
Tracur Trojan Activity / Norton 360


This topic is locked

#1 Iceman107 (New Member, 6 posts)
I was given your website address on the Community forums of Norton 360, as it pertains to the following, and hope you might be of assistance. I was looking at a post on your site from someone with a similar problem, but their solution involved downloading a Kaspersky extension. I have Norton 360. Also, I'm not familiar with the OTR log download procedure, as I'm not a techy. Thanks for your help. Here's my post on the Norton Community boards:

Not mentioned was that I found the 'People Can Fly' entry in my search toolbar options and had it 'disabled'.


Iceman107 (Newbie, Posts: 2, Registered: 08-21-2011)
Tracur Trojan Activity
08-21-2011 10:27 PM
I keep getting a Norton 360 pop-up warning stating "Norton Block, an intrusion attempt, Tracur Trojan...".
Under the Security Alert it reads: 91.217.153.48 was blocked. IPS Alert Name - System Infected: Tracur Trojan Activity.
Aside from this, there is a recurring file left on my desktop labeled lhnfyqpnpn.tmp.
I keep deleting it and emptying the recycle bin, but it comes back (though it seems inactive).
In short, I don't think ANYTHING was blocked. I believe the Trojan got through.
Please advise.
SendOfJive (Norton Fighter, Posts: 5,457, Registered: 02-07-2009)
Re: Tracur Trojan Activity
08-21-2011 10:49 PM
The "System Infected" notation means that the trojan is already on your system. It is trying to connect out and IPS is blocking the outbound connection. You may want to post at one of the following free malware removal forums for assistance with this.

http://www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/
Iceman107 (Newbie, Posts: 2, Registered: 08-21-2011)
Re: Tracur Trojan Activity
08-22-2011 12:16 AM
With all due respect, what does this say about Norton 360's performance... or lack thereof? And why are you referring me elsewhere instead of having Norton resolve the issue? I mean, what the [bleep] am I paying for???
Regards.
#2 Gammo (Member 2k, Malware Removal, 2,299 posts)
Hi,

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

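The OTL.Txt these steps produce is normally read by eye. The following is an added example, not part of this thread and not OTL's or Norton's code, of the checks a malware-removal helper applies to such entries: it parses OTL entry lines copied from the log posted later in this thread and flags recent non-Microsoft binaries in System32, names that imitate genuine Windows files or services with a "32" suffix, and files that share a size and timestamp. The allowlists LEGIT_FILES and LEGIT_SERVICES, the 30-day window and the function names are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Sample input: entry lines copied from the OTL log posted later in this thread.
SAMPLE_LINES = [
    r"PRC - [2011/08/22 17:05:05 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe",
    r"PRC - [2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\slbiop32.exe",
    r"PRC - [2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\iprop32.exe",
    r"PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe",
    r"SRV - [2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\iprop32.exe -- (aspnet_state32)",
    r"[2011/08/21 21:32:27 | 000,158,208 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\mswsock32.dll",
    r"[2011/08/21 20:28:53 | 000,334,336 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\authz32.dll",
    r"[2010/01/11 15:18:59 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll",
]
# "OTL logfile created on" header of the posted log; entry ages are judged against it.
SCAN_TIME = datetime(2011, 8, 22, 17, 9, 39)

# Constructed allowlists (assumption): genuine Windows XP file and service names that
# the entries in this thread imitate by appending "32". A real triage would use a
# full inventory of the OS build being examined.
LEGIT_FILES = {"mswsock.dll", "authz.dll", "userinit.exe", "explorer.exe"}
LEGIT_SERVICES = {"aspnet_state"}

# One OTL entry: optional kind, [timestamp | size | attrs | M/C], (vendor),
# optional [state] for services and drivers, path, optional trailing (service name).
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|SRV|MOD|DRV) - )?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [\w-]{4} \| [MC]\] "
    r"\((?P<vendor>[^)]*)\)"
    r"(?: \[[^\]]*\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<svc>[^)]+)\))?$"
)


def parse_entry(line):
    """Parse one OTL entry line into a dict; return None for headers and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "kind": m.group("kind") or "FILE",
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "vendor": m.group("vendor").strip(),
        "path": m.group("path"),
        "svc": m.group("svc"),
    }


def shadowed_name(name, legit):
    """If name is <legit>32 (same extension), return the legitimate name it mimics."""
    stem, dot, ext = name.rpartition(".")
    if not dot:                      # service names carry no extension
        stem, ext = name, ""
    if not stem.endswith("32"):
        return None
    candidate = stem[:-2] + (dot + ext if dot else "")
    return candidate if candidate in legit else None


def triage(lines, scan_time, window_days=30):
    """Return {lowercase path: [reasons]} for entries a malware helper should look at."""
    entries = [e for e in map(parse_entry, lines) if e]
    findings = {}

    def add(path, reason):
        reasons = findings.setdefault(path.lower(), [])
        if reason not in reasons:    # the same file may appear as PRC and as SRV
            reasons.append(reason)

    for e in entries:
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        recent = scan_time - e["ts"] <= timedelta(days=window_days)
        if "\\windows\\system32\\" in path and recent and e["vendor"] != "Microsoft Corporation":
            add(path, "recent non-Microsoft file in System32 (vendor %r)" % e["vendor"])
        legit = shadowed_name(name, LEGIT_FILES)
        if legit:
            add(path, "filename shadows %s" % legit)
        if e["svc"]:
            legit_svc = shadowed_name(e["svc"].lower(), LEGIT_SERVICES)
            if legit_svc:
                add(path, "service %s shadows %s" % (e["svc"], legit_svc))

    # Identical size and timestamp under different names usually means one dropper
    # wrote several copies of itself. Genuine files that share an install timestamp
    # almost always differ in size, so this rarely fires on legitimate entries.
    by_fingerprint = {}
    for e in entries:
        by_fingerprint.setdefault((e["size"], e["ts"]), set()).add(e["path"].lower())
    for paths in by_fingerprint.values():
        if len(paths) > 1:
            for p in paths:
                add(p, "same size and timestamp as " + ", ".join(sorted(paths - {p})))
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LINES, SCAN_TIME).items()):
        print(path)
        for r in reasons:
            print("   -", r)
```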

#3 Iceman107 (Topic Starter, New Member, 6 posts)
OTL logfile created on: 8/22/2011 5:09:39 PM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.99 Mb Total Physical Memory | 207.08 Mb Available Physical Memory | 40.60% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.47% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 11.25 Gb Free Space | 30.18% Space Free | Partition Type: NTFS

Computer Name: FAMILY | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/22 17:05:05 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\slbiop32.exe
PRC - [2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\iprop32.exe
PRC - [2011/07/24 15:57:49 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\5.1.0.29\ccsvchst.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/06 14:41:06 | 000,069,632 | ---- | M] (Software 2000 Limited) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE


========== Modules (No Company Name) ==========

MOD - [2011/01/04 22:45:31 | 000,139,776 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/03/28 23:48:42 | 000,110,816 | ---- | M] () -- C:\Program Files\Ace Utilities\wipext.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\iprop32.exe -- (aspnet_state32)
SRV - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe -- (N360)


========== Driver Services (SafeList) ==========

DRV - [2011/08/03 20:15:21 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110822.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/03 20:15:21 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110822.004\NAVENG.SYS -- (NAVENG)
DRV - [2011/08/02 01:07:58 | 000,355,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110819.030\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/07/27 19:06:22 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/07/27 19:06:21 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/07/22 19:27:23 | 000,815,736 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110812.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/05/02 17:38:45 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/30 22:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0501000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 22:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 19:39:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0501000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/14 21:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/27 01:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS -- (SymDS)
DRV - [2010/11/15 20:45:33 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/08 12:45:06 | 000,019,328 | ---- | M] (WiFi Media Connect) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wfmcvad.sys -- (WFMC_VAD) WFMC Virtual Audio Device (WDM)
DRV - [2004/04/13 20:20:08 | 000,015,781 | R--- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2003/09/22 12:43:06 | 001,330,048 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2003/09/22 08:48:06 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 08:47:38 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2000/05/03 04:10:00 | 000,058,736 | ---- | M] (Logitech) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\LSERMOUS.SYS -- (lsermous)
DRV - [2000/05/03 04:10:00 | 000,058,592 | ---- | M] (Logitech) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\LMOUFLTR.SYS -- (lmoufltr)
DRV - [2000/05/03 04:10:00 | 000,004,240 | ---- | M] (Logitech) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\LKBDFLTR.SYS -- (lkbdfltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9C 2C 45 12 20 B1 10 47 85 86 84 5D BA BB AB 40 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9C 2C 45 12 20 B1 10 47 85 86 84 5D BA BB AB 40 [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9C 2C 45 12 20 B1 10 47 85 86 84 5D BA BB AB 40 [binary data]
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9C 2C 45 12 20 B1 10 47 85 86 84 5D BA BB AB 40 [binary data]
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
IE - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
IE - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9C 2C 45 12 20 B1 10 47 85 86 84 5D BA BB AB 40 [binary data]
IE - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\..\URLSearchHook: {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
IE - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\ [2011/08/16 23:51:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn_2011_7_1_3 [2011/08/22 13:53:42 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/08/18 09:53:04 | 000,436,514 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 15024 more lines...
O2 - BHO: (no name) - {12452C9C-B120-4710-8586-845DBABBAB40} - C:\WINDOWS\system32\authz32.dll (People Can Fly)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.1.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Copernic Agent) - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O3 - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\..\Toolbar\WebBrowser: (Copernic Agent) - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O4 - HKU\S-1-5-21-1078081533-1844823847-725345543-1003..\Run: [Desktop Software] File not found
O4 - HKU\S-1-5-21-1078081533-1844823847-725345543-1003..\Run: [SansaDispatch] C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1078081533-1844823847-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O9 - Extra 'Tools' menuitem : Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe (Copernic Technologies Inc.)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe (Copernic Technologies Inc.)
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.h...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\copernicagent {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O18 - Protocol\Handler\copernicagentcache {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/08 11:25:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/22 17:05:04 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/08/21 21:32:27 | 000,158,208 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\mswsock32.dll
[2011/08/21 20:29:11 | 000,717,312 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\slbiop32.exe
[2011/08/21 20:29:02 | 000,717,312 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\iprop32.exe
[2011/08/21 20:28:53 | 000,334,336 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\authz32.dll
[2011/08/19 01:18:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Bus Routes 2011
[2011/08/14 18:05:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/08/14 18:05:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/08/10 16:15:20 | 000,000,000 | -HSD | C] -- C:\found.000
[2011/08/10 07:54:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2011/08/10 07:32:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Craigslist
[2011/07/28 21:52:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mp3Gain PRO
[2011/07/28 21:52:31 | 000,000,000 | ---D | C] -- C:\Program Files\Mp3GainPRO
[2011/07/24 15:57:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\SanDisk
[2011/06/07 05:01:57 | 005,636,840 | ---- | C] (SmartSoft ) -- C:\Program Files\Smart Wave Converter - Pro.exe
[2010/01/11 15:18:59 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/22 17:09:19 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/08/22 17:05:05 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/08/22 17:01:54 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/22 17:01:51 | 000,013,720 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/22 16:16:04 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/22 13:53:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/21 22:04:03 | 000,000,220 | -HS- | M] () -- C:\boot.ini
[2011/08/21 22:04:02 | 007,523,080 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\SMRBackup210.dat
[2011/08/21 21:39:12 | 000,000,807 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Ace Utilities (2).lnk
[2011/08/21 21:32:27 | 000,158,208 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\mswsock32.dll
[2011/08/21 21:32:27 | 000,000,103 | ---- | M] () -- C:\WINDOWS\System32\450784611
[2011/08/21 21:17:12 | 000,031,992 | ---- | M] () -- C:\{DC36F24C-EA1C-4A3E-BC68-4A6FCD92C6D3}
[2011/08/21 20:28:53 | 000,334,336 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\authz32.dll
[2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\slbiop32.exe
[2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\iprop32.exe
[2011/08/21 20:15:04 | 000,000,508 | ---- | M] () -- C:\WINDOWS\tasks\RaimaRadio_WDRV- 971 The Drive_5_25_2011_6_52_49_PM.job
[2011/08/21 18:04:54 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EE1165A9-ABDE-4FE6-B789-44AB0A7ED5F1}.job
[2011/08/18 09:53:04 | 000,436,514 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/08/15 07:02:12 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\Ace Optimizer Maintenance.job
[2011/08/14 12:57:05 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[2011/08/14 05:40:02 | 000,000,522 | ---- | M] () -- C:\WINDOWS\tasks\Disk Defragmenter.job
[2011/08/14 04:00:00 | 000,000,314 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2011/08/12 23:42:00 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2011/08/11 03:29:11 | 000,436,344 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110818-095303.backup
[2011/08/10 15:52:15 | 000,441,546 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/08/10 15:52:15 | 000,071,482 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/08/10 15:30:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/07 00:54:34 | 000,436,278 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110811-032910.backup
[2011/07/30 22:46:36 | 000,436,218 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110807-005434.backup
[2011/07/30 20:51:08 | 000,000,095 | ---- | M] () -- C:\WINDOWS\System32\lp3codec32win.dll
[2011/07/28 21:52:35 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Mp3GainPRO.lnk
[2011/07/28 21:50:44 | 002,034,861 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mp3gainpro.rar
[2011/07/25 21:01:25 | 000,436,064 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110730-224636.backup
[2011/07/25 00:38:15 | 015,728,640 | ---- | M] () -- C:\clppa.bin
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/21 22:02:59 | 007,523,080 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\SMRBackup210.dat
[2011/08/21 21:39:12 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Ace Utilities (2).lnk
[2011/08/21 21:17:12 | 000,031,992 | ---- | C] () -- C:\{DC36F24C-EA1C-4A3E-BC68-4A6FCD92C6D3}
[2011/08/21 20:29:02 | 000,000,103 | ---- | C] () -- C:\WINDOWS\System32\450784611
[2011/07/30 12:50:49 | 000,000,095 | ---- | C] () -- C:\WINDOWS\System32\lp3codec32win.dll
[2011/07/28 21:52:35 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Mp3GainPRO.lnk
[2011/07/28 21:50:38 | 002,034,861 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\mp3gainpro.rar
[2011/07/25 00:38:14 | 015,728,640 | ---- | C] () -- C:\clppa.bin
[2011/03/31 15:01:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/28 10:27:25 | 000,019,848 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/06 11:14:14 | 000,000,033 | ---- | C] () -- C:\WINDOWS\DownloadStudioScheduleMonitor.INI
[2010/05/25 12:51:14 | 000,109,782 | ---- | C] () -- C:\WINDOWS\CopernicAgentUninstall.exe
[2010/04/08 17:38:25 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/17 10:40:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/19 13:05:25 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/01/17 14:31:38 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Compressor
[2010/01/17 14:31:38 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Command Line Utility
[2010/01/17 14:31:38 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2010/01/17 14:31:38 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Core Data Application
[2010/01/17 11:15:53 | 000,104,448 | ---- | C] () -- C:\WINDOWS\System32\LGUICOM.DLL
[2010/01/17 11:15:53 | 000,000,488 | ---- | C] () -- C:\WINDOWS\Cmousecc.ini
[2010/01/17 10:54:48 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2010/01/08 11:27:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/01/08 11:22:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/01/08 05:15:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/01/08 05:14:33 | 000,122,136 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/06/11 15:24:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2004/08/02 15:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/07/08 14:41:48 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,441,546 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,071,482 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/07/16 14:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digital Asphyxia
[2010/01/17 14:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2010/01/17 14:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2010/12/29 10:24:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pJnBp01819
[2011/06/04 11:37:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2010/01/17 11:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2010/11/11 11:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/07/16 14:38:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/08/21 21:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/17 14:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2011/07/23 12:05:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Audacity
[2011/06/22 22:30:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BioniX Wallpaper
[2011/03/24 10:39:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BioniX Wallpaper 6
[2011/03/24 10:30:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CategorizeThis
[2010/05/25 12:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Copernic
[2011/07/16 14:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Digital Asphyxia
[2011/03/24 22:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GroovesharkDesktop.7F9BF17D6D9CB2159C78A6A6AB076EA0B1E0497C.1
[2010/01/25 20:34:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2010/03/17 10:09:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nikon
[2010/01/25 21:00:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PhotoFiltre
[2011/07/05 09:46:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\RaimaRadioPro
[2011/05/13 13:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\rockbox.org
[2011/07/24 15:57:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SanDisk
[2010/04/04 22:34:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\StumbleUpon
[2011/05/25 16:15:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Tific
[2011/03/07 15:49:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TK8 Software
[2011/08/15 07:02:12 | 000,000,294 | ---- | M] () -- C:\WINDOWS\Tasks\Ace Optimizer Maintenance.job
[2011/08/14 12:57:05 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job
[2011/08/14 05:40:02 | 000,000,522 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Defragmenter.job
[2011/08/21 20:15:04 | 000,000,508 | ---- | M] () -- C:\WINDOWS\Tasks\RaimaRadio_WDRV- 971 The Drive_5_25_2011_6_52_49_PM.job
[2011/08/21 18:04:54 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{EE1165A9-ABDE-4FE6-B789-44AB0A7ED5F1}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\Desktop\lhnfyqpnpn.tmp:SummaryInformation
@Alternate Data Stream - 168 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E965A533

< End of report >

#4 Iceman107 (New Member, Topic Starter, 6 posts)
OTL Extras logfile created on: 8/22/2011 5:09:40 PM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.99 Mb Total Physical Memory | 207.08 Mb Available Physical Memory | 40.60% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.47% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 11.25 Gb Free Space | 30.18% Space Free | Partition Type: NTFS

Computer Name: FAMILY | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.5\YTPro.exe" = C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.5\YTPro.exe:*:Enabled:Y!TunnelPro V2.5
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Philips\Wi-Fi MediaConnect\WFMCDMS.exe" = C:\Program Files\Philips\Wi-Fi MediaConnect\WFMCDMS.exe:*:Enabled:Wi-Fi DMS


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics
"{7B02BF60-796D-4616-908B-B31A63CFDEFB}" = HPCarePackCore
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8CF1CF59-807A-4608-8F8B-45A24D1B9305}" = DownloadStudio
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6B25B8D-0566-42B1-A23D-7576138435D6}" = Y!TunnelPro 2.6
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{ECA31632-C2AD-4774-A3CA-2813D47E4DD0}" = HPCarePackProducts
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"Ace Utilities_is1" = Ace Utilities
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AT&&T Yahoo! Messenger" = AT&T Yahoo! Messenger
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.13 (Unicode)
"Copernic Agent Basic" = Copernic Agent Basic
"Dead Like Me" = Dead Like Me Screen Saver
"Easy Hi-Q Recorder_is1" = Easy Hi-Q Recorder 2.4
"HP LaserJet P1000 series" = HP LaserJet P1000 series
"ie8" = Windows Internet Explorer 8
"Logitech MouseWare" = Logitech MouseWare 9.10
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mp3Gain PRO_is1" = Mp3Gain PRO
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"N360" = Norton 360
"NVIDIA Drivers" = NVIDIA Drivers
"One Eye Open_is1" = One Eye Open v1.0
"PROSet" = Intel® PRO Ethernet Adapter and Software
"RarmaRadio_is1" = RarmaRadio 2.63
"Smart WAV Converter Pro_is1" = Smart WAV Converter Pro
"TK8 Backup_is1" = TK8 Backup 4.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR 4.00 beta 4 (32-bit)
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = AT&T Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1078081533-1844823847-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AI RoboForm" = AI RoboForm
"Sansa Updater" = Sansa Updater

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/21/2011 10:19:33 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/21/2011 10:19:47 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 8/21/2011 10:19:52 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 8/21/2011 10:20:00 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 8/21/2011 10:28:48 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/21/2011 10:28:48 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/21/2011 10:28:56 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1001
Description = Fault bucket 734562961.

Error - 8/21/2011 10:29:00 PM | Computer Name = FAMILY | Source = Application Hang | ID = 1001
Description = Fault bucket 734562961.

Error - 8/22/2011 1:43:52 AM | Computer Name = FAMILY | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/22/2011 1:44:19 AM | Computer Name = FAMILY | Source = Application Hang | ID = 1001
Description = Fault bucket 57586923.

[ System Events ]
Error - 8/22/2011 10:56:17 AM | Computer Name = FAMILY | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SMR210.SYS' on the volume 'HarddiskVolume1'. It has
stopped monitoring the volume.

Error - 8/22/2011 10:56:17 AM | Computer Name = FAMILY | Source = lsermous | ID = 327684
Description = The hardware resources for are already in use by another device.

Error - 8/22/2011 10:57:02 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7000
Description = The NVR0FLASHDev service failed to start due to the following error:
%%2

Error - 8/22/2011 10:57:05 AM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
lmoufltr

Error - 8/22/2011 2:14:17 PM | Computer Name = FAMILY | Source = lsermous | ID = 327684
Description = The hardware resources for are already in use by another device.

Error - 8/22/2011 2:14:41 PM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7000
Description = The NVR0FLASHDev service failed to start due to the following error:
%%2

Error - 8/22/2011 2:14:45 PM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
lmoufltr

Error - 8/22/2011 2:53:44 PM | Computer Name = FAMILY | Source = lsermous | ID = 327684
Description = The hardware resources for are already in use by another device.

Error - 8/22/2011 2:53:45 PM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7000
Description = The NVR0FLASHDev service failed to start due to the following error:
%%2

Error - 8/22/2011 2:53:46 PM | Computer Name = FAMILY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
lmoufltr


< End of report >

#5 Gammo (Member 2k, Malware Removal, 2,299 posts)
Hi,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - [2011/08/21 20:28:22 | 000,717,312 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\iprop32.exe -- (aspnet_state32)
    O2 - BHO: (no name) - {12452C9C-B120-4710-8586-845DBABBAB40} - C:\WINDOWS\system32\authz32.dll (People Can Fly)
    [2011/08/21 21:32:27 | 000,158,208 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\mswsock32.dll
    [2011/08/21 20:29:11 | 000,717,312 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\slbiop32.exe
    [2011/08/21 20:29:02 | 000,717,312 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\iprop32.exe
    [2011/08/21 20:28:53 | 000,334,336 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\authz32.dll
    [2011/08/21 21:32:27 | 000,000,103 | ---- | M] () -- C:\WINDOWS\System32\450784611
    [2011/08/21 21:17:12 | 000,031,992 | ---- | M] () -- C:\{DC36F24C-EA1C-4A3E-BC68-4A6FCD92C6D3}
    [2010/12/29 10:24:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pJnBp01819
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
    [1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\Desktop\lhnfyqpnpn.tmp:SummaryInformation
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\Owner\Desktop\lhnfyqpnpn.tmp
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

#6 Iceman107 (New Member, Topic Starter, 6 posts)
I've included the OTL as well as the ComboFix logs:

All processes killed
========== OTL ==========
Error: Unable to stop service aspnet_state32!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state32 deleted successfully.
C:\WINDOWS\system32\iprop32.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12452C9C-B120-4710-8586-845DBABBAB40}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12452C9C-B120-4710-8586-845DBABBAB40}\ deleted successfully.
C:\WINDOWS\system32\authz32.dll moved successfully.
File C:\WINDOWS\System32\mswsock32.dll not found.
C:\WINDOWS\system32\slbiop32.exe moved successfully.
File C:\WINDOWS\System32\iprop32.exe not found.
File C:\WINDOWS\System32\authz32.dll not found.
C:\WINDOWS\system32\450784611 moved successfully.
C:\{DC36F24C-EA1C-4A3E-BC68-4A6FCD92C6D3} moved successfully.
C:\Documents and Settings\All Users\Application Data\pJnBp01819 folder moved successfully.
C:\WINDOWS\LMI3.tmp\rescue.log deleted successfully.
C:\WINDOWS\LMI3.tmp folder deleted successfully.
C:\WINDOWS\LMI4.tmp\rescue.log deleted successfully.
C:\WINDOWS\LMI4.tmp folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\Documents and Settings\Owner\Desktop\lhnfyqpnpn.tmp deleted successfully.
Unable to delete ADS C:\Documents and Settings\Owner\Desktop\lhnfyqpnpn.tmp:SummaryInformation .
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
File\Folder C:\Documents and Settings\Owner\Desktop\lhnfyqpnpn.tmp not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 51473 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 802883 bytes
->Flash cache emptied: 1270 bytes

User: Owner
->Temp folder emptied: 131072 bytes
->Temporary Internet Files folder emptied: 6720599 bytes
->Java cache emptied: 9529932 bytes
->Flash cache emptied: 11769 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 17.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.26.5 log created on 08232011_111314

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VN1DM9A3\aceUAC[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VN1DM9A3\ads[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VN1DM9A3\launch[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VN1DM9A3\like[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VN1DM9A3\quickreply[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VN1DM9A3\st[1] moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VN1DM9A3\yimapp[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWQUW4DK\blank[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWQUW4DK\iframe3[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWQUW4DK\login_status[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DXDOD2HL\app[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DXDOD2HL\controller[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DXDOD2HL\fc[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DXDOD2HL\login_status[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DXDOD2HL\page__p__2052099__fromsearch__1[1].txt moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DXDOD2HL\view[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DXDOD2HL\_;ord=1314115886384537[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8STZVO50\ext-render-secure[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8STZVO50\index[1].php moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8STZVO50\xframe-proxy_20110602[2].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8STZVO50\xframe-proxy_20110602[3].html moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_6c0.dat moved successfully.

Registry entries deleted on Reboot...
ComboFix 11-08-23.03 - Owner 08/23/2011 10:43:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.299 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{D6B25B8D-0566-42B1-A23D-7576138435D6}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{D6B25B8D-0566-42B1-A23D-7576138435D6}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{D6B25B8D-0566-42B1-A23D-7576138435D6}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{D6B25B8D-0566-42B1-A23D-7576138435D6}\Setup.ico
c:\documents and settings\LocalService\Application Data\02000000e862833f1406C.manifest
c:\documents and settings\LocalService\Application Data\02000000e862833f1406O.manifest
c:\documents and settings\LocalService\Application Data\02000000e862833f1406P.manifest
c:\documents and settings\LocalService\Application Data\02000000e862833f1406S.manifest
c:\documents and settings\Owner\lhnfyqpnpn.tmp
c:\documents and settings\Owner\My Documents\360.txt
c:\program files\messenger\msmsgsin.exe
c:\windows\system32\lp3codec32win.dll
c:\windows\system32\mswsock32.dll
c:\windows\system32\slbiop32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-07-23 to 2011-08-23 )))))))))))))))))))))))))))))))
.
.
2011-08-23 15:58 . 2011-08-23 15:58 158208 ----a-w- c:\windows\system32\msxbde4032.dll
2011-08-22 01:29 . 2011-08-22 01:28 717312 ----a-w- c:\windows\system32\iprop32.exe
2011-08-22 01:28 . 2011-08-22 01:28 334336 ----a-w- c:\windows\system32\authz32.dll
2011-08-14 22:58 . 2011-08-14 22:58 -------- dcsh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-10 21:15 . 2011-08-13 15:52 -------- d-----w- C:\found.000
2011-08-10 19:15 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 19:14 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-07-29 02:52 . 2011-07-30 17:41 -------- d-----w- c:\program files\Mp3GainPRO
2011-07-25 05:38 . 2011-07-25 05:38 15728640 ----a-w- C:\clppa.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-10 12:54 . 2011-05-18 10:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2001-08-23 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2010-01-08 16:21 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2010-01-11 19:19 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-07 10:02 . 2011-06-07 10:01 5636840 ----a-w- c:\program files\Smart Wave Converter - Pro.exe
2011-06-02 14:02 . 2001-08-23 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12452C9C-B120-4710-8586-845DBABBAB40}]
2011-08-22 01:28 334336 ----a-w- c:\windows\system32\authz32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-07-24 79872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadStudio
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
2000-05-03 15:10 33792 -c--a-w- c:\progra~1\Logitech\MOUSEW~1\system\EM_EXEC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 20:28 954368 -c--a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-06-16 12:55 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 11:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2010-10-09 17:56 160328 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [5/2/2011 5:38 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [5/2/2011 5:38 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 7:17 PM 815736]
R1 lkbdfltr;Logitech Keyboard Class Filter Driver;c:\windows\system32\drivers\LKBDFLTR.SYS [1/17/2010 11:15 AM 4240]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [5/2/2011 5:38 PM 136312]
R2 aspnet_state32;ASP.NET State Service ;c:\windows\system32\iprop32.exe [8/21/2011 8:29 PM 717312]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccsvchst.exe [5/2/2011 5:38 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 7:06 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110822.030\IDSXpx86.sys [8/22/2011 8:07 PM 355256]
S1 lmoufltr;Logitech Mouse Class Filter Driver;c:\windows\system32\drivers\LMOUFLTR.SYS [1/17/2010 11:15 AM 58592]
S1 lsermous;Logitech Serial Mouse Driver;c:\windows\system32\drivers\LSERMOUS.SYS [1/17/2010 11:15 AM 58736]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2010 12:56 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2010 12:56 PM 136176]
S3 WFMC_VAD;WFMC Virtual Audio Device (WDM);c:\windows\system32\drivers\wfmcvad.sys [2/25/2011 2:42 PM 19328]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-15 c:\windows\Tasks\Ace Optimizer Maintenance.job
- c:\program files\Ace Utilities\au.exe [2011-07-08 01:11]
.
2011-08-14 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2001-08-23 11:42]
.
2011-08-14 c:\windows\Tasks\Disk Defragmenter.job
- c:\documents and settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk [2010-01-08 16:35]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 17:55]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 17:55]
.
2011-08-22 c:\windows\Tasks\RaimaRadio_WDRV- 971 The Drive_5_25_2011_6_52_49_PM.job
- c:\program files\RarmaRadio\RarmaRadio.exe [2010-01-16 20:25]
.
2011-05-13 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2011-02-16 21:31]
.
2011-08-14 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2011-02-16 21:31]
.
2011-08-23 c:\windows\Tasks\User_Feed_Synchronization-{EE1165A9-ABDE-4FE6-B789-44AB0A7ED5F1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Connection Wizard,ShellNext = iexplore
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
TCP: DhcpNameServer = 192.168.10.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Desktop Software - c:\program files\Common Files\SupportSoft\bin\bcont.exe
AddRemove-{D6B25B8D-0566-42B1-A23D-7576138435D6} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{D6B25~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-23 11:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\slbiop32.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-23 11:08:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-23 16:08
.
Pre-Run: 12,033,314,816 bytes free
Post-Run: 12,060,647,424 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /bootlog
.
- - End Of File - - 22C5A6D0B5BBB3889FF0CD5BA5A3A237
#7 Gammo (Member 2k, Malware Removal, 2,299 posts)
Hi,

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

http://www.geekstogo.com/forum/topic/306382-tracur-trojan-activity-norton-360/

Collect::
c:\windows\system32\msxbde4032.dll
c:\windows\system32\iprop32.exe
c:\windows\system32\authz32.dll
C:\WINDOWS\System32\mswsock32.dll
C:\WINDOWS\System32\slbiop32.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12452C9C-B120-4710-8586-845DBABBAB40}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12452C9C-B120-4710-8586-845DBABBAB40}]

Driver::
aspnet_state32

KillAll::

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
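The check a triager runs in their head on a log like the one above, written out as a small Python script. This is an added example and is not part of this thread, of ComboFix or of Gammo's instructions. It parses the three timestamped line shapes ComboFix prints in the "Reg Loading Points" and services sections (file lines under a registry key, Run values, and R/S service lines) and flags any binary hooked into a loading point that was written directly into system32 shortly before the scan. The sample lines are copied from the log in this thread (a constructed subset, with ordinary entries mixed in as controls); the 30-day window, the "directly in system32" rule and the scan date taken from the "Rootkit scan 2011-08-23" line are my assumptions, not ComboFix logic. On that sample it surfaces exactly the two files the CFScript collects by timestamp: authz32.dll behind the Browser Helper Object and iprop32.exe behind the "aspnet_state32" service. The "Other Running Processes" and "DLLs Loaded" sections carry no timestamps, so slbiop32.exe cannot be scored this way from those lines and still needs a manual look.

```python
import re
from datetime import date, datetime

# Constructed sample: lines copied from the ComboFix log in this thread. Two of
# them are the entries the helper's CFScript targets; the rest are ordinary
# entries that a good heuristic must leave alone.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12452C9C-B120-4710-8586-845DBABBAB40}]
2011-08-22 01:28 334336 ----a-w- c:\windows\system32\authz32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 11:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
R2 aspnet_state32;ASP.NET State Service ;c:\windows\system32\iprop32.exe [8/21/2011 8:29 PM 717312]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccsvchst.exe [5/2/2011 5:38 PM 130008]
R1 lkbdfltr;Logitech Keyboard Class Filter Driver;c:\windows\system32\drivers\LKBDFLTR.SYS [1/17/2010 11:15 AM 4240]
"""

SCAN_DATE = date(2011, 8, 23)   # from the "Rootkit scan 2011-08-23" line of the log
RECENT_DAYS = 30                # assumption: a binary this young in system32 deserves a look

# The line shapes ComboFix uses in the loading-point and service sections.
KEY_LINE = re.compile(r"^\[(.+)\]$")
ISO_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\d+\s+[-a-z]+\s+(c:\\.+)$", re.I)
RUN_LINE = re.compile(r'^"[^"]+"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) \d+\]$', re.I)
SVC_LINE = re.compile(
    r"^[RS]\d\s+(\S+);[^;]*;(.+?)\s+\[(\d{1,2}/\d{1,2}/\d{4}) \d{1,2}:\d{2} [AP]M \d+\]$", re.I)
# A file sitting directly in system32 (not in a vendor subdirectory such as drivers\N360).
SYSTEM32_DIRECT = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)


def parse_entries(log_text):
    """Yield (context, path, file_date) for every timestamped loading point or service."""
    context = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            context = m.group(1)          # remember the registry key for the lines under it
            continue
        m = ISO_LINE.match(line)
        if m:
            yield context, m.group(2), date.fromisoformat(m.group(1))
            continue
        m = RUN_LINE.match(line)
        if m:
            yield context, m.group(1), date.fromisoformat(m.group(2))
            continue
        m = SVC_LINE.match(line)
        if m:
            yield "service " + m.group(1), m.group(2), datetime.strptime(m.group(3), "%m/%d/%Y").date()


def triage(log_text, scan_date=SCAN_DATE, recent_days=RECENT_DAYS):
    """Return [(path, context, age_in_days)] for binaries hooked into a loading point
    that were written directly into system32 within recent_days of the scan."""
    findings = []
    for context, path, file_date in parse_entries(log_text):
        age = (scan_date - file_date).days
        if SYSTEM32_DIRECT.match(path) and 0 <= age <= recent_days:
            findings.append((path.lower(), context, age))
    return findings


if __name__ == "__main__":
    for path, context, age in triage(SAMPLE_LOG):
        print(f"{path}  ({age} day(s) old)  hooked via {context}")
```

The rule is deliberately narrow: age alone would also flag the freshly updated Norton definition drivers under Application Data, and location alone would flag every Windows DLL, so it is the combination of a persistence hook, a bare system32 path and a write date a day or two before the alerts that makes these two files stand out.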