[Inactive] Norton IS reports Tracur Trojan activity after removing with Malewarebytes

needtechpros · Aug 21, 2011

Tracur Trojan Activity keeps being blocked by Norton IS after I think I have removed the malware with Malewarebytes. Runing XP Pro.

Following are scans from Malwarebytes GMER log and DDS log DDS.txt. (DDS did not produce an "Attache.txt"?)

Thanks in advance for help.

---------------------
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7531

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/21/2011 7:33:37 PM
mbam-log-2011-08-21 (19-33-37).txt

Scan type: Quick scan
Objects scanned: 240182
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\0200000070de5b951406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000070de5b951406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000070de5b951406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000070de5b951406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
---------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-21 20:12:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD7501AALS-00E3A0 rev.05.01D05
Running: 9rgqo3mr.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdipoc.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
-------------------------------------
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by Owner at 20:36:04 on 2011-08-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2349 [GMT -7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\V0230Mon.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: MakeItLive Plugin: {56361a71-4e9f-401d-9e12-8aeaa3d7a672} - c:\program files\makeitlive\makeitlive_toolbar.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: MakeItLive Plugin: {56361a71-4e9f-401d-9e12-8aeaa3d7a672} - c:\program files\makeitlive\makeitlive_toolbar.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Second Copy] "c:\program files\seccopy\SecCopy.exe" /InitialWait=10
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\phonet~1.lnk - c:\program files\classic phonetools\Phontool.exe
IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\miff9c~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1204237991031
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intuitevents.webex.com/client/T27L/event/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE} : NameServer = 192.168.1.1
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\qb08\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\qb09\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\qb11\HelpAsyncPluggableProtocol.dll
Handler: makeitlivechrome - {51472043-0170-45F9-BCCF-19FCFC676D18} - c:\program files\makeitlive\makeitlive_toolbar.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\nh0y3y1x.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\nh0y3y1x.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\nh0y3y1x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: SignupShield: {D02B1E87-A8C6-433f-9B5C-2CEC4A072736} - %profile%\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {F744F437-9DFE-49B7-8F52-52E970DE95D8} - c:\documents and settings\owner\local settings\application data\{F744F437-9DFE-49B7-8F52-52E970DE95D8}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\owner\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-9 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\SymDS.sys [2011-8-13 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\SymEFA.sys [2011-8-13 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\bashdefs\20110812.001\BHDrvx86.sys [2011-8-15 815736]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\Ironx86.sys [2011-8-13 136312]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-5-11 233472]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccSvcHst.exe [2011-8-13 130008]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2011-3-21 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-3-21 68928]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-1-16 814728]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2010-12-2 1251840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-18 105592]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-5-11 36608]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\ipsdefs\20110819.030\IDSXpx86.sys [2011-8-20 355256]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\virusdefs\20110821.003\NAVENG.SYS [2011-8-21 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\virusdefs\20110821.003\NAVEX15.SYS [2011-8-21 1576312]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-9-29 500480]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-2-28 20160]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-12-31 401920]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 2151640]
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -slacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -sLACERTEDB [?]
S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\qb09\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\qb09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 12872]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.exe -i lacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.EXE -i LACERTEDB [?]
.
=============== Created Last 30 ================
.
2011-08-20 18:12:51 0 ---ha-w- c:\documents and settings\owner\wfseaheqoi.tmp
2011-08-16 18:10:14 -------- d-----w- C:\DriveKey
2011-08-14 05:24:47 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-14 05:24:46 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-08-14 05:17:33 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-14 05:17:33 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-08-13 22:11:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-29 13:21:13 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:37:00.71 ===============

Bobbye · Aug 22, 2011

Welcome to TechSpot! It is rare that running one scan removes all malware entries. It is possible that if the source of the malware is still on the system, it may be activated again on a reboot.
------------------------------
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.

Read my instructions carefully. If you don't understand or have a problem, ask me.

Follow the order of the tasks I give you. Order is crucial in cleaning process.

File sharing programs should be uninstalled or disabled during the cleaning process..

Observe these:
[o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
[o] Please Do not Attach logs or put in code boxes
[o] Don't download and install new programs- except those I give you.

Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
DDS always produces 2 logs. Please search the system for Attach.txt. 'Attach' is a name only so do not 'attach' the file> paste it in like you have done with the others and don't zip it. There is valuable information in that log which will help me help you.
==============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HERE and save to the desktop

Double click combofix.exe & follow the prompts.

ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=========================================

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESETOnlineScan

For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
[o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
[o] Double click on the on your desktop.

Check 'Yes I accept terms of use.'

Click Start button

Accept any security warnings from your browser.

Uncheck 'Remove found threats'

Check 'Scan archives/

Leave remaining settings as is.

Press the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.

When the scan completes, press List of found threats

Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.

Push the Back button

Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

needtechpros · Aug 23, 2011

Update on Tracur Tojan after running DDS, Combofix and ESET

Sorry it took so long to post again. Had to run some of this over night.

Here are results. Thanks again!

attach.txt, followed by Combofix log and ESET Scan log:

ATTACH:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/28/2008 1:08:31 PM
System Uptime: 8/21/2011 8:13:29 PM (14 hours ago)
.
Motherboard: Dell Inc. | | 0CT017
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Microprocessor | 2394/1066mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 699 GiB total, 459.469 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1313: 5/24/2011 12:33:34 PM - System Checkpoint
RP1314: 5/25/2011 1:04:27 PM - System Checkpoint
RP1315: 5/26/2011 1:33:47 PM - System Checkpoint
RP1316: 5/26/2011 2:16:17 PM - Software Distribution Service 3.0
RP1317: 5/27/2011 4:29:25 PM - System Checkpoint
RP1318: 5/28/2011 4:29:42 PM - System Checkpoint
RP1319: 5/29/2011 5:41:42 PM - System Checkpoint
RP1320: 5/30/2011 6:29:42 PM - System Checkpoint
RP1321: 5/31/2011 7:00:54 PM - System Checkpoint
RP1322: 6/1/2011 7:44:35 PM - System Checkpoint
RP1323: 6/2/2011 7:56:09 PM - System Checkpoint
RP1324: 6/3/2011 8:08:09 PM - System Checkpoint
RP1325: 6/5/2011 12:38:51 AM - System Checkpoint
RP1326: 6/6/2011 1:44:27 AM - System Checkpoint
RP1327: 6/7/2011 2:48:49 AM - System Checkpoint
RP1328: 6/8/2011 3:22:08 AM - System Checkpoint
RP1329: 6/9/2011 3:34:16 AM - System Checkpoint
RP1330: 6/10/2011 4:34:16 AM - System Checkpoint
RP1331: 6/11/2011 5:34:16 AM - System Checkpoint
RP1332: 6/12/2011 6:34:17 AM - System Checkpoint
RP1333: 6/13/2011 7:22:16 AM - System Checkpoint
RP1334: 6/14/2011 11:26:21 AM - System Checkpoint
RP1335: 6/15/2011 11:29:50 AM - System Checkpoint
RP1336: 6/16/2011 12:13:12 PM - System Checkpoint
RP1337: 6/17/2011 4:00:21 PM - System Checkpoint
RP1338: 6/18/2011 5:51:46 PM - System Checkpoint
RP1339: 6/19/2011 6:02:58 PM - System Checkpoint
RP1340: 6/20/2011 6:48:56 PM - System Checkpoint
RP1341: 6/21/2011 7:20:52 PM - System Checkpoint
RP1342: 6/22/2011 7:27:15 PM - System Checkpoint
RP1343: 6/23/2011 8:00:18 PM - System Checkpoint
RP1344: 6/24/2011 9:00:19 PM - System Checkpoint
RP1345: 6/25/2011 9:12:19 PM - System Checkpoint
RP1346: 6/26/2011 10:00:18 PM - System Checkpoint
RP1347: 6/27/2011 10:12:16 PM - System Checkpoint
RP1348: 6/28/2011 11:12:19 PM - System Checkpoint
RP1349: 6/30/2011 12:41:52 AM - System Checkpoint
RP1350: 7/1/2011 12:55:04 AM - System Checkpoint
RP1351: 7/2/2011 2:07:03 AM - System Checkpoint
RP1352: 7/3/2011 2:55:03 AM - System Checkpoint
RP1353: 7/4/2011 4:07:03 AM - System Checkpoint
RP1354: 7/5/2011 5:07:03 AM - System Checkpoint
RP1355: 7/6/2011 5:55:03 AM - System Checkpoint
RP1356: 7/7/2011 5:57:55 AM - System Checkpoint
RP1357: 7/8/2011 6:41:55 AM - System Checkpoint
RP1358: 7/9/2011 7:17:26 AM - System Checkpoint
RP1359: 7/10/2011 7:34:43 AM - System Checkpoint
RP1360: 7/11/2011 8:22:43 AM - System Checkpoint
RP1361: 7/12/2011 8:52:51 AM - System Checkpoint
RP1362: 7/13/2011 2:22:09 PM - System Checkpoint
RP1363: 7/14/2011 4:28:51 PM - System Checkpoint
RP1364: 7/15/2011 5:54:53 PM - System Checkpoint
RP1365: 7/16/2011 7:01:57 PM - System Checkpoint
RP1366: 7/17/2011 7:54:30 PM - System Checkpoint
RP1367: 7/18/2011 10:34:14 PM - System Checkpoint
RP1368: 7/19/2011 11:37:53 PM - System Checkpoint
RP1369: 7/21/2011 12:16:31 AM - System Checkpoint
RP1370: 7/22/2011 12:16:59 AM - System Checkpoint
RP1371: 7/23/2011 1:28:55 AM - System Checkpoint
RP1372: 7/24/2011 1:50:34 AM - System Checkpoint
RP1373: 7/25/2011 2:50:33 AM - System Checkpoint
RP1374: 7/26/2011 4:02:34 AM - System Checkpoint
RP1375: 7/27/2011 4:15:48 AM - System Checkpoint
RP1376: 7/28/2011 4:27:56 AM - System Checkpoint
RP1377: 7/29/2011 4:46:03 AM - System Checkpoint
RP1378: 7/30/2011 5:34:04 AM - System Checkpoint
RP1379: 7/31/2011 6:46:03 AM - System Checkpoint
RP1380: 8/1/2011 7:34:03 AM - System Checkpoint
RP1381: 8/2/2011 9:19:34 AM - System Checkpoint
RP1382: 8/3/2011 9:56:00 AM - System Checkpoint
RP1383: 8/4/2011 10:08:34 AM - System Checkpoint
RP1384: 8/5/2011 12:11:30 PM - System Checkpoint
RP1385: 8/6/2011 12:44:06 PM - System Checkpoint
RP1386: 8/7/2011 1:13:02 PM - System Checkpoint
RP1387: 8/8/2011 1:25:00 PM - System Checkpoint
RP1388: 8/9/2011 1:38:01 PM - System Checkpoint
RP1389: 8/10/2011 2:13:00 PM - System Checkpoint
RP1390: 8/11/2011 2:25:00 PM - System Checkpoint
RP1391: 8/12/2011 2:46:43 PM - System Checkpoint
RP1392: 8/13/2011 10:26:55 PM - Software Distribution Service 3.0
RP1393: 8/14/2011 10:44:51 PM - System Checkpoint
RP1394: 8/15/2011 11:05:47 PM - System Checkpoint
RP1395: 8/16/2011 11:10:14 AM - Installed HP USB Disk Storage Format Tool
RP1396: 8/17/2011 11:19:58 AM - System Checkpoint
RP1397: 8/18/2011 1:01:37 PM - System Checkpoint
RP1398: 8/19/2011 1:47:22 PM - System Checkpoint
RP1399: 8/20/2011 2:28:26 PM - System Checkpoint
RP1400: 8/21/2011 3:03:52 PM - System Checkpoint
.
==== Installed Programs ======================
.
2000 Lacerte Tax
2001 Lacerte Tax
2002 Lacerte Tax
2003 Lacerte Tax
2004 Lacerte Tax
2005 Lacerte Tax
2006 Lacerte Tax
2007 Lacerte Tax
2008 Lacerte Tax
2009 Lacerte Tax
2010 Lacerte Tax
32 Bit HP BiDi Channel Components Installer
7-Zip 4.65
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.3.0
Adobe Shockwave Player 11
Amazon Add to Wish List IE Extension 1.1
Amazon Games & Software Downloader
Amazon MP3 Downloader 1.0.12
Amazon Unbox Video
Apple Mobile Device Support
ArcSoft PhotoStudio 5.5
Audacity 1.2.3
Avanquest update
Boxee
Canon MP Navigator 3.0
Canon MP160
Canon MP160 User Registration
Canon My Printer
CCleaner
Classic PhoneTools
CNET TechTracker
Conexant D850 56K V.9x DFVc Modem
Creative Live! Cam Video IM Pro Driver (1.01.03.0928)
Critical Update for Windows Media Player 11 (KB959772)
CRON-O-METER 0.9.7
Defraggler
Digital TV for PC 2.0
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
Document eSort Components
doPDF 6.2 printer
Easy-WebPrint
Email Saver Xe 1.03
Glary Registry Repair 3.3.0.852
Glary Utilities 2.35.0.1216
Google Chrome
Google Updater
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp LaserJet 4200 Uninstaller
HP USB Disk Storage Format Tool
Infragisticsv62Install
Intel(R) PRO Network Connections Drivers
Intuit Runtime Components 6.0.16
iTunes
Java(TM) 6 Update 15
JLC's Internet TV
Lacerte Runtime Components
Lacerte to Drake Conversion 7.5.6
LAME v3.98.3 for Audacity
MakeItLive Plugin
Malwarebytes' Anti-Malware version 1.51.1.1800
MediaMonkey 3.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Desktop Engine (LACERTEDB)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2005 Tools for Office Runtime
Miro
Motorola Phone Tools
Move Media Player
Mozilla Firefox (3.6.15)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nitro PDF Professional
Norton Internet Security
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
OGA Notifier 2.0.0048.0
OnlineLive
OpenCASE Media Agent
PC Connectivity Solution
PCShowBuzz
PDF-Viewer
PhoneTools
PowerDVD
ProLine Tax Import
QBFC 7.0
QuickBooks
QuickBooks Premier 2002: Accountant Edition
QuickBooks Premier Edition 2006
QuickBooks Premier: Accountant Edition 2003
QuickBooks Premier: Accountant Edition 2004
QuickBooks Premier: Accountant Edition 2005
QuickBooks Premier: Accountant Edition 2007
QuickBooks Premier: Accountant Edition 2008
QuickBooks Premier: Accountant Edition 2009
QuickBooks Premier: Accountant Edition 2010
QuickBooks Premier: Accountant Edition 2011
QuickBooks Pro 2000
QuickBooks Pro 2001
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio MyDVD DE
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
SamsungConnectivityCableDriver
ScanSoft OmniPage SE 4.0
Second Copy 7
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Skype™ 5.0
Sonic Activation Module
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
Timeslips v11
TV Player Pro v0.7
UltraTax CS 2007
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2508979)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Veetle TV 0.9.17
VideoLAN VLC media player 0.8.6d
VisiPics V1.30
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
vShare Plugin
WebEx
WebFldrs XP
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Zune
Zune Language Pack (ES)
.
==== Event Viewer Messages From Past Week ========
.
8/21/2011 8:11:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SRTSP SRTSPX SymIRON SYMTDI Tcpip
8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2011 8:11:06 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2011 8:10:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/21/2011 8:10:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/21/2011 8:10:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/21/2011 7:46:07 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 889c1000, parameter3 889c1828, parameter4 1b050000.
8/21/2011 7:43:46 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 88ad5000, parameter3 88ad5828, parameter4 1b050000.
8/21/2011 7:40:51 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 880b8388, parameter3 880b8bb0, parameter4 1b050004.
8/21/2011 6:34:03 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
8/21/2011 4:34:08 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/20/2011 8:34:06 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/20/2011 4:34:06 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/20/2011 2:34:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/20/2011 1:34:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/18/2011 10:59:03 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/18/2011 10:44:02 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================

COMBOFIX LOG:
ComboFix 11-08-22.03 - Owner 08/22/2011 11:23:07.10.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2657 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
ADS - WINDOWS: deleted 192 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\install.rdf
c:\documents and settings\Owner\Application Data\OfferBox
c:\documents and settings\Owner\Application Data\OfferBox\config.dat
c:\documents and settings\Owner\Application Data\OfferBox\config.xml
c:\documents and settings\Owner\My Documents\1017.pdf
c:\documents and settings\Owner\wfseaheqoi.tmp
c:\documents and settings\Owner\WINDOWS
c:\timeslips\NAVEdit.exe
c:\timeslips\PROCedit.exe
c:\timeslips\TSIMport.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-22 to 2011-08-22 )))))))))))))))))))))))))))))))
.
.
2011-08-16 18:10 . 2011-08-16 18:10 -------- d-----w- C:\DriveKey
2011-08-14 05:24 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-14 05:24 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-13 22:48 . 2011-08-13 22:48 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-13 22:11 . 2011-07-06 15:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-29 13:21 . 2011-02-09 16:30 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29 . 2004-08-04 07:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52 . 2011-06-01 01:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-06-01 01:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2008-02-28 21:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 08:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 18:36 . 2004-08-04 08:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 08:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 12:05 . 2004-08-04 06:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 08:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 07:17 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
2010-08-20 02:17 434288 ----a-w- c:\program files\MakeItLive\makeitlive_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"= "c:\program files\MakeItLive\makeitlive_toolbar.dll" [2010-08-20 434288]
.
[HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"= "c:\program files\MakeItLive\makeitlive_toolbar.dll" [2010-08-20 434288]
.
[HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Second Copy"="c:\program files\SecCopy\SecCopy.exe" [2007-10-17 2425856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-21 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-11-10 1457928]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PhoneTools.lnk - c:\program files\Classic PhoneTools\Phontool.exe [2008-3-9 417792]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-02-09 20:57 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Intuit\\QB06\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Intuit\\QB07\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Intuit\\QB08\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Intuit\\QB09\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Boxee\\BOXEE.exe"=
"c:\\Program Files\\3B Software\\Digital TV for PC\\WTV.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Intuit\\QB11\\QBDBMgrN.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2011 9:30 AM 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SymDS.sys [8/13/2011 10:17 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SymEFA.sys [8/13/2011 10:17 PM 744568]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 4:55 PM 815736]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.sys [8/13/2011 10:17 PM 136312]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [5/11/2009 4:46 PM 233472]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [8/13/2011 10:17 PM 130008]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17 AM 196928]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [3/21/2011 11:17 AM 68928]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [1/16/2008 3:57 PM 814728]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [12/2/2010 2:02 PM 1251840]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2/28/2008 2:40 PM 20160]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [12/31/2010 7:05 PM 401920]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2011 10:31 AM 105592]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/11/2009 4:46 PM 36608]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20110819.030\IDSXpx86.sys [8/20/2011 10:51 AM 355256]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 2:05 AM 2151640]
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 12872]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [3/24/2006 1:00 AM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [9/29/2006 1:01 AM 500480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-09-10 15:26]
.
2011-08-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-24 17:16]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1383384898-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 03:30]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1383384898-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 03:30]
.
2011-08-22 c:\windows\Tasks\User_Feed_Synchronization-{DC5C132A-E4F7-4419-8BD8-19760468EFCF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
Handler: makeitlivechrome - {51472043-0170-45F9-BCCF-19FCFC676D18} - c:\program files\MakeItLive\makeitlive_toolbar.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: SignupShield: {D02B1E87-A8C6-433f-9B5C-2CEC4A072736} - %profile%\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {F744F437-9DFE-49B7-8F52-52E970DE95D8} - c:\documents and settings\Owner\Local Settings\Application Data\{F744F437-9DFE-49B7-8F52-52E970DE95D8}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Owner\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-22 11:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(256)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-22 11:36:06
ComboFix-quarantined-files.txt 2011-08-22 18:36
.
Pre-Run: 499,477,209,088 bytes free
Post-Run: 499,487,862,784 bytes free
.
- - End Of File - - C6C2CB1F02F8D8BE3AAC9F5B7A836368

ESET Scan log:
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\jgchaiepfmfhafpmdiobhfkadenoijck\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Free YouTube Downloader\FreeYouTubeDownloaderSetup v3.3.89 071311.exe multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214024.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214025.manifest Win32/TrojanDownloader.Tracur.F trojan

------------------------

Hope this helps.

needtechpros · Aug 24, 2011

Trying to PM Bobbye to continue fix

I can't PM Bobbye since I only have 2 (now 3 posts)

needtechpros · Aug 24, 2011

Bobbye are you out there?

I guess I now have 4 posts (6 more to go and I can post a message to Bobbye).
Anyone know another way to be allowed to post a PM or Visitor message?
Thanks

Bobbye · Aug 24, 2011

I got your PM. I am busy helping others who started before you. You only began the thread 1 day ago and you're getting impatient after an hour! I'll start you off but please refer back to this:

My Guidelines: please read and follow:

* Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.

============================================
You have 7 outdated versions of Java on the system. These are all vulnerabilities. Please run the following now:
You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***

Double-click on JavaRa.exe to start the program.

From the drop-down menu, choose English and click on Select.

JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.

Click Yes when prompted. When JavaRa is done, a notice will appear that
a logfile has been produced. Click OK.

A logfile will pop up. Please save it to a convenient location.Note: Do not leave this log.

Download and install then most current version and update of Java RuntimeEnvironment (JRE)HERE.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
===========================================
The Java cache will have malware because of the outdated programs:
To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the control panel. The Java Control Panel appears.

[3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.

[4] Click Delete Files.The Delete Temporary Files dialog box appears.

[5]. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
[6]. Click Apply> OK on Temporary Files Settings window.

Images courtesy java.com
============================================
There are only 2 active entries in Eset. Qoobox is quarantine folder from Combofix and System Volume is restore point which we will remove at the end. Neither of these locations are a threat- unless you happen to do a system restore and pick those particular points
Please download OTMovit by Old Timer and save to your desktop.
Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Files 
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\jgchaiepfmfhafpmdiobhfkadenoijck\contentscript.js 
C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Free YouTube Downloader\FreeYouTubeDownloaderSetup v3.3.89 071311.exe 
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=================================
Questions and Comments
Suspect that some of your download are from Torrent sites. That is a straight road to malware. It appears that you are in business and using this computer. I suggest that you do not frequent files sharing sites.
================================
Can you give me some information on these? The first one have multiple entries in the Registry:
1. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
"c:\\Program Files\\Boxee\\BOXEE.exe"=
2. 2010-08-20 02:17 434288 ----a-w- c:\program files\MakeItLive\makeitlive_toolbar.dll
=============================
The Adobe\Reader 8.0 is also out of date. The current version is v10. Please update now: Adobe Reader site Uninstall any earlier updates as they are vulnerabilities.
==============================
Were you previously using AVG and didn't do an uninstall when you got Norton? Or are you just using this>
AVG Anti-Spyware Guard
==============================
I'll get back to you as soon as I can. It won't be until tomorrow as I am very busy helping others.

needtechpros · Aug 24, 2011

Ran OTM, results posted

Thanks for your patience with me. I didn't think my PM went through and didn't know how to contact you.

Here is the file created by OTM. - I made a couple of notes on things I had deleted prior to running this. Sorry, just very nervous about malware/viruses.

See answers to your questions following the log file.

--------------------

All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User <--- [I had already deleted this ( had issues with Chrome, so uninstalled it and deleted some related files (sorry- can you tell I freak out when there is malware)]
Data\Default\Default\jgchaiepfmfhafpmdiobhfkadenoijck\contentscript.js not found.
File/Folder C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Free YouTube Downloader\FreeYouTubeDownloaderSetup v3.3.89 071311.exe not found. <---- [This one I had already deleted. Had just downloaded from download.cnet.com, hadn't installed it yet.]

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 83 bytes

User: All Users

User: b

User: b.Q24A
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 83 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 83 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 268567408 bytes
->Temporary Internet Files folder emptied: 44135520 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1144 bytes

User: QBDataServiceUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 83 bytes

User: QBDataServiceUser19
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 83 bytes

User: QBDataServiceUser20
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 83 bytes

User: user

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 1894400 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 24192 bytes
Windows Temp folder emptied: 33251 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 302.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 08242011_192917

Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_df4.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_1dc.dat not found!

Registry entries deleted on Reboot...
----------------------------
I had downloaded from a Torrent site - not doing that anymore.
--------------
Registry:
1. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
"c:\\Program Files\\Boxee\\BOXEE.exe"=
2. 2010-08-20 02:17 434288 ----a-w- c:\program files\MakeItLive\makeitlive_toolbar.dll

I think both above registry entries have something to do with watching TV / movies on my PC. I don't do that anymore, so ok with me if these should both be removed.

I probably should remove old TV related programs. But.... I promise I won't do anymore removing until after you are finished helping me.
--------------
I removed Reader 8.0 and installed v10.
-------------
Were you previously using AVG and didn't do an uninstall when you got Norton? Or are you just using this> AVG Anti-Spyware Guard

I did install AVG at one time, but no longer use it. I don't see it in my Add/Remove programs list anymore. Just use Norton IS (installed) and then once every few weeks run (free versions) of CCleaner, Glary Utilities, Spybot, Malewarebytes, Ad-Aware and sometimes Super Anti-virus. ---I know, stop laughing. Overkill?, They all seem to find different things. Any suggestions on what I should or shouldn't run? Do bi-weekly scans make sense?
--------------
Thanks again for all your help.

I will wait for your reply.

Bobbye · Aug 25, 2011

I made a couple of notes on things I had deleted prior to running this. Sorry, just very nervous about malware/viruses.

Please don't make comments within a log. If you want to add information about an entry, do it at the end, but out of the log. Entries that aren't found often have been moved in a previous program. I understand this. If I have any doubt at all about an entry, I will ask you about it- rather than you trying to explain it.
======================================
Notes on Security:
1. Per the Combofix instructions, these should be disabled when running the scan:
AV: Norton Internet Security *Enabled/Updated*
FW: Norton Internet Security *Enabled*
2. I don't recommend running both AdAware and Spybot S&D. AdAware has AdWatch and Spybot S&D has Tea Timer. There are both real time scanners. If you bot them both, there is a possibility of a conflict. If you paid for AdAware, I recommend you let the subscription expire and Keep Spybot S&D. But I don't recommend running Tea Timer.

Notes on Quickbooks:
Since you are running a business, I strongly recommend that you Look into this on the Intuit site:
You have multiple versions of the QB Download Manager loading: 6,7,8,9,10,11,19,20. You also show the install of the following:

QBFC 7.0
QuickBooks
QuickBooks Premier 2002: Accountant Edition
QuickBooks Premier Edition 2006
QuickBooks Premier: Accountant Edition 2003
QuickBooks Premier: Accountant Edition 2004
QuickBooks Premier: Accountant Edition 2005
QuickBooks Premier: Accountant Edition 2007
QuickBooks Premier: Accountant Edition 2008
QuickBooks Premier: Accountant Edition 2009
QuickBooks Premier: Accountant Edition 2010
QuickBooks Premier: Accountant Edition 2011
QuickBooks Pro 2000

Service or driver for DB 19 and 20
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
*****Are these multiple versions for different businesses. Or have you just not updated?******
===============================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code:
File::

DDS::
Handler: makeitlivechrome - {51472043-0170-45F9-BCCF-19FCFC676D18} - c:\program files\MakeItLive\makeitlive_toolbar.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56361A71-4E9F-401D-9E12-8AEAA3D7A672}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"=-
[HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{56361A71-4E9F-401D-9E12-8AEAA3D7A672}"=-
[HKEY_CLASSES_ROOT\clsid\{56361a71-4e9f-401d-9e12-8aeaa3d7a672}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{788202E4-BC14-42BD-BC26-644E440BFCD4}]
[HKEY_CLASSES_ROOT\MakeItLive.PugiObj]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Second Copy"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"
"c:\\Program Files\\Boxee\\BOXEE.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Open Firefox> Tools> Addons> Plugins> Find Jave v6u13, u14, u15 ans u16 and delete them.
===================
I'll give you some security tips when we're through. I'm removing Registry entries for the AVG Antispyware. That may be enough. If it isn't, I'll give you a tool to run to remove it.

needtechpros · Aug 25, 2011

ComboFix log

ComboFix 11-08-25.01 - Owner 08/25/2011 17:58:42.13.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2739 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
ADS - WINDOWS: deleted 192 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mootools.svn.js
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\pffcenter.html
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\pffCenter.js
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\reviewDialog.html
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\reviewNotesPopUp.html
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\taskNotesDialog.html
c:\program files\MakeItLive\makeitlive_toolbar.dll
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
.
.
2011-08-25 03:39 . 2011-08-25 03:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-08-25 02:29 . 2011-08-25 02:29 -------- d-----w- C:\_OTM
2011-08-25 02:25 . 2011-08-25 02:25 -------- d-----w- c:\program files\Common Files\Java
2011-08-25 02:25 . 2011-08-25 02:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-22 18:51 . 2011-08-22 18:51 -------- d-----w- c:\program files\ESET
2011-08-16 18:10 . 2011-08-16 18:10 -------- d-----w- C:\DriveKey
2011-08-14 05:24 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-14 05:24 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-13 22:48 . 2011-08-13 22:48 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-25 03:58 . 2011-07-06 15:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-25 02:25 . 2009-03-10 20:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-29 13:21 . 2011-02-09 16:30 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29 . 2004-08-04 07:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52 . 2011-06-01 01:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-06-01 01:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2008-02-28 21:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 08:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 18:36 . 2004-08-04 08:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 08:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 12:05 . 2004-08-04 06:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 08:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 07:17 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-21 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-11-10 1457928]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PhoneTools.lnk - c:\program files\Classic PhoneTools\Phontool.exe [2008-3-9 417792]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-02-09 20:57 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Intuit\\QB06\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Intuit\\QB07\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Intuit\\QB08\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Intuit\\QB09\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Boxee\\BOXEE.exe"=
"c:\\Program Files\\3B Software\\Digital TV for PC\\WTV.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Intuit\\QB11\\QBDBMgrN.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2011 9:30 AM 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SymDS.sys [8/13/2011 10:17 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SymEFA.sys [8/13/2011 10:17 PM 744568]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 4:55 PM 815736]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.sys [8/13/2011 10:17 PM 136312]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [5/11/2009 4:46 PM 233472]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [8/13/2011 10:17 PM 130008]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17 AM 196928]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [3/21/2011 11:17 AM 68928]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [1/16/2008 3:57 PM 814728]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [12/2/2010 2:02 PM 1251840]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2/28/2008 2:40 PM 20160]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [12/31/2010 7:05 PM 401920]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2011 10:31 AM 105592]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/11/2009 4:46 PM 36608]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20110822.031\IDSXpx86.sys [8/23/2011 12:17 AM 356280]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 2:05 AM 2151640]
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 12872]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [3/24/2006 1:00 AM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [9/29/2006 1:01 AM 500480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-26 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-09-10 01:47]
.
2011-08-25 c:\windows\Tasks\User_Feed_Synchronization-{DC5C132A-E4F7-4419-8BD8-19760468EFCF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{56361A71-4E9F-401D-9E12-8AEAA3D7A672} - c:\program files\MakeItLive\makeitlive_toolbar.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-25 18:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-25 18:10:12
ComboFix-quarantined-files.txt 2011-08-26 01:10
ComboFix2.txt 2011-08-23 03:30
ComboFix3.txt 2011-08-22 18:36
.
Pre-Run: 498,972,426,240 bytes free
Post-Run: 498,996,989,952 bytes free
.
- - End Of File - - 2AE4BBA4540B303A503F5C59C2BDA899
------------------------

I only use the free versions of scanners - except Norton IS.
I don't run AdWatch or Tea Timer and I run AdAware and Spybot at separate times. i.e. I don't think I am running any real time scanners except NIS.

I have all of those versions of Quickbooks installed. I have clients running different versions, so if I want to restore my changes back to their system, I need to run the same version of QB.

I don't think I need old QB versions download managers - I will check intuit site.

The install that just shows QuickBooks may be the 2006 edition, since I know that is installed and not showing.

I don't know what QBFC 7.0 is but it is a QB program (it might link some other software to QB?)

I don't understand the follwowing:
Service or driver for DB 19 and 20
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

*****Are these multiple versions for different businesses. Or have you just not updated?******
Yes multiple versions of QB

====================
Open Firefox> Tools> Addons> Plugins> Find Jave v6u13, u14, u15 ans u16 and delete them.
===================
Can't do, I previously removed Firefox.

Thanks again. Seems like we are getting there.

Bobbye · Aug 26, 2011

No problem with QB. I had to ask because some users just keep updating programs but don't understand that many don't overwrite and they need to remove them>>> Examples are Java and Adobe Reader

This is the 'handler':
CLSID: {FC598A64-626C-4447-85B8-53150405FD57}
Name: qbwc
File Name: %SYSDIR%\mscoree.dll
Description: QuickBooks_WebConnector
L Protocol> Legitimate protocol

I will leave any QuickBook programs or files up to you to make changes, if any, after you check Intuit.
========================================
Will you please update and run the Eset scan again? Leave entire log if there are any entries found.
=======================================
Download HijackThis and save to your desktop.

Extract it to a directory on your hard drive called c:\HijackThis.

Then navigate to that directory and double-click on the hijackthis.exe file.

When started click on the Scan button and then the Save Log button to create a log of your information.

The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

needtechpros · Aug 27, 2011

Eset and HijackThis ran

Here are the logs:

C:\Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe a variant of Win32/InstallCore.B application
C:\Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe a variant of Win32/InstallCore.B application
C:\Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe a variant of Win32/InstallCore.B application
C:\Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe a variant of Win32/InstallCore.B application
C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\Revo Uninstaller\cnet_RevoUninProSetup_exe v1.93 081311.exe a variant of Win32/InstallCore.B application
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214024.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214025.manifest Win32/TrojanDownloader.Tracur.F trojan

-------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:12:28 AM, on 8/27/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PhoneTools.lnk = C:\Program Files\Classic PhoneTools\Phontool.exe
O9 - Extra button: Add to Wish List - {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files\Amazon\Add to Wish List IE Extension\run.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIFF9C~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1204237991031
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhtt....69.14.226_47979&=&req=1264998944592OneCC.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} (05PrepInstall) - https://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intuitevents.webex.com/client/T27L/event/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QB08\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QB09\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files\Intuit\QB11\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QBIDPService (QBVSS) - Unknown owner - C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QB06\QBDBMgrN.exe
O23 - Service: QuickBooksDB19 - Intuit, Inc. - C:\PROGRA~1\Intuit\QB09\QBDBMgrN.exe
O23 - Service: QuickBooksDB20 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 11414 bytes

----------------------

Had to run Eset in safe mode. Eset would report something like can't get proxy. - it wouldn't update from the internet. I left computer in safe mode when running HijackThis.

Thanks

Bobbye · Aug 27, 2011

It is best that you let me know if you have a problem before going around it. The proxy can be handled rather than reverting to Safe Mode:
Handle the proxy this way:
Reset your browser proxies

For Firefox:
o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
o Click on the "Network" tab, and then on the "Settings" button.
o Please make sure that the "No Proxy" option is selected.

For Internet Explorer:
o Open Internet Explorer.
o Click on "Tools" and then select "Internet Options".
o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
o Uncheck "Use a Proxy server for your LAN".
o Click Ok to close the Local Area Network (LAN) Settings window.
o Click Ok to close the Internet Options window.

=================================================
Since it appears that you use cnet for downloads, I'd like you to go to their forum or support and post that you are also getting the Win32/InstallCore.B reported as malware from their downloads. I checked several threads and many were mentioning this, but there was no notice that it was a False Positive. It is reported as malware by several AV programs.. Many download screen have pre-checked boxes for bundles toolbars and browser helper objects. IF you do not uncheck them, they will load with the program and they have nothing to do with the program.
================================================
Considering the amount of financial information you have on your system, you should be very careful what you're putting on it. And since these are new, it appears that you are downloading while we are cleaning. Please don't do that.
============================================
Please download OTMovit by Old Timer and save to your desktop.
Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Files 
C:\Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe 
C:\Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe 
C:\Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe 
C:\Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe 
C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\RevoUninstaller\cnet_RevoUninProSetup_exe v1.93 081311.exe 

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code:
File::
c:\documents and settings\owner\wfseaheqoi.tmp
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Boxee\\BOXEE.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Reboot the computer. The proxy problem should be resolved. Update and rescan with Eset in Normal Mode. Leave the entire log in the next reply

The Qoobox entries in Eset are from the folder where Combofix puts the quarantined entries. They are not active on the system and will be removed with you uninstall Combofix.

The System Volume entries are restore points. They are not active in the system and will be removed at the end of the cleaning.

needtechpros · Aug 30, 2011

more logs

Went to options in IE and "Use proxy server for your Lan" was already unchecked.
Scans are working in regular mode for some reason.

Tried finding support at cnet downloads, couldn't find out anything about Win32/InstallCore.B. Didn't see support?
Tried Google, no real luck. Looks like a few (Eset) AV programs do report a possible problem but couldn't find out more than that.
I see people complaining that CNet/download.com has just recently added things to installers like asking you to install a toolbar, etc to many of their downloads.

I will stop using Cnet (at least until they change their policies). Win32/InstallCore.B was associated with "Revo Uninstaller" and other downloads from cnet.

Since I had just downloaded, but not installed the program "Revo Uninstaller", I deleted it (still in Recycle bin), reboot and then ran Eset.
i.e. ran OTMoveit and Combofix, then deleted the install program for "Revo Uninstaller", then ran Eset.
I believe that Win32/InstallCore.B was a false positive and not a virus. It is showing up in most recent cnet downloads.

I Was able to run OTMoveit3 ok. However when ComboFix finished had Windows error and had to reboot.

Error signature
BCCode : 19 BCP1 : 00000020 BCP2 : 884513E0 BCP3 : 884517F8
BCP4 : 1A830001 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

Don't know if above helps?
Couldn't find or print the .tmp files that Windows said were created as a result of the error.

Eset run with settings as before. unchecked 'Remove found threats', Checked 'Scan archives'

Logs following - OTMoveit, Combofix and Eset:

----------------

All processes killed
========== FILES ==========
C:\Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe moved successfully.
C:\Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe moved successfully.
C:\Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe moved successfully.
C:\Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe moved successfully.
File/Folder C:\Documents and Settings\Owner\My Documents\Downloads\1COMPUTER\RevoUninstaller\cnet_RevoUninProSetup_exe v1.93 081311.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: b

User: b.Q24A
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 73882 bytes
->Temporary Internet Files folder emptied: 47733383 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1798 bytes

User: QBDataServiceUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: QBDataServiceUser19
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: QBDataServiceUser20
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: user

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 193085440 bytes

Total Files Cleaned = 230.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 08292011_084419

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_a8.dat not found!

Registry entries deleted on Reboot...

-------------------

ComboFix 11-08-29.03 - Owner 08/29/2011 9:58:48.15.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2250 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\documents and settings\owner\wfseaheqoi.tmp"

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))

2011-08-27 14:10:51 . 2011-08-27 14:12:28 -------- d-----w- C:\HijackThis
2011-08-25 03:39:19 . 2011-08-25 03:39:19 -------- d-----w- C:\Program Files\Common Files\Adobe AIR
2011-08-25 02:29:17 . 2011-08-25 02:29:17 -------- d-----w- C:\_OTM
2011-08-25 02:25:36 . 2011-08-25 02:25:36 -------- d-----w- C:\Program Files\Common Files\Java
2011-08-25 02:25:26 . 2011-08-25 02:25:11 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2011-08-22 18:51:01 . 2011-08-22 18:51:01 -------- d-----w- C:\Program Files\ESET
2011-08-16 18:10:14 . 2011-08-16 18:10:14 -------- d-----w- C:\DriveKey
2011-08-14 05:24:47 . 2011-06-24 14:10:36 139656 -c----w- C:\WINDOWS\system32\dllcache\rdpwd.sys
2011-08-14 05:24:46 . 2011-04-21 13:37:43 105472 -c----w- C:\WINDOWS\system32\dllcache\mup.sys
2011-08-13 22:48:21 . 2011-08-13 22:48:23 -------- d-----w- C:\Documents and Settings\Administrator
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-08-25 03:58:00 . 2011-07-06 15:44:35 404640 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-08-25 02:25:12 . 2009-03-10 20:21:34 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2011-07-29 13:21:13 . 2011-02-09 16:30:44 101720 ----a-w- C:\WINDOWS\system32\drivers\SBREDrv.sys
2011-07-15 13:29:31 . 2004-08-04 07:15:18 456320 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 . 2001-08-23 12:00:00 10496 ----a-w- C:\WINDOWS\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 . 2011-06-01 01:43:12 41272 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 . 2011-06-01 01:43:08 22712 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-06-24 14:10:36 . 2008-02-28 21:03:59 139656 ----a-w- C:\WINDOWS\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 . 2004-08-04 08:56:58 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2011-06-23 18:36:30 . 2004-08-04 08:56:48 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-06-23 18:36:30 . 2004-08-04 08:56:44 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2011-06-23 12:05:13 . 2004-08-04 06:59:58 385024 ----a-w- C:\WINDOWS\system32\html.iec
2011-06-20 17:44:52 . 2004-08-04 08:56:48 293376 ----a-w- C:\WINDOWS\system32\winsrv.dll
2011-06-02 14:02:05 . 2004-08-04 07:17:42 1858944 ----a-w- C:\WINDOWS\system32\win32k.sys

((((((((((((((((((((((((((((( SnapShot@2011-08-26_01.07.25 )))))))))))))))))))))))))))))))))))))))))

+ 2011-08-29 16:32:14 . 2011-08-29 16:32:14 16384 C:\WINDOWS\temp\Perflib_Perfdata_768.dat
+ 2011-08-29 15:46:04 . 2011-08-29 15:46:04 16384 C:\WINDOWS\temp\Perflib_Perfdata_728.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-21 00:00:04 282624]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 19:56:08 124200]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 19:22:16 221184]
"V0230Mon.exe"="C:\WINDOWS\V0230Mon.exe" [2006-09-07 08:01:00 32768]
"Intuit SyncManager"="C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-11-10 13:17:54 1457928]
"AmazonGSDownloaderTray"="C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 20:31:44 326144]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 09:07:00 8491008]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 18:56:16 1230704]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 20:06:06 254696]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 19:55:28 937920]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PhoneTools.lnk - C:\Program Files\Classic PhoneTools\Phontool.exe [2008-3-9 417792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-02-09 20:57:17 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe"
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Intuit\\QB06\\QBDBMgrN.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Intuit\\QB07\\QBDBMgrN.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\Program Files\\Intuit\\QB08\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"C:\\Program Files\\Intuit\\QB09\\QBDBMgrN.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"C:\\Program Files\\Boxee\\BOXEE.exe"=
"C:\\Program Files\\3B Software\\Digital TV for PC\\WTV.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Intuit\\QB11\\QBDBMgrN.exe"=

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [2/9/2011 9:30:49 AM 64512]
R0 SymDS;Symantec Data Store;C:\WINDOWS\system32\drivers\NIS\1206000.01D\SymDS.sys [8/13/2011 10:17:24 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1206000.01D\SymEFA.sys [8/13/2011 10:17:24 PM 744568]
R1 BHDrvx86;BHDrvx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 4:55:18 PM 815736]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33:36 AM 12872]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33:36 AM 67656]
R1 SymIRON;Symantec Iron Driver;C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.sys [8/13/2011 10:17:24 PM 136312]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [5/11/2009 4:46:31 PM 233472]
R2 NIS;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [8/13/2011 10:17:16 PM 130008]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17:44 AM 196928]
R2 nlsX86cc;NLS Service;C:\WINDOWS\system32\NLSSRV32.EXE [3/21/2011 11:17:56 AM 68928]
R2 OpenCASE Media Agent;OpenCASE Media Agent;C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [1/16/2008 3:57:26 PM 814728]
R2 QBVSS;QBIDPService;C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [12/2/2010 2:02:36 PM 1251840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2011 10:31:09 AM 105592]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [5/11/2009 4:46:31 PM 36608]
R3 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20110826.030\IDSXpx86.sys [8/27/2011 7:37:33 AM 356280]
R3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\drivers\V0230Vfx.sys [3/24/2006 1:00:00 AM 6272]
R3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\drivers\V0230VID.sys [9/29/2006 1:01:00 AM 500480]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\drivers\ADM8511.SYS [2/28/2008 2:40:22 PM 20160]
S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [12/31/2010 7:05:09 PM 401920]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 2:05:32 AM 2151640]
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
S3 QuickBooksDB19;QuickBooksDB19;C:\PROGRA~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 --> C:\PROGRA~1\Intuit\QB09\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 QuickBooksDB20;QuickBooksDB20;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 --> C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33:38 AM 12872]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Contents of the 'Scheduled Tasks' folder

2011-08-29 C:\WINDOWS\Tasks\GlaryInitialize.job
- C:\Program Files\Glary Utilities\initialize.exe [2009-09-10 15:56:24 . 2011-08-10 01:47:26]

2011-08-29 C:\WINDOWS\Tasks\User_Feed_Synchronization-{DC5C132A-E4F7-4419-8BD8-19760468EFCF}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-14 02:36:40 . 2009-03-08 11:31:54]

------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: Interfaces\{58C1ACA1-6C76-4EA1-BD76-240C25789DCE}: NameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=5fca2ead3f7b1eb64618af2d840edc55&url=http%3A%2F%2Fd.64.69.14.226.downloads.estara.com.%2Fas%2FOneCCDM.php&template=384172&sessionid=1676394464_64.69.14.226_47979&=&req=1264998944592OneCC.cab
DPF: {8DF017CF-BEDB-4869-9C30-164AB58F1E17} - hxxps://www.lacertesoftware.com/MyAccount/WebDownloads/bin/05prepinstall.cab

-----------------
Eset:

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{02b8966a-70b2-452b-90a1-7ebe6ff45889}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{c7f51fa3-ae87-4b4f-814e-6ffbcec1274f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nh0y3y1x.default\extensions\{d72b2d69-5357-4154-bcd9-7d9d0fe32a5c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\RECYCLER\S-1-5-21-2000478354-1383384898-839522115-1003\Dc1.exe a variant of Win32/InstallCore.B application
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214023.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214024.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{4D4F2DDC-E40E-4393-A5BF-15A164F66C96}\RP1401\A0214025.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_fbsetup_exe.exe a variant of Win32/InstallCore.B application
C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_mylockbox_setup_zip.exe a variant of Win32/InstallCore.B application
C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_TrueCrypt Setup 7_0a_exe.exe a variant of Win32/InstallCore.B application
C:\_OTM\MovedFiles\08292011_084419\C_Documents and Settings\Owner\desktop\cnet_USBWriteProtect_zip.exe a variant of Win32/InstallCore.B application
-------

Thanks. Work your magic...

Bobbye · Aug 30, 2011

Sometimes I wish I could work magic! But my wand doesn't zap away everything!

Eset looks good. Nothing new or active. We do need to take out the trash though! The Recycler is the folder where the deleted items from the Recycle Bin are sent.
The 2 important things in doing this are: 1. The Recycle Bin itself must be empty and 2. Since the Recycler is a hidden, protected system file, hidden files and folders must show.

Open Windows Explorer (right click on Start> Explore> then go to Tools> Folder Options> View tab>

Check 'Show hidden files and folders> Uncheck 'Hide protected system files (Recommended.' Confirm Yes when you get the message.

Then click on Apply> OK.

Go down to the Recycle Bin itself and empty it.

Then double click on Recycler which will now be unhidden.

Look on right screen for SID S-1-5-21-2000478354-1383384898-839522115-1003> do a right click> Delete.

Go back and rehide the files and folders and protected system files when done.
---------------------------------------------
Once in a while this won't work and you'll get a message about it being in use. Don't let this bother you if it happens. Try it again at some other time, going through the same steps.
---------------------------------------------
Qoobox enries are Combofix quarantined files which will be removed when we uninstall Combofix.
System Volume are restore points which I will have to drop and set new, clean one when we finish the cleaning.
====================================
Please run this Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code:
File::
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Boxee\\BOXEE.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Since you ran HijackThis in Safe Mode with Networking I'd like you to run it again in Normal Mode. That should finish you up and I'll have you remove the cleaning tools..

needtechpros · Sep 1, 2011

Haven't been able to delete

I haven't been able to delete S-1-5-21-2000478354-1383384898-839522115-1003.

I have tried often, with no other (visible) programs running.

Any thoughts? Should I perform the other tasks without deleting?

Thanks

Bobbye · Sep 1, 2011

No problem. It will get overwritten. I've had problems occasionally too. Go ahead with the rest.

Bobbye · Sep 10, 2011

Do you want to continue?

TechSpot

[Inactive] Norton IS reports Tracur Trojan activity after removing with Malewarebytes

needtechpros Newcomer, in training

Bobbye Helper on the Fringe

needtechpros Newcomer, in training

needtechpros Newcomer, in training

needtechpros Newcomer, in training

Bobbye Helper on the Fringe

needtechpros Newcomer, in training

Bobbye Helper on the Fringe

needtechpros Newcomer, in training

Bobbye Helper on the Fringe

needtechpros Newcomer, in training

Bobbye Helper on the Fringe

needtechpros Newcomer, in training

Bobbye Helper on the Fringe

needtechpros Newcomer, in training

Bobbye Helper on the Fringe

Bobbye Helper on the Fringe