7/2011 5:57:55 AM - System Checkpoint
    RP1357: 7/8/2011 6:41:55 AM - System Checkpoint
    RP1358: 7/9/2011 7:17:26 AM - System Checkpoint
    RP1359: 7/10/2011 7:34:43 AM - System Checkpoint
    RP1360: 7/11/2011 8:22:43 AM - System Checkpoint
    RP1361: 7/12/2011 8:52:51 AM - System Checkpoint
    RP1362: 7/13/2011 2:22:09 PM - System Checkpoint
    RP1363: 7/14/2011 4:28:51 PM - System Checkpoint
    RP1364: 7/15/2011 5:54:53 PM - System Checkpoint
    RP1365: 7/16/2011 7:01:57 PM - System Checkpoint
    RP1366: 7/17/2011 7:54:30 PM - System Checkpoint
    RP1367: 7/18/2011 10:34:14 PM - System Checkpoint
    RP1368: 7/19/2011 11:37:53 PM - System Checkpoint
    RP1369: 7/21/2011 12:16:31 AM - System Checkpoint
    RP1370: 7/22/2011 12:16:59 AM - System Checkpoint
    RP1371: 7/23/2011 1:28:55 AM - System Checkpoint
    RP1372: 7/24/2011 1:50:34 AM - System Checkpoint
    RP1373: 7/25/2011 2:50:33 AM - System Checkpoint
    RP1374: 7/26/2011 4:02:34 AM - System Checkpoint
    RP1375: 7/27/2011 4:15:48 AM - System Checkpoint
    RP1376: 7/28/2011 4:27:56 AM - System Checkpoint
    RP1377: 7/29/2011 4:46:03 AM - System Checkpoint
    RP1378: 7/30/2011 5:34:04 AM - System Checkpoint
    RP1379: 7/31/2011 6:46:03 AM - System Checkpoint
    RP1380: 8/1/2011 7:34:03 AM - System Checkpoint
    RP1381: 8/2/2011 9:19:34 AM - System Checkpoint
    RP1382: 8/3/2011 9:56:00 AM - System Checkpoint
    RP1383: 8/4/2011 10:08:34 AM - System Checkpoint
    RP1384: 8/5/2011 12:11:30 PM - System Checkpoint
    RP1385: 8/6/2011 12:44:06 PM - System Checkpoint
    RP1386: 8/7/2011 1:13:02 PM - System Checkpoint
    RP1387: 8/8/2011 1:25:00 PM - System Checkpoint
    RP1388: 8/9/2011 1:38:01 PM - System Checkpoint
    RP1389: 8/10/2011 2:13:00 PM - System Checkpoint
    RP1390: 8/11/2011 2:25:00 PM - System Checkpoint
    RP1391: 8/12/2011 2:46:43 PM - System Checkpoint
    RP1392: 8/13/2011 10:26:55 PM - Software Distribution Service 3.0
    RP1393: 8/14/2011 10:44:51 PM - System Checkpoint
    RP1394: 8/15/2011 11:05:47 PM - System Checkpoint
    RP1395: 8/16/2011 11:10:14 AM - Installed HP USB Disk Storage Format Tool
    RP1396: 8/17/2011 11:19:58 AM - System Checkpoint
    RP1397: 8/18/2011 1:01:37 PM - System Checkpoint
    RP1398: 8/19/2011 1:47:22 PM - System Checkpoint
    RP1399: 8/20/2011 2:28:26 PM - System Checkpoint
    RP1400: 8/21/2011 3:03:52 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    2000 Lacerte Tax
    2001 Lacerte Tax
    2002 Lacerte Tax
    2003 Lacerte Tax
    2004 Lacerte Tax
    2005 Lacerte Tax
    2006 Lacerte Tax
    2007 Lacerte Tax
    2008 Lacerte Tax
    2009 Lacerte Tax
    2010 Lacerte Tax
    32 Bit HP BiDi Channel Components Installer
    7-Zip 4.65
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.3.0
    Adobe Shockwave Player 11
    Amazon Add to Wish List IE Extension 1.1
    Amazon Games & Software Downloader
    Amazon MP3 Downloader 1.0.12
    Amazon Unbox Video
    Apple Mobile Device Support
    ArcSoft PhotoStudio 5.5
    Audacity 1.2.3
    Avanquest update
    Boxee
    Canon MP Navigator 3.0
    Canon MP160
    Canon MP160 User Registration
    Canon My Printer
    CCleaner
    Classic PhoneTools
    CNET TechTracker
    Conexant D850 56K V.9x DFVc Modem
    Creative Live! Cam Video IM Pro Driver (1.01.03.0928)
    Critical Update for Windows Media Player 11 (KB959772)
    CRON-O-METER 0.9.7
    Defraggler
    Digital TV for PC 2.0
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    Document eSort Components
    doPDF 6.2 printer
    Easy-WebPrint
    Email Saver Xe 1.03
    Glary Registry Repair 3.3.0.852
    Glary Utilities 2.35.0.1216
    Google Chrome
    Google Updater
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp LaserJet 4200 Uninstaller
    HP USB Disk Storage Format Tool
    Infragisticsv62Install
    Intel(R) PRO Network Connections Drivers
    Intuit Runtime Components 6.0.16
    iTunes
    Java(TM) 6 Update 15
    JLC's Internet TV
    Lacerte Runtime Components
    Lacerte to Drake Conversion 7.5.6
    LAME v3.98.3 for Audacity
    MakeItLive Plugin
    Malwarebytes' Anti-Malware version 1.51.1.1800
    MediaMonkey 3.2
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Media Content
    Microsoft Office XP Small Business
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server Desktop Engine (LACERTEDB)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Miro
    Motorola Phone Tools
    Move Media Player
    Mozilla Firefox (3.6.15)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    Nitro PDF Professional
    Norton Internet Security
    NVIDIA Drivers
    Octoshape add-in for Adobe Flash Player
    OGA Notifier 2.0.0048.0
    OnlineLive
    OpenCASE Media Agent
    PC Connectivity Solution
    PCShowBuzz
    PDF-Viewer
    PhoneTools
    PowerDVD
    ProLine Tax Import
    QBFC 7.0
    QuickBooks
    QuickBooks Premier 2002: Accountant Edition
    QuickBooks Premier Edition 2006
    QuickBooks Premier: Accountant Edition 2003
    QuickBooks Premier: Accountant Edition 2004
    QuickBooks Premier: Accountant Edition 2005
    QuickBooks Premier: Accountant Edition 2007
    QuickBooks Premier: Accountant Edition 2008
    QuickBooks Premier: Accountant Edition 2009
    QuickBooks Premier: Accountant Edition 2010
    QuickBooks Premier: Accountant Edition 2011
    QuickBooks Pro 2000
    QuickBooks Pro 2001
    QuickTime
    RealPlayer
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio MyDVD DE
    SAMSUNG Mobile Composite Device Software
    SAMSUNG Mobile Modem Driver Set
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung New PC Studio
    SamsungConnectivityCableDriver
    ScanSoft OmniPage SE 4.0
    Second Copy 7
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    Skype™ 5.0
    Sonic Activation Module
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    SupportSoft Assisted Service
    Timeslips v11
    TV Player Pro v0.7
    UltraTax CS 2007
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Outlook 2007 Junk Email Filter (KB2508979)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    Veetle TV 0.9.17
    VideoLAN VLC media player 0.8.6d
    VisiPics V1.30
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Visual Studio 2005 Tools for Office Second Edition Runtime
    vShare Plugin
    WebEx
    WebFldrs XP
    Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
    Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
    Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Movie Maker 2.0
    Windows Presentation Foundation
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    Zune
    Zune Language Pack (ES)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/21/2011 8:11:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SRTSP SRTSPX SymIRON SYMTDI Tcpip
    8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/21/2011 8:10:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    8/21/2011 8:10:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    8/21/2011 8:10:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/21/2011 7:46:07 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 889c1000, parameter3 889c1828, parameter4 1b050000.
    8/21/2011 7:43:46 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 88ad5000, parameter3 88ad5828, parameter4 1b050000.
    8/21/2011 7:40:51 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 880b8388, parameter3 880b8bb0, parameter4 1b050004.
    8/21/2011 6:34:03 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
    8/21/2011 4:34:08 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/20/2011 8:34:06 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/20/2011 4:34:06 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/20/2011 2:34:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/20/2011 1:34:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/18/2011 10:59:03 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/18/2011 10:44:02 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    .
    ==== End Of File ===========================

    COMBOFIX LOG:
    ComboFix 11-08-22.03 - Owner 08/22/2011 11:23:07.10.4 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2657 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    ADS - WINDOWS: deleted 192 bytes in 1 streams.
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\defaults\preferences\xulcache.js
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\install.rdf
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\defaults\preferences\xulcache.js
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\install.rdf
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\defaults\preferences\xulcache.js
    c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\install.rdf
    c:\documents and settings\Owner\Application Data\OfferBox
    c:\documents and settings\Owner\Application Data\OfferBox\config.dat
    c:\documents and settings\Owner\Application Data\OfferBox\config.xml
    c:\documents and settings\Owner\My Documents\1017.pdf
    c:\documents and settings\Owner\wfseaheqoi.tmp
    c:\documents and settings\Owner\WINDOWS
    c:\timeslips\NAVEdit.exe
    c:\timeslips\PROCedit.exe
    c:\timeslips\TSIMport.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-22 to 2011-08-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-16 18:10 . 2011-08-16 18:10 -------- d-----w- C:\DriveKey
    2011-08-14 05:24 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-14 05:24 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-08-13 22:48 . 2011-08-13 22:48 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-13 22:11 . 2011-07-06 15:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-29 13:21 . 2011-02-09 16:30 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-07-15 13:29 . 2004-08-04 07:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2001-08-23 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-07 02:52 . 2011-06-01 01:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52 . 2011-06-01 01:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-24 14:10 . 2008-02-28 21:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-04 08:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 18:36 . 2004-08-04 08:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-04 08:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 12:05 . 2004-08-04 06:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-04 08:56 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-04 07:17 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
    2010-08-20 02:17 434288 ----a-w- c:\program files\MakeItLive\makeitlive_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"= "c:\program files\MakeItLive\makeitlive_toolbar.dll" [2010-08-20 434288]
    .
    [HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"= "c:\program files\MakeItLive\makeitlive_toolbar.dll" [2010-08-20 434288]
    .
    [HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Second Copy"="c:\program files\SecCopy\SecCopy.exe" [2007-10-17 2425856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-21 282624]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-11-10 1457928]
    "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    PhoneTools.lnk - c:\program files\Classic PhoneTools\Phontool.exe [2008-3-9 417792]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-02-09 20:57 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Intuit\\QB06\\QBDBMgrN.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Intuit\\QB07\\QBDBMgrN.exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\\Program Files\\Intuit\\QB08\\QBDBMgrN.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
    "c:\\Program Files\\Intuit\\QB09\\QBDBMgrN.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Boxee\\BOXEE.exe"=
    "c:\\Program Files\\3B Software\\Digital TV for PC\\WTV.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Intuit\\QB11\\QBDBMgrN.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2011 9:30 AM 64512]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SymDS.sys [8/13/2011 10:17 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SymEFA.sys [8/13/2011 10:17 PM 744568]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 4:55 PM 815736]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 67656]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.sys [8/13/2011 10:17 PM 136312]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [5/11/2009 4:46 PM 233472]
    S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [8/13/2011 10:17 PM 130008]
    S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17 AM 196928]
    S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [3/21/2011 11:17 AM 68928]
    S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [1/16/2008 3:57 PM 814728]
    S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [12/2/2010 2:02 PM 1251840]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2/28/2008 2:40 PM 20160]
    S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [12/31/2010 7:05 PM 401920]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2011 10:31 AM 105592]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/11/2009 4:46 PM 36608]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20110819.030\IDSXpx86.sys [8/20/2011 10:51 AM 355256]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 2:05 AM 2151640]
    S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
    S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
    S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 12872]
    S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]
    S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [3/24/2006 1:00 AM 6272]
    S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [9/29/2006 1:01 AM 500480]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-22 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-09-10 15:26]
    .
    2011-08-22 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-24 17:16]
    .
    2011-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1383384898-839522115-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 03:30]
    .
    2011-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1383384898-839522115-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 03:30]
    .
    2011-08-22 c:\windows\Tasks\User_Feed_Synchronization-{DC5C132A-E4F7-4419-8BD8-19760468EFCF}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
    Handler: makeitlivechrome - {51472043-0170-45F9-BCCF-19FCFC676D18} - c:\program files\MakeItLive\makeitlive_toolbar.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
    DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: SignupShield: {D02B1E87-A8C6-433f-9B5C-2CEC4A072736} - %profile%\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: XULRunner: {F744F437-9DFE-49B7-8F52-52E970DE95D8} - c:\documents and settings\Owner\Local Settings\Application Data\{F744F437-9DFE-49B7-8F52-52E970DE95D8}
    FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Owner\Application Data\Move Networks
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-22 11:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(256)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-08-22 11:36:06
    ComboFix-quarantined-files.txt 2011-08-22 18:36
    .
    Pre-Run: 499,477,209,088 bytes free
    Post-Run: 499,487,862,784 bytes free
    .
    - - End Of File - - C6C2CB1F02F8D8BE3AAC9F5B7A836368

    ESET Scan log:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\jgchaiepfmfhafpmdiobhfkadenoijck\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
    C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Free YouTube Downloader\FreeYouTubeDownloaderSetup v3.3.89 071311.exe multiple threats
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214024.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214025.manifest Win32/TrojanDownloader.Tracur.F trojan

    ------------------------

    Hope this helps.
     
  4. needtechpros

    needtechpros TS Rookie Topic Starter

    Trying to PM Bobbye to continue fix

    I can't PM Bobbye since I only have 2 (now 3) posts
     
  5. needtechpros

    needtechpros TS Rookie Topic Starter

    Bobbye are you out there?

    I guess I now have 4 posts (6 more to go and I can post a message to Bobbye).
    Anyone know another way to be allowed to post a PM or Visitor message?
    Thanks
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I got your PM. I am busy helping others who started before you. You only began the thread 1 day ago and you're getting impatient after an hour! I'll start you off but please refer back to this:
    ============================================
    You have 7 outdated versions of Java on the system. These are all vulnerabilities. Please run the following now:
    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important! ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===========================================
    The Java cache will have malware because of the outdated programs:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    ============================================
    There are only 2 active entries in Eset. Qoobox is the quarantine folder from Combofix and System Volume is the restore point, which we will remove at the end. Neither of these locations is a threat, unless you happen to do a system restore and pick those particular points.
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\jgchaiepfmfhafpmdiobhfkadenoijck\contentscript.js 
      C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Free YouTube Downloader\FreeYouTubeDownloaderSetup v3.3.89 071311.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =================================
    Questions and Comments
    Suspect that some of your downloads are from Torrent sites. That is a straight road to malware. It appears that you are in business and using this computer. I suggest that you do not frequent file sharing sites.
    ================================
    Can you give me some information on these? The first one has multiple entries in the Registry:
    1. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
    "c:\\Program Files\\Boxee\\BOXEE.exe"=
    2. 2010-08-20 02:17 434288 ----a-w- c:\program files\MakeItLive\makeitlive_toolbar.dll
    =============================
    The Adobe\Reader 8.0 is also out of date. The current version is v10. Please update now: Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities.
    ==============================
    Were you previously using AVG and didn't do an uninstall when you got Norton? Or are you just using this:
    AVG Anti-Spyware Guard

    ==============================
    I'll get back to you as soon as I can. It won't be until tomorrow as I am very busy helping others.
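The triage the helper does on the ESET log above (Qoobox and System Volume Information hits are leftovers, the rest are live) as a small script. This is an added example, not code from this thread or from ESET; the OTM quarantine path and the assumption that a detection name never contains spaces are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: four lines copied from the ESET log posted in this thread.
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\jgchaiepfmfhafpmdiobhfkadenoijck\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Free YouTube Downloader\FreeYouTubeDownloaderSetup v3.3.89 071311.exe multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan
"""

# Locations whose hits are not live threats: quarantine folders written by the
# cleanup tools used in this thread (ComboFix, OTM/OTMoveIt) and System Restore
# snapshots. The OTM path pattern is an assumption, not taken from the thread.
_QUARANTINE = [
    re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I),
    re.compile(r"^[a-z]:\\_otm(oveit)?\\movedfiles\\", re.I),
]
_RESTORE = re.compile(r"^[a-z]:\\system volume information\\_restore", re.I)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    location: str  # "active", "quarantine" or "restore-point"


def classify_location(path: str) -> str:
    """Decide whether a detected file is live, quarantined, or in a restore point."""
    if any(p.match(path) for p in _QUARANTINE):
        return "quarantine"
    if _RESTORE.match(path):
        return "restore-point"
    return "active"


def parse_line(line: str):
    """Split one ESET log line into a Detection; None for blank or unparseable lines."""
    line = line.strip()
    if not line:
        return None
    if line.lower().endswith(" multiple threats"):
        path = line[: -len(" multiple threats")]
        threat = "multiple threats"
    else:
        # Assumption: detection names carry no spaces (Win32/TrojanDownloader.Tracur.F)
        # and the type is one word (trojan), so the path is everything before the
        # last two tokens. Paths with spaces, like the .exe above, survive this.
        parts = line.rsplit(" ", 2)
        if len(parts) != 3 or "/" not in parts[1]:
            return None
        path, name, kind = parts
        threat = f"{name} {kind}"
    return Detection(path=path, threat=threat, location=classify_location(path))


def triage(log_text: str) -> dict:
    """Group detections by location so live hits stand apart from leftovers."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        det = parse_line(line)
        if det is not None:
            groups[det.location].append(det)
    return dict(groups)


def summarize(groups: dict) -> str:
    """Human-readable summary, active entries first."""
    out = []
    for loc in ("active", "quarantine", "restore-point"):
        dets = groups.get(loc, [])
        out.append(f"{loc}: {len(dets)}")
        out.extend(f"  {d.threat}  <-  {d.path}" for d in dets)
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_ESET_LOG)))
```

Only the "active" group needs a removal step; the other two groups disappear when the quarantine folders and old restore points are cleared at the end of the cleanup.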
     
  7. needtechpros

    needtechpros TS Rookie Topic Starter

    Ran OTM, results posted

    Thanks for your patience with me. I didn't think my PM went through and didn't know how to contact you.

    Here is the file created by OTM. - I made a couple of notes on things I had deleted prior to running this. Sorry, just very nervous about malware/viruses.

    See answers to your questions following the log file.

    --------------------

    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User <--- [I had already deleted this ( had issues with Chrome, so uninstalled it and deleted some related files (sorry- can you tell I freak out when there is malware)]
    Data\Default\Default\jgchaiepfmfhafpmdiobhfkadenoijck\contentscript.js not found.
    File/Folder C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Free YouTube Downloader\FreeYouTubeDownloaderSetup v3.3.89 071311.exe not found. <---- [This one I had already deleted. Had just downloaded from download.cnet.com, hadn't installed it yet.]

    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 83 bytes

    User: All Users

    User: b

    User: b.Q24A
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 83 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 83 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner
    ->Temp folder emptied: 268567408 bytes
    ->Temporary Internet Files folder emptied: 44135520 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 1144 bytes

    User: QBDataServiceUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 83 bytes

    User: QBDataServiceUser19
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 83 bytes

    User: QBDataServiceUser20
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 83 bytes

    User: user

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2142714 bytes
    %systemroot%\System32 .tmp files removed: 1894400 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 24192 bytes
    Windows Temp folder emptied: 33251 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 302.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 08242011_192917

    Files moved on Reboot...
    File C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_df4.dat not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_1dc.dat not found!

    Registry entries deleted on Reboot...
    ----------------------------
    I had downloaded from a Torrent site - not doing that anymore.
    --------------
    Registry:
    1. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
    "c:\\Program Files\\Boxee\\BOXEE.exe"=
    2. 2010-08-20 02:17 434288 ----a-w- c:\program files\MakeItLive\makeitlive_toolbar.dll

    I think both above registry entries have something to do with watching TV / movies on my PC. I don't do that anymore, so ok with me if these should both be removed.

    I probably should remove old TV related programs. But.... I promise I won't do anymore removing until after you are finished helping me.
    --------------
    I removed Reader 8.0 and installed v10.
    -------------
    Were you previously using AVG and didn't do an uninstall when you got Norton? Or are you just using this> AVG Anti-Spyware Guard

    I did install AVG at one time, but no longer use it. I don't see it in my Add/Remove programs list anymore. Just use Norton IS (installed) and then once every few weeks run (free versions) of CCleaner, Glary Utilities, Spybot, Malwarebytes, Ad-Aware and sometimes Super Anti-virus. ---I know, stop laughing. Overkill? They all seem to find different things. Any suggestions on what I should or shouldn't run? Do bi-weekly scans make sense?
    --------------
    Thanks again for all your help.

    I will wait for your reply.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please don't make comments within a log. If you want to add information about an entry, do it at the end, but out of the log. Entries that aren't found often have been moved in a previous program. I understand this. If I have any doubt at all about an entry, I will ask you about it- rather than you trying to explain it.
    ======================================
    Notes on Security:
    1. Per the Combofix instructions, these should be disabled when running the scan:
    AV: Norton Internet Security *Enabled/Updated*
    FW: Norton Internet Security *Enabled*
    2. I don't recommend running both AdAware and Spybot S&D. AdAware has AdWatch and Spybot S&D has Tea Timer. They are both real-time scanners. If you run them both, there is a possibility of a conflict. If you paid for AdAware, I recommend you let the subscription expire and keep Spybot S&D. But I don't recommend running Tea Timer.

    Notes on Quickbooks:
    Since you are running a business, I strongly recommend that you look into this on the Intuit site:
    You have multiple versions of the QB Download Manager loading: 6,7,8,9,10,11,19,20. You also show the install of the following:
    Service or driver for DB 19 and 20
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    *****Are these multiple versions for different businesses? Or have you just not updated?*****
    ===============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    
    DDS::
    Handler: makeitlivechrome - {51472043-0170-45F9-BCCF-19FCFC676D18} - c:\program files\MakeItLive\makeitlive_toolbar.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"=-
    [HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"=-
    [HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
    [HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Second Copy"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Boxee\\BOXEE.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Open Firefox> Tools> Addons> Plugins> Find Java v6u13, u14, u15 and u16 and delete them.
    ===================
    I'll give you some security tips when we're through. I'm removing Registry entries for the AVG Antispyware. That may be enough. If it isn't, I'll give you a tool to run to remove it.
     
  9. needtechpros

    needtechpros TS Rookie Topic Starter

    ComboFix log

    ComboFix 11-08-25.01 - Owner 08/25/2011 17:58:42.13.4 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2739 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    ADS - WINDOWS: deleted 192 bytes in 1 streams.
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mootools.svn.js
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\pffcenter.html
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\pffCenter.js
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\reviewDialog.html
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\reviewNotesPopUp.html
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\taskNotesDialog.html
    c:\program files\MakeItLive\makeitlive_toolbar.dll
    c:\windows\system32\comct332.ocx
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-25 03:39 . 2011-08-25 03:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-08-25 02:29 . 2011-08-25 02:29 -------- d-----w- C:\_OTM
    2011-08-25 02:25 . 2011-08-25 02:25 -------- d-----w- c:\program files\Common Files\Java
    2011-08-25 02:25 . 2011-08-25 02:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-22 18:51 . 2011-08-22 18:51 -------- d-----w- c:\program files\ESET
    2011-08-16 18:10 . 2011-08-16 18:10 -------- d-----w- C:\DriveKey
    2011-08-14 05:24 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-14 05:24 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-08-13 22:48 . 2011-08-13 22:48 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-25 03:58 . 2011-07-06 15:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-25 02:25 . 2009-03-10 20:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-29 13:21 . 2011-02-09 16:30 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-07-15 13:29 . 2004-08-04 07:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2001-08-23 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-07 02:52 . 2011-06-01 01:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52 . 2011-06-01 01:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-24 14:10 . 2008-02-28 21:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-04 08:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 18:36 . 2004-08-04 08:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-04 08:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 12:05 . 2004-08-04 06:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-04 08:56 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-04 07:17 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-21 282624]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-11-10 1457928]
    "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    PhoneTools.lnk - c:\program files\Classic PhoneTools\Phontool.exe [2008-3-9 417792]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-02-09 20:57 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Intuit\\QB06\\QBDBMgrN.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Intuit\\QB07\\QBDBMgrN.exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\\Program Files\\Intuit\\QB08\\QBDBMgrN.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
    "c:\\Program Files\\Intuit\\QB09\\QBDBMgrN.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Boxee\\BOXEE.exe"=
    "c:\\Program Files\\3B Software\\Digital TV for PC\\WTV.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Intuit\\QB11\\QBDBMgrN.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2011 9:30 AM 64512]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SymDS.sys [8/13/2011 10:17 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SymEFA.sys [8/13/2011 10:17 PM 744568]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 4:55 PM 815736]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 67656]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.sys [8/13/2011 10:17 PM 136312]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [5/11/2009 4:46 PM 233472]
    S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [8/13/2011 10:17 PM 130008]
    S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17 AM 196928]
    S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [3/21/2011 11:17 AM 68928]
    S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [1/16/2008 3:57 PM 814728]
    S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [12/2/2010 2:02 PM 1251840]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2/28/2008 2:40 PM 20160]
    S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [12/31/2010 7:05 PM 401920]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2011 10:31 AM 105592]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/11/2009 4:46 PM 36608]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20110822.031\IDSXpx86.sys [8/23/2011 12:17 AM 356280]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 2:05 AM 2151640]
    S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
    S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
    S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 12872]
    S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]
    S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [3/24/2006 1:00 AM 6272]
    S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [9/29/2006 1:01 AM 500480]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-26 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-09-10 01:47]
    .
    2011-08-25 c:\windows\Tasks\User_Feed_Synchronization-{DC5C132A-E4F7-4419-8BD8-19760468EFCF}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
    DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{56361A71-4E9F-401D-9E12-8AEAA3D7A672} - c:\program files\MakeItLive\makeitlive_toolbar.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-25 18:07
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(676)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-08-25 18:10:12
    ComboFix-quarantined-files.txt 2011-08-26 01:10
    ComboFix2.txt 2011-08-23 03:30
    ComboFix3.txt 2011-08-22 18:36
    .
    Pre-Run: 498,972,426,240 bytes free
    Post-Run: 498,996,989,952 bytes free
    .
    - - End Of File - - 2AE4BBA4540B303A503F5C59C2BDA899
    ------------------------

    I only use the free versions of scanners - except Norton IS.
    I don't run AdWatch or Tea Timer and I run AdAware and Spybot at separate times. i.e. I don't think I am running any real time scanners except NIS.

    I have all of those versions of Quickbooks installed. I have clients running different versions, so if I want to restore my changes back to their system, I need to run the same version of QB.

    I don't think I need old QB versions download managers - I will check intuit site.

    The install that just shows QuickBooks may be the 2006 edition, since I know that is installed and not showing.

    I don't know what QBFC 7.0 is but it is a QB program (it might link some other software to QB?)

    I don't understand the following:
    Service or driver for DB 19 and 20
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll


    *****Are these multiple versions for different businesses. Or have you just not updated?******
    Yes multiple versions of QB


    ====================
    Open Firefox> Tools> Addons> Plugins> Find Java v6u13, u14, u15 and u16 and delete them.
    ===================
    Can't do, I previously removed Firefox.

    Thanks again. Seems like we are getting there.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem with QB. I had to ask because some users just keep updating programs but don't understand that many don't overwrite and they need to remove them. Examples are Java and Adobe Reader.

    This is the 'handler':
    CLSID: {FC598A64-626C-4447-85B8-53150405FD57}
    Name: qbwc
    File Name: %SYSDIR%\mscoree.dll
    Description: QuickBooks_WebConnector
    L Protocol> Legitimate protocol

    I will leave any QuickBook programs or files up to you to make changes, if any, after you check Intuit.
    ========================================
    Will you please update and run the Eset scan again? Leave entire log if there are any entries found.
    =======================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  11. needtechpros

    needtechpros TS Rookie Topic Starter

    Eset and HijackThis ran

    Here are the logs:

    C:\Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe a variant of Win32/InstallCore.B application
    C:\Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe a variant of Win32/InstallCore.B application
    C:\Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe a variant of Win32/InstallCore.B application
    C:\Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe a variant of Win32/InstallCore.B application
    C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Revo Uninstaller\cnet_RevoUninProSetup_exe v1.93 081311.exe a variant of Win32/InstallCore.B application
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214024.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214025.manifest Win32/TrojanDownloader.Tracur.F trojan

    -------------------------

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:12:28 AM, on 8/27/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
    O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe
    O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: PhoneTools.lnk = C:\Program Files\Classic PhoneTools\Phontool.exe
    O9 - Extra button: Add to Wish List - {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files\Amazon\Add to Wish List IE Extension\run.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIFF9C~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1204237991031
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhtt....69.14.226_47979&=&req=1264998944592OneCC.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} (05PrepInstall) - https://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intuitevents.webex.com/client/T27L/event/ieatgpc.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QB08\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QB09\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files\Intuit\QB11\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QBIDPService (QBVSS) - Unknown owner - C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QB06\QBDBMgrN.exe
    O23 - Service: QuickBooksDB19 - Intuit, Inc. - C:\PROGRA~1\Intuit\QB09\QBDBMgrN.exe
    O23 - Service: QuickBooksDB20 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

    --
    End of file - 11414 bytes

    ----------------------

    Had to run Eset in safe mode. Eset would report something like "can't get proxy"; it wouldn't update from the internet. I left the computer in safe mode when running HijackThis.

    Thanks
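    A first triage pass over HijackThis log lines, added here as an illustration and not part of this thread or of the HijackThis tool: it parses the O-section entries in the format shown above and flags the kinds of lines a helper looks at first (registrations whose file is missing, the Winsock LSP entry, services with an unknown owner, autoruns that give no full path). The sample lines are constructed from the log format posted above; the flag wording is an assumption of the example, not HijackThis output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis log format posted above:
# "<O-section> - <type>: <details>".  Only O-section lines are parsed.
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O23 - Service: QBIDPService (QBVSS) - Unknown owner - C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
"""

# "O18 - Protocol: qbwc - ..."  ->  section "O18", kind "Protocol", rest
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


@dataclass
class Entry:
    section: str            # e.g. "O18"
    kind: str               # e.g. "Protocol" or "HKLM\..\Run"
    detail: str             # remainder of the line
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per O-section line; R0/R1 and other lines are ignored."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def triage(entries):
    """Attach review flags to entries; this only points at what to look at,
    it does not decide what to remove."""
    for e in entries:
        low = e.detail.lower()
        if "(file missing)" in low or "(no file)" in low:
            e.flags.append("registered file not on disk: confirm whether the owning program is still installed")
        if e.section == "O10":
            e.flags.append("Winsock LSP entry: verify the DLL before touching the LSP chain")
        if e.section == "O23" and "unknown owner" in low:
            e.flags.append("service with no recognised publisher: check the file's signature")
        if e.section == "O4" and not re.search(r"[a-z]:\\", low):
            e.flags.append("autorun without a full path: locate the binary actually being started")
    return entries


def flagged_entries(text):
    """(section, flags) for every entry that earned at least one flag."""
    return [(e.section, e.flags) for e in triage(parse_hjt(text)) if e.flags]


if __name__ == "__main__":
    for section, flags in flagged_entries(SAMPLE_HJT):
        print(section, "->", "; ".join(flags))
```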
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It is best that you let me know if you have a problem before going around it. The proxy can be handled rather than reverting to Safe Mode:
    Handle the proxy this way:
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    =================================================
    Since it appears that you use cnet for downloads, I'd like you to go to their forum or support and post that you are also getting the Win32/InstallCore.B reported as malware from their downloads. I checked several threads and many were mentioning this, but there was no notice that it was a False Positive. It is reported as malware by several AV programs. Many download screens have pre-checked boxes for bundled toolbars and browser helper objects. IF you do not uncheck them, they will load with the program and they have nothing to do with the program.
    ================================================
    Considering the amount of financial information you have on your system, you should be very careful what you're putting on it. And since these are new, it appears that you are downloading while we are cleaning. Please don't do that.
    ============================================
    Please download OTMoveIt by Old Timer and save to your desktop.

    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe 
      C:\Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe 
      C:\Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe 
      C:\Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe 
      C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\RevoUninstaller\cnet_RevoUninProSetup_exe v1.93 081311.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\documents and settings\owner\wfseaheqoi.tmp
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Boxee\\BOXEE.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Reboot the computer. The proxy problem should be resolved. Update and rescan with Eset in Normal Mode. Leave the entire log in the next reply

    The Qoobox entries in Eset are from the folder where Combofix puts the quarantined entries. They are not active on the system and will be removed when you uninstall Combofix.

    The System Volume entries are restore points. They are not active in the system and will be removed at the end of the cleaning.
     
  13. needtechpros

    needtechpros TS Rookie Topic Starter

    more logs

    Went to options in IE and "Use proxy server for your Lan" was already unchecked.
    Scans are working in regular mode for some reason.

    Tried finding support at cnet downloads, couldn't find out anything about Win32/InstallCore.B. Didn't see support?
    Tried Google, no real luck. Looks like a few (Eset) AV programs do report a possible problem but couldn't find out more than that.
    I see people complaining that CNet/download.com has just recently added things to installers like asking you to install a toolbar, etc to many of their downloads.

    I will stop using Cnet (at least until they change their policies). Win32/InstallCore.B was associated with "Revo Uninstaller" and other downloads from cnet.

    Since I had just downloaded, but not installed, the program "Revo Uninstaller", I deleted it (still in Recycle bin), rebooted and then ran Eset.
    i.e., I ran OTMoveIt and ComboFix, then deleted the install program for "Revo Uninstaller", then ran Eset.
    I believe that Win32/InstallCore.B was a false positive and not a virus. It is showing up in most recent cnet downloads.

    I was able to run OTMoveIt3 OK. However, when ComboFix finished I had a Windows error and had to reboot.

    Error signature
    BCCode : 19 BCP1 : 00000020 BCP2 : 884513E0 BCP3 : 884517F8
    BCP4 : 1A830001 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

    Don't know if above helps?
    Couldn't find or print the .tmp files that Windows said were created as a result of the error.

    Eset run with settings as before: unchecked 'Remove found threats', checked 'Scan archives'.

    Logs following - OTMoveit, Combofix and Eset:

    ----------------

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe moved successfully.
    C:\Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe moved successfully.
    C:\Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe moved successfully.
    C:\Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe moved successfully.
    File/Folder C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\RevoUninstaller\cnet_RevoUninProSetup_exe v1.93 081311.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: b

    User: b.Q24A
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56468 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner
    ->Temp folder emptied: 73882 bytes
    ->Temporary Internet Files folder emptied: 47733383 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 1798 bytes

    User: QBDataServiceUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: QBDataServiceUser19
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: QBDataServiceUser20
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: user

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 193085440 bytes

    Total Files Cleaned = 230.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 08292011_084419

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_a8.dat not found!

    Registry entries deleted on Reboot...

    -------------------

    ComboFix 11-08-29.03 - Owner 08/29/2011 9:58:48.15.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2250 [GMT -7:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    FILE ::
    "c:\documents and settings\owner\wfseaheqoi.tmp"


    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))


    2011-08-27 14:10:51 . 2011-08-27 14:12:28 -------- d-----w- C:\HijackThis
    2011-08-25 03:39:19 . 2011-08-25 03:39:19 -------- d-----w- C:\Program Files\Common Files\Adobe AIR
    2011-08-25 02:29:17 . 2011-08-25 02:29:17 -------- d-----w- C:\_OTM
    2011-08-25 02:25:36 . 2011-08-25 02:25:36 -------- d-----w- C:\Program Files\Common Files\Java
    2011-08-25 02:25:26 . 2011-08-25 02:25:11 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
    2011-08-22 18:51:01 . 2011-08-22 18:51:01 -------- d-----w- C:\Program Files\ESET
    2011-08-16 18:10:14 . 2011-08-16 18:10:14 -------- d-----w- C:\DriveKey
    2011-08-14 05:24:47 . 2011-06-24 14:10:36 139656 -c----w- C:\WINDOWS\system32\dllcache\rdpwd.sys
    2011-08-14 05:24:46 . 2011-04-21 13:37:43 105472 -c----w- C:\WINDOWS\system32\dllcache\mup.sys
    2011-08-13 22:48:21 . 2011-08-13 22:48:23 -------- d-----w- C:\Documents and Settings\Administrator
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-08-25 03:58:00 . 2011-07-06 15:44:35 404640 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    2011-08-25 02:25:12 . 2009-03-10 20:21:34 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
    2011-07-29 13:21:13 . 2011-02-09 16:30:44 101720 ----a-w- C:\WINDOWS\system32\drivers\SBREDrv.sys
    2011-07-15 13:29:31 . 2004-08-04 07:15:18 456320 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 . 2001-08-23 12:00:00 10496 ----a-w- C:\WINDOWS\system32\drivers\ndistapi.sys
    2011-07-07 02:52:42 . 2011-06-01 01:43:12 41272 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52:42 . 2011-06-01 01:43:08 22712 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
    2011-06-24 14:10:36 . 2008-02-28 21:03:59 139656 ----a-w- C:\WINDOWS\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 . 2004-08-04 08:56:58 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
    2011-06-23 18:36:30 . 2004-08-04 08:56:48 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
    2011-06-23 18:36:30 . 2004-08-04 08:56:44 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
    2011-06-23 12:05:13 . 2004-08-04 06:59:58 385024 ----a-w- C:\WINDOWS\system32\html.iec
    2011-06-20 17:44:52 . 2004-08-04 08:56:48 293376 ----a-w- C:\WINDOWS\system32\winsrv.dll
    2011-06-02 14:02:05 . 2004-08-04 07:17:42 1858944 ----a-w- C:\WINDOWS\system32\win32k.sys


    ((((((((((((((((((((((((((((( SnapShot@2011-08-26_01.07.25 )))))))))))))))))))))))))))))))))))))))))

    + 2011-08-29 16:32:14 . 2011-08-29 16:32:14 16384 C:\WINDOWS\temp\Perflib_Perfdata_768.dat
    + 2011-08-29 15:46:04 . 2011-08-29 15:46:04 16384 C:\WINDOWS\temp\Perflib_Perfdata_728.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-21 00:00:04 282624]
    "PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 19:56:08 124200]
    "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 19:22:16 221184]
    "V0230Mon.exe"="C:\WINDOWS\V0230Mon.exe" [2006-09-07 08:01:00 32768]
    "Intuit SyncManager"="C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-11-10 13:17:54 1457928]
    "AmazonGSDownloaderTray"="C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 20:31:44 326144]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 09:07:00 8491008]
    "DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 18:56:16 1230704]
    "SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 20:06:06 254696]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 19:55:28 937920]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PhoneTools.lnk - C:\Program Files\Classic PhoneTools\Phontool.exe [2008-3-9 417792]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-02-09 20:57:17 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe"
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "C:\\Program Files\\Intuit\\QB06\\QBDBMgrN.exe"=
    "C:\\WINDOWS\\system32\\mmc.exe"=
    "C:\\Program Files\\Intuit\\QB07\\QBDBMgrN.exe"=
    "C:\\WINDOWS\\system32\\msiexec.exe"=
    "C:\\Program Files\\Intuit\\QB08\\QBDBMgrN.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
    "C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
    "C:\\Program Files\\Intuit\\QB09\\QBDBMgrN.exe"=
    "C:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    "C:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "C:\\Program Files\\Boxee\\BOXEE.exe"=
    "C:\\Program Files\\3B Software\\Digital TV for PC\\WTV.exe"=
    "C:\\WINDOWS\\system32\\java.exe"=
    "C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\Intuit\\QB11\\QBDBMgrN.exe"=

    R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [2/9/2011 9:30:49 AM 64512]
    R0 SymDS;Symantec Data Store;C:\WINDOWS\system32\drivers\NIS\1206000.01D\SymDS.sys [8/13/2011 10:17:24 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1206000.01D\SymEFA.sys [8/13/2011 10:17:24 PM 744568]
    R1 BHDrvx86;BHDrvx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 4:55:18 PM 815736]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33:36 AM 12872]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33:36 AM 67656]
    R1 SymIRON;Symantec Iron Driver;C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.sys [8/13/2011 10:17:24 PM 136312]
    R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [5/11/2009 4:46:31 PM 233472]
    R2 NIS;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [8/13/2011 10:17:16 PM 130008]
    R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17:44 AM 196928]
    R2 nlsX86cc;NLS Service;C:\WINDOWS\system32\NLSSRV32.EXE [3/21/2011 11:17:56 AM 68928]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [1/16/2008 3:57:26 PM 814728]
    R2 QBVSS;QBIDPService;C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [12/2/2010 2:02:36 PM 1251840]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2011 10:31:09 AM 105592]
    R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [5/11/2009 4:46:31 PM 36608]
    R3 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20110826.030\IDSXpx86.sys [8/27/2011 7:37:33 AM 356280]
    R3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\drivers\V0230Vfx.sys [3/24/2006 1:00:00 AM 6272]
    R3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\drivers\V0230VID.sys [9/29/2006 1:01:00 AM 500480]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\drivers\ADM8511.SYS [2/28/2008 2:40:22 PM 20160]
    S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [12/31/2010 7:05:09 PM 401920]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 2:05:32 AM 2151640]
    S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
    S3 QuickBooksDB19;QuickBooksDB19;C:\PROGRA~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 --> C:\PROGRA~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
    S3 QuickBooksDB20;QuickBooksDB20;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
    S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33:38 AM 12872]
    S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FSUSBEXDISK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    Contents of the 'Scheduled Tasks' folder

    2011-08-29 C:\WINDOWS\Tasks\GlaryInitialize.job
    - C:\Program Files\Glary Utilities\initialize.exe [2009-09-10 15:56:24 . 2011-08-10 01:47:26]

    2011-08-29 C:\WINDOWS\Tasks\User_Feed_Synchronization-{DC5C132A-E4F7-4419-8BD8-19760468EFCF}.job
    - C:\WINDOWS\system32\msfeedssync.exe [2007-08-14 02:36:40 . 2009-03-08 11:31:54]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
    DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab

    -----------------
    Eset:

    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\RECYCLER\S-1-5-21-2000478354-1383384898-839522115-1003\Dc1.exe a variant of Win32/InstallCore.B application
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214024.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214025.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe a variant of Win32/InstallCore.B application
    C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe a variant of Win32/InstallCore.B application
    C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe a variant of Win32/InstallCore.B application
    C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe a variant of Win32/InstallCore.B application
    -------

    Thanks. Work your magic...
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sometimes I wish I could work magic! But my wand doesn't zap away everything!

    Eset looks good. Nothing new or active. We do need to take out the trash though! The Recycler is the folder where the deleted items from the Recycle Bin are sent.
    The 2 important things in doing this are: 1. The Recycle Bin itself must be empty and 2. Since the Recycler is a hidden, protected system file, hidden files and folders must show.
    • Open Windows Explorer (right click on Start> Explore)> then go to Tools> Folder Options> View tab>
    • Check 'Show hidden files and folders'> Uncheck 'Hide protected system files (Recommended)'. Confirm Yes when you get the message.
    • Then click on Apply> OK.
    • Go down to the Recycle Bin itself and empty it.
    • Then double click on Recycler which will now be unhidden.
    • Look on right screen for SID S-1-5-21-2000478354-1383384898-839522115-1003> do a right click> Delete.
    Go back and rehide the files and folders and protected system files when done.
    ---------------------------------------------
    Once in a while this won't work and you'll get a message about it being in use. Don't let this bother you if it happens. Try it again at some other time, going through the same steps.
    ---------------------------------------------
    Qoobox entries are Combofix quarantined files which will be removed when we uninstall Combofix.
    System Volume entries are restore points which I will have to drop and set a new, clean one when we finish the cleaning.
    ====================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Boxee\\BOXEE.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Since you ran HijackThis in Safe Mode with Networking I'd like you to run it again in Normal Mode. That should finish you up and I'll have you remove the cleaning tools.
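    Bobbye's point that the Qoobox, System Volume Information, _OTM and RECYCLER hits are leftovers of earlier cleanup steps rather than running code is the triage rule a responder applies to every post-cleanup scan. As an added example (not from the thread, and not ESET's or ComboFix's code), this Python parser reads ESET result lines in the format posted above and separates hits in those holding areas from hits in live locations; the last sample line is constructed, not from the thread, to exercise the live-location branch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One ESET Online Scanner result line as shown in the thread:
#   <path> <detection> <kind>
# The path may contain spaces, so the detection is anchored on the
# "Family/Name" signature token and the kind is the final word.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\S)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9_-]+/\S+)\s+"
    r"(?P<kind>\w+)$"
)

# Holding areas the helper explains in the thread: files here are copies
# left by earlier cleanup steps, not code that runs. (substring, label)
HOLDING_AREAS = [
    ("\\qoobox\\quarantine\\", "ComboFix quarantine (removed when ComboFix is uninstalled)"),
    ("\\system volume information\\_restore", "System Restore point (cleared when restore points are reset)"),
    ("\\_otm\\movedfiles\\", "OTM moved-files folder (inactive copy)"),
    ("\\recycler\\", "Recycle Bin storage (delete the SID folder after emptying the bin)"),
]
LIVE = "live file system location"


@dataclass
class Hit:
    path: str
    detection: str
    kind: str        # "trojan", "application" (potentially unwanted), ...
    location: str
    active: bool     # True when the file sits outside every holding area


def parse_line(line: str) -> Optional[Hit]:
    """Parse one ESET result line; return None for lines that are not hits."""
    m = ESET_LINE.match(line.strip())
    if not m:
        return None
    path, detection, kind = m.group("path"), m.group("detection"), m.group("kind")
    lowered = path.lower()
    for needle, label in HOLDING_AREAS:
        if needle in lowered:
            return Hit(path, detection, kind, label, False)
    # Anything outside the holding areas may still be live and needs a look.
    return Hit(path, detection, kind, LIVE, True)


def triage(log_text: str) -> List[Hit]:
    return [h for h in (parse_line(l) for l in log_text.splitlines()) if h]


def active_hits(hits: List[Hit]) -> List[Hit]:
    return [h for h in hits if h.active]


def summarize(hits: List[Hit]) -> dict:
    """Count hits per location label, the way a helper reads the log."""
    counts: dict = {}
    for h in hits:
        counts[h.location] = counts.get(h.location, 0) + 1
    return counts


SAMPLE_LOG = "\n".join([
    # Lines copied from the ESET log posted in the thread.
    r"C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan",
    r"C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan",
    r"C:\RECYCLER\S-1-5-21-2000478354-1383384898-839522115-1003\Dc1.exe a variant of Win32/InstallCore.B application",
    r"C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan",
    r"C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe a variant of Win32/InstallCore.B application",
    # Constructed line (not from the thread): same signature, but in a live temp folder.
    r"C:\Documents and Settings\Owner\Local Settings\Temp\constructed_sample.exe JS/Agent.NDJ trojan",
    "Scan completed",  # non-result line, ignored by the parser
])

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for label, n in summarize(found).items():
        print(f"{n:2d}  {label}")
    for h in active_hits(found):
        print("ACTIVE:", h.detection, h.kind, "->", h.path)
```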
     
  15. needtechpros

    needtechpros TS Rookie Topic Starter

    Haven't been able to delete

    I haven't been able to delete S-1-5-21-2000478354-1383384898-839522115-1003.

    I have tried often, with no other (visible) programs running.

    Any thoughts? Should I perform the other tasks without deleting?

    Thanks
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem. It will get overwritten. I've had problems occasionally too. Go ahead with the rest.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you want to continue?
     
Topic Status:
Not open for further replies.
