
Slow internet connection


  • This topic is locked
17 replies to this topic

#1 summersa

summersa

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Africa
  • Local time:01:24 AM

Posted 20 May 2009 - 04:19 AM

Hi,

Hopefully somebody can help me. I run IE, 6 I think. Sometimes when I download, the speed goes down to zero. If I open up Task Manager and view networking, the line is completely flat at the bottom.

I have run Iobit Advanced System Care Pro and produced a log which they specify as Hijack This compatible.

I hope it provides whoever is going to assist with the necessary information. I run an office computer subject to certain restrictions.

See log below,

Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 10:15:16 AM, on 2009/05/20
Platform: Windows XP (WinNT 5.1)
MSIE: Internet Explorer v6.0 (6.0.2900.5512)
Boot mode: Normal

Running processes:
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Utils\SPYBOT~2\SDHelper.dll
O2 - BHO: SBCONVERT - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser RiskMonitor] "C:\Program Files\East-Tec Eraser 2008\Launch.exe" "C:\Program Files\East-Tec Eraser 2008\etRiskMon.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StartCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IFXSPMGT] c:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: (Ati HotKey Poller) - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\WINDOWS\system32\ifxtcs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Unknown - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - c:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Unknown - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown - System32\SnoopFreeSvc.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Unknown - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Unknown - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown - %systemRoot%\System32\svchost.exe


Thanks
Summersa
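The log above is in HijackThis format: each line is a section code (O2 browser helper objects, O4 autorun keys, O23 services, and so on), a description, and the file the entry points at. The following Python is an added example and is not part of the original post, nor code from BleepingComputer, IObit or HijackThis. It parses lines of that format into records and applies the kind of first-pass review checks a log helper does by eye: an entry whose file is missing ("(no file)" or nothing after the last separator), an autorun command that is a bare filename resolved through the PATH search order, a service binary given as a relative rather than drive-anchored path, and a service whose version info carries no publisher ("Unknown"). The sample lines are copied from the log above; the flag wording and the thresholds are my assumptions about what merits a closer look, and a flag is a review prompt, not a verdict (the Symantec LiveUpdate service shows "Unknown" as well).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis-compatible log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Utils\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O9 - Extra button: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Unknown - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown - System32\SnoopFreeSvc.exe
"""


@dataclass
class Entry:
    section: str                 # "O2", "O4", "O23", ...
    name: str                    # human-readable description (may include the CLSID)
    company: str                 # publisher from version info (O23 only), "" otherwise
    path: str                    # file path or autorun command line, "" if absent
    flags: List[str] = field(default_factory=list)


# O4 lines carry a command line after the bracketed value name.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis-style line into an Entry; None for blank/unknown lines."""
    line = line.strip()
    if not line:
        return None
    if line.endswith(" -"):          # trailing separator with nothing after it
        line += " "
    m = O4_RE.match(line)
    if m:
        return Entry("O4", f"{m['hive']} {m['name']}", "", m["cmd"].strip())
    section, _, rest = line.partition(" - ")
    if not section.startswith("O"):
        return None
    # The file is the last " - " field; names themselves may contain " - ".
    head, _, path = rest.rpartition(" - ")
    if section == "O23":
        name, _, company = head.rpartition(" - ")
        return Entry(section, name, company.strip(), path.strip())
    return Entry(section, head, "", path.strip())


def executable_of(cmd: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def review(entry: Entry) -> Entry:
    """Attach review flags (assumed heuristics, not verdicts) to an entry."""
    exe = executable_of(entry.path) if entry.section == "O4" else entry.path
    if exe == "" or exe.lower() == "(no file)":
        entry.flags.append("orphan: entry points at no file")
    elif "\\" not in exe:
        entry.flags.append("bare filename: located via PATH search order, not an absolute path")
    elif not re.match(r"^[a-z]:\\", exe, re.I):
        entry.flags.append("relative path: not anchored to a drive letter")
    if entry.section == "O23" and entry.company.lower() == "unknown":
        entry.flags.append("no publisher in version info")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse and review every entry in a log; returns all entries, flagged or not."""
    return [review(e) for e in map(parse_line, log_text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e.flags:
            print(f"{e.section:<4} {e.name} -> {e.path or '(none)'}")
            for f in e.flags:
                print(f"       * {f}")
```

Run it against a full log by reading the file instead of `SAMPLE_LOG`; the output is a shortlist for a human to check (whether the file exists on disk, who signed it, why it was installed), which is the step a helper performs before recommending any removal.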

#2 summersa

summersa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Africa
  • Local time:01:24 AM

Posted 27 May 2009 - 03:52 AM

Hi Guys,

Anybody out there who can help? I have run Xoftspy and it comes up with an infection - Backdoor Rbot BLL Trojan.
Spybot and Norton do not seem to detect it.
Help...
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 28 May 2009 - 10:45 PM.


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:24 PM

Posted 01 June 2009 - 11:07 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 summersa

summersa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Africa
  • Local time:01:24 AM

Posted 04 June 2009 - 05:29 AM

Hi, attached are the logs of the scan.
Thanks, Angus.

Attached Files



#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 06 June 2009 - 09:41 AM

Hi summersa,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 11 June 2009 - 07:18 AM

Are you still there? I'll wait one more day before closing the topic.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 11 June 2009 - 07:21 AM

Hi summersa,

The topic is open, please post your reply.

Edited by farbar, 12 June 2009 - 03:39 AM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 12 June 2009 - 05:44 AM

summersa,

I understand from your PM KOS is taking too long to download. Instead please do this:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt along with MBAM log to your next reply.

#9 summersa

summersa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Africa
  • Local time:01:24 AM

Posted 12 June 2009 - 08:24 AM

Hi farbar,
I have run mbam and attach the log file. I then downloaded and installed Combo Fix and then ran that too. It could not download Microsoft Windows Recovery Console. I have tried to look on the net where I could download manually but have been unsuccessful. Combo Fix has finished running and the log is also attached.
Many thanks for your time and patience, it is appreciated.
summersa

Unable to attach files, after 5 minutes less than 50% has been transferred, listed contents below.

Malwarebytes' Anti-Malware 1.37
Database version: 2202
Windows 5.1.2600 Service Pack 3

2009/06/12 10:12:15 AM
mbam-log-2009-06-12 (10-12-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 190751
Time elapsed: 1 hour(s), 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ComboFix 09-06-11.06 - summersa 2009/06/12 13:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.417 [GMT 2:00]
Running from: c:\program files\Utils\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 08:54 . 2009-06-12 08:54 -------- d-----w- c:\windows\Sun
2009-06-12 08:50 . 2009-06-12 08:50 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-12 08:50 . 2009-06-12 08:50 -------- d-----w- c:\program files\Java
2009-06-12 08:45 . 2009-06-12 08:30 714136 ----a-w- c:\documents and settings\summersa\Application Data\Sun\Java\jre1.6.0_14\JavaSetup6u14.exe
2009-06-12 08:43 . 2009-06-12 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-12 08:43 . 2009-06-12 08:49 152576 ----a-w- c:\documents and settings\summersa\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-11 17:30 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 17:30 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 17:23 . 2009-06-11 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 16:24 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\owy6D.exe
2009-06-11 16:24 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\njg6C.exe
2009-06-05 06:08 . 2008-12-01 11:47 40368 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2009-06-05 06:08 . 2008-12-01 11:47 4244744 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-06-05 06:08 . 2008-12-01 11:47 13576 ----a-w- c:\windows\system32\wnaspi32.dll
2009-06-05 06:08 . 2008-12-01 11:46 247560 ----a-w- c:\windows\system32\prgiso.dll
2009-06-03 13:14 . 2009-06-03 13:14 -------- d-----w- c:\documents and settings\summersa\Application Data\Mp3 Music Editor
2009-06-03 13:13 . 2005-03-28 13:56 417792 ----a-w- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-03 13:13 . 2005-03-29 05:57 2084864 ----a-w- c:\windows\system32\NCTAudioDesign2.dll
2009-06-03 09:23 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\fbh2E.exe
2009-06-02 07:54 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\xud4502.exe
2009-06-01 12:04 . 2006-08-02 03:01 438272 ----a-w- c:\windows\system32\SkinCrafter.dll
2009-06-01 12:04 . 2007-03-09 22:37 139264 ----a-w- c:\windows\system32\viscomqtde.dll
2009-06-01 12:04 . 2007-03-09 22:36 81920 ----a-w- c:\windows\system32\viscomwave.dll
2009-05-31 12:47 . 2009-05-31 12:47 -------- d-----w- c:\documents and settings\summersa\Application Data\Malwarebytes
2009-05-31 12:47 . 2009-05-31 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 19:22 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\apl2.exe
2009-05-29 16:39 . 2009-05-29 16:39 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-29 16:39 . 2009-03-02 13:00 95592 ----a-w- c:\windows\system32\drivers\StarPortLite.sys
2009-05-29 15:48 . 2009-05-29 15:48 9472 ----a-w- c:\windows\system32\drivers\SnopFree.sys.vir
2009-05-29 15:45 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\yyx57.exe
2009-05-29 09:03 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-05-29 09:03 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-05-29 09:03 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-05-29 09:03 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-05-29 09:03 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-05-29 09:03 . 2009-05-29 15:44 -------- d-----w- c:\documents and settings\summersa\Application Data\Simply Super Software
2009-05-29 09:03 . 2009-05-29 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-05-28 15:51 . 2009-05-28 15:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-25 16:25 . 2009-05-30 18:38 117760 ----a-w- c:\documents and settings\summersa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-25 16:24 . 2009-05-25 16:24 -------- d-----w- c:\documents and settings\summersa\Application Data\SUPERAntiSpyware.com
2009-05-25 16:05 . 2009-05-25 16:05 -------- d-----w- c:\documents and settings\summersa\Application Data\iRecordMax Audio Editor
2009-05-25 16:03 . 2009-05-25 16:03 -------- d-----w- c:\documents and settings\summersa\Application Data\iRecordMax Sound Recorder
2009-05-25 16:02 . 2005-04-25 11:01 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-05-25 16:02 . 2005-04-25 11:01 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-05-25 16:02 . 2005-04-04 15:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-05-25 16:02 . 2005-03-28 13:54 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-05-25 16:02 . 2005-03-28 13:52 417792 ----a-w- c:\windows\system32\NCTTextToAudio2.dll
2009-05-25 16:02 . 2005-02-24 09:51 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-05-25 16:02 . 2005-05-18 09:52 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-05-25 16:02 . 2005-05-17 10:37 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-05-25 16:02 . 2005-04-15 10:08 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-05-25 16:02 . 2004-11-04 11:31 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-05-25 11:27 . 2009-05-25 11:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2009-05-25 11:25 . 2009-03-02 13:13 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
2009-05-25 11:25 . 2009-03-02 13:13 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
2009-05-25 08:55 . 2001-10-28 23:42 116224 ----a-w- c:\windows\system32\pdfmonnt.dll
2009-05-25 08:55 . 2009-05-25 08:55 -------- d-----w- c:\program files\PDF-Convert
2009-05-25 08:45 . 2007-08-01 12:57 1014272 ----a-w- c:\windows\system32\PPEngine.dll
2009-05-25 08:45 . 2007-07-12 06:17 472064 ----a-w- c:\windows\system32\PurePage.exe
2009-05-25 08:45 . 2000-06-20 19:28 217088 ----a-w- c:\windows\system32\LPng.dll
2009-05-25 08:45 . 2000-01-24 03:01 453632 ----a-w- c:\windows\system32\stdvcl40.dll
2009-05-25 08:45 . 2009-05-26 11:51 -------- d-----w- c:\program files\ClickToConvert
2009-05-22 09:09 . 2009-05-22 09:09 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-05-21 12:28 . 2009-05-21 12:28 -------- d-----w- c:\documents and settings\summersa\CAS
2009-05-16 13:23 . 2009-06-12 11:46 -------- d-----w- C:\Temp
2009-05-14 15:24 . 2009-04-23 15:24 16640 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 11:47 . 2009-04-20 11:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-12 11:23 . 2009-05-05 07:47 -------- d-----w- c:\program files\Utils
2009-06-12 06:18 . 2007-09-18 12:22 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-05 05:59 . 2007-09-14 19:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-03 18:48 . 2009-06-03 18:47 -------- d-----w- c:\documents and settings\summersa\Application Data\Winamp
2009-05-26 18:15 . 2009-05-04 15:16 -------- d-----w- c:\program files\East-Tec Eraser 2008
2009-05-26 11:51 . 2009-04-21 17:00 -------- d-----w- c:\program files\GoldWave
2009-05-26 11:51 . 2009-04-21 17:04 -------- d-----w- c:\program files\Eraser
2009-05-25 08:46 . 2009-04-06 11:34 67616 ----a-w- c:\documents and settings\summersa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:34 . 2001-03-22 20:45 381 ----a-w- c:\windows\Fonts\write.txt
2009-05-22 09:00 . 2009-04-20 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-05-20 08:34 . 2009-04-21 12:32 -------- d-----w- c:\documents and settings\summersa\Application Data\IObit
2009-05-15 13:21 . 2009-05-05 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-06 07:59 . 2009-05-06 08:00 2639373 ----a-w- c:\program files\GAotD MultiStage Recovery[1].zip
2009-05-05 08:13 . 2009-05-05 08:13 -------- d-----w- c:\documents and settings\summersa\Application Data\VSRevoGroup
2009-05-05 07:56 . 2009-05-05 07:56 -------- d-----w- c:\documents and settings\summersa\Application Data\EAST Technologies
2009-04-22 11:29 . 2009-04-22 11:28 -------- d-----w- c:\program files\MTN F@stLink
2009-04-21 16:57 . 2009-04-21 16:57 -------- d-----w- c:\program files\PDF 2 Word v3.0
2009-04-21 16:55 . 2009-04-21 16:55 -------- d-----w- c:\program files\OpenSebJ
2009-04-21 16:53 . 2009-04-21 16:53 -------- d-----w- c:\program files\PDF Foxonic Prof
2009-04-21 16:49 . 2009-04-21 16:49 -------- d-----w- c:\program files\PDF Foxonic
2009-04-21 12:32 . 2009-04-21 12:32 -------- d-----w- c:\program files\IObit
2009-04-20 15:25 . 2009-04-20 11:27 -------- d-----w- c:\program files\VS Revo Group
2009-04-20 11:48 . 2009-04-20 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-04-20 11:29 . 2009-04-20 11:29 34 ----a-w- c:\windows\system32\09wutili.sys
2009-04-20 11:28 . 2009-04-20 11:28 -------- d-----w- c:\program files\WinUtilities
2009-04-20 11:13 . 2009-04-20 11:13 50688 ----a-w- c:\windows\system32\wbhelp2.dll
2009-04-17 16:04 . 2009-04-17 16:04 -------- d-----w- c:\program files\Wondershare
2009-04-17 16:02 . 2009-04-17 16:02 -------- d-----w- c:\program files\WondershareVideoConverter[1]
2009-04-17 14:46 . 2009-04-17 14:49 9249177 ----a-w- c:\program files\WondershareVideoConverter[1].zip
2009-04-17 07:55 . 2009-04-17 07:55 -------- d-----w- c:\program files\CleanUp!
2009-04-14 10:18 . 2009-04-14 10:18 131 ----a-w- c:\documents and settings\summersa\Local Settings\Application Data\fusioncache.dat
2009-04-14 10:17 . 2009-04-14 10:16 -------- d-----w- c:\program files\Common Files\SAP Shared
2009-04-14 10:17 . 2009-04-14 10:16 -------- d-----w- c:\program files\Common Files\ESRI
2009-04-14 10:16 . 2009-04-14 10:16 -------- d-----w- c:\program files\SAP
2009-04-14 10:14 . 2009-04-14 10:14 -------- d-----w- c:\program files\My Company Name
2009-04-03 07:03 . 2008-10-15 13:56 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2009-04-03 07:03 . 2008-10-15 13:56 1290584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll
2009-04-03 07:03 . 2008-10-15 13:56 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-04-03 07:00 . 2009-04-03 07:00 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-04-03 07:00 . 2009-04-03 07:00 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-03 06:44 . 2007-09-14 19:07 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-03-27 15:37 . 2009-04-20 15:22 1567713 ----a-w- c:\program files\Uninstaller Revo Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser RiskMonitor"="c:\program files\East-Tec Eraser 2008\Launch.exe" [2008-03-22 18536]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-01-06 202064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-03 293168]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-15 115560]
"TrojanScanner"="c:\program files\Utils\Trojan Remover\Trjscan.exe" [2009-05-26 1059720]
"WinampAgent"="c:\program files\Utils\Winamp\winampa.exe" [2009-04-10 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-12 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
C2CMonitor.lnk - c:\program files\ClickToConvert\C2CMonitor.exe [2009-5-25 412160]
VPN Client.lnk - c:\windows\Installer\{270FE6A0-E893-421C-809E-5B9111C2D4EC}\Icon3E5562ED7.ico [2009-4-3 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\Utils\SASp\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\Utils\SASp\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-03 16:51 112640 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-03 16:51 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 06:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23267018-518795612-518595180-10698\Scripts\Logon\0\0]
"Script"=\\jhb-raddc\NETLOGON\DA2LAGroup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23267018-518795612-518595180-10698\Scripts\Logon\0\1]
"Script"=CAS30.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [6/5/2009 8:08 AM 40368]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2/7/2007 11:22 AM 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 1:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 4:54 PM 13696]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/23/2007 8:07 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2/7/2007 11:23 AM 5808]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [5/29/2009 6:39 PM 95592]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/3/2007 6:51 PM 182576]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [9/11/2007 9:17 AM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [3/29/2007 5:50 PM 221184]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [12/4/2006 4:13 PM 292384]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [9/14/2007 9:31 PM 1489688]
R2 VDDriver;Virtual Disk Driver;c:\program files\Utils\Virtual Disk\VDDriver.sys [5/22/2009 11:15 AM 40952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/2/2009 3:44 PM 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 7:13 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [9/14/2007 9:28 PM 47616]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [5/14/2009 5:24 PM 16640]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\Utils\SASDIFSV.SYS --> c:\program files\Utils\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\Utils\SASKUTIL.sys --> c:\program files\Utils\SASKUTIL.sys [?]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [9/11/2007 9:17 AM 14336]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/15/2008 3:56 PM 23888]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 1:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 8:28 AM 172131]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [9/17/2007 2:26 PM 33024]
S3 SASENUM;SASENUM;\??\c:\program files\Utils\SASENUM.SYS --> c:\program files\Utils\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-04-21 09:37]

2009-06-12 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\Utils\XoftSpySE\XoftSpy.exe [2009-05-20 13:58]

2009-05-26 c:\windows\Tasks\XoftSpySE.job
- c:\program files\Utils\XoftSpySE\XoftSpy.exe [2009-05-20 13:58]
.
- - - - ORPHANS REMOVED - - - -

Notify-OneCard - c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet/
mStart Page = hxxp://intranet/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: giveawayoftheday.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 13:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1920)
c:\program files\Utils\SASp\SASWINLO.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1976)
c:\windows\SbHpNp.dll

- - - - - - - > 'explorer.exe'(1820)
c:\windows\system32\mobsync.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Symantec AntiVirus\SNAC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\system32\CF10553.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\East-Tec Eraser 2008\etRiskMon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\scardsvr.exe
.
**************************************************************************
.
Completion time: 2009-06-12 13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 11:51

Pre-Run: 123 571 240 960 bytes free
Post-Run: 123 513 237 504 bytes free



#10 Farbar (Just Curious; Security Developer, 21,689 posts, Location: The Netherlands)

Posted 12 June 2009 - 10:35 AM

Well done. :thumbup2:

Please copy and paste the logs instead of attaching them. Thank you.
  • MBAM is not updated. Please update and run it; if the log is clean you don't need to post the log.
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
    Select the download that's appropriate for your Operating System.
    Download the file & save it as it's originally named, next to ComboFix.exe.
    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt for further review.


#11 summersa (Topic Starter; Members, 14 posts, Location: South Africa)

Posted 15 June 2009 - 06:28 AM

Hi Farbar,

Here is the ComboFix log. I hope everything is in order.

Thanks once again
summersa :thumbup2:

ComboFix 09-06-11.06 - SummersA 2009/06/15 12:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.332 [GMT 2:00]
Running from: c:\program files\Utils\ComboFix.exe
Command switches used :: c:\documents and settings\summersa\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-15 10:39 . 2009-06-15 10:40 -------- d-----w- C:\32788R22FWJFW
2009-06-12 08:54 . 2009-06-12 08:54 -------- d-----w- c:\windows\Sun
2009-06-12 08:50 . 2009-06-12 08:50 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-12 08:50 . 2009-06-12 08:50 -------- d-----w- c:\program files\Java
2009-06-12 08:45 . 2009-06-12 08:30 714136 ----a-w- c:\documents and settings\summersa\Application Data\Sun\Java\jre1.6.0_14\JavaSetup6u14.exe
2009-06-12 08:43 . 2009-06-12 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-12 08:43 . 2009-06-12 08:49 152576 ----a-w- c:\documents and settings\summersa\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-11 17:30 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 17:30 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 17:23 . 2009-06-11 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 16:24 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\owy6D.exe
2009-06-11 16:24 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\njg6C.exe
2009-06-05 06:08 . 2008-12-01 11:47 40368 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2009-06-05 06:08 . 2008-12-01 11:47 4244744 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-06-05 06:08 . 2008-12-01 11:47 13576 ----a-w- c:\windows\system32\wnaspi32.dll
2009-06-05 06:08 . 2008-12-01 11:46 247560 ----a-w- c:\windows\system32\prgiso.dll
2009-06-03 13:14 . 2009-06-03 13:14 -------- d-----w- c:\documents and settings\summersa\Application Data\Mp3 Music Editor
2009-06-03 13:13 . 2005-03-28 13:56 417792 ----a-w- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-03 13:13 . 2005-03-29 05:57 2084864 ----a-w- c:\windows\system32\NCTAudioDesign2.dll
2009-06-03 09:23 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\fbh2E.exe
2009-06-02 07:54 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\xud4502.exe
2009-06-01 12:04 . 2006-08-02 03:01 438272 ----a-w- c:\windows\system32\SkinCrafter.dll
2009-06-01 12:04 . 2007-03-09 22:37 139264 ----a-w- c:\windows\system32\viscomqtde.dll
2009-06-01 12:04 . 2007-03-09 22:36 81920 ----a-w- c:\windows\system32\viscomwave.dll
2009-05-31 12:47 . 2009-05-31 12:47 -------- d-----w- c:\documents and settings\summersa\Application Data\Malwarebytes
2009-05-31 12:47 . 2009-05-31 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 19:22 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\apl2.exe
2009-05-29 16:39 . 2009-05-29 16:39 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-29 16:39 . 2009-03-02 13:00 95592 ----a-w- c:\windows\system32\drivers\StarPortLite.sys
2009-05-29 15:48 . 2009-05-29 15:48 9472 ----a-w- c:\windows\system32\drivers\SnopFree.sys.vir
2009-05-29 15:45 . 2009-05-27 13:26 3007352 ----a-w- c:\documents and settings\summersa\Application Data\Simply Super Software\Trojan Remover\yyx57.exe
2009-05-29 09:03 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-05-29 09:03 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-05-29 09:03 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-05-29 09:03 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-05-29 09:03 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-05-29 09:03 . 2009-05-29 15:44 -------- d-----w- c:\documents and settings\summersa\Application Data\Simply Super Software
2009-05-29 09:03 . 2009-05-29 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-05-28 15:51 . 2009-05-28 15:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-25 16:25 . 2009-05-30 18:38 117760 ----a-w- c:\documents and settings\summersa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-25 16:24 . 2009-05-25 16:24 -------- d-----w- c:\documents and settings\summersa\Application Data\SUPERAntiSpyware.com
2009-05-25 16:05 . 2009-05-25 16:05 -------- d-----w- c:\documents and settings\summersa\Application Data\iRecordMax Audio Editor
2009-05-25 16:03 . 2009-05-25 16:03 -------- d-----w- c:\documents and settings\summersa\Application Data\iRecordMax Sound Recorder
2009-05-25 16:02 . 2005-04-25 11:01 458752 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-05-25 16:02 . 2005-04-25 11:01 458752 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-05-25 16:02 . 2005-04-04 15:21 602112 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-05-25 16:02 . 2005-03-28 13:54 479232 ----a-w- c:\windows\system32\NCTAudioVisualization2.dll
2009-05-25 16:02 . 2005-03-28 13:52 417792 ----a-w- c:\windows\system32\NCTTextToAudio2.dll
2009-05-25 16:02 . 2005-02-24 09:51 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-05-25 16:02 . 2005-05-18 09:52 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-05-25 16:02 . 2005-05-17 10:37 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-05-25 16:02 . 2005-04-15 10:08 880640 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-05-25 16:02 . 2004-11-04 11:31 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-05-25 11:27 . 2009-05-25 11:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2009-05-25 11:25 . 2009-03-02 13:13 20648 ----a-w- c:\windows\system32\dopdfmn6.dll
2009-05-25 11:25 . 2009-03-02 13:13 18088 ----a-w- c:\windows\system32\dopdfmi6.dll
2009-05-25 08:55 . 2001-10-28 23:42 116224 ----a-w- c:\windows\system32\pdfmonnt.dll
2009-05-25 08:55 . 2009-05-25 08:55 -------- d-----w- c:\program files\PDF-Convert
2009-05-25 08:45 . 2007-08-01 12:57 1014272 ----a-w- c:\windows\system32\PPEngine.dll
2009-05-25 08:45 . 2007-07-12 06:17 472064 ----a-w- c:\windows\system32\PurePage.exe
2009-05-25 08:45 . 2000-06-20 19:28 217088 ----a-w- c:\windows\system32\LPng.dll
2009-05-25 08:45 . 2000-01-24 03:01 453632 ----a-w- c:\windows\system32\stdvcl40.dll
2009-05-25 08:45 . 2009-05-26 11:51 -------- d-----w- c:\program files\ClickToConvert
2009-05-22 09:09 . 2009-05-22 09:09 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-05-21 12:28 . 2009-05-21 12:28 -------- d-----w- c:\documents and settings\summersa\CAS
2009-05-16 13:23 . 2009-06-15 11:10 -------- d-----w- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 11:11 . 2009-04-20 11:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-12 12:08 . 2009-05-05 07:47 -------- d-----w- c:\program files\Utils
2009-06-12 06:18 . 2007-09-18 12:22 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-05 05:59 . 2007-09-14 19:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-03 18:48 . 2009-06-03 18:47 -------- d-----w- c:\documents and settings\summersa\Application Data\Winamp
2009-05-26 18:15 . 2009-05-04 15:16 -------- d-----w- c:\program files\East-Tec Eraser 2008
2009-05-26 11:51 . 2009-04-21 17:00 -------- d-----w- c:\program files\GoldWave
2009-05-26 11:51 . 2009-04-21 17:04 -------- d-----w- c:\program files\Eraser
2009-05-25 08:46 . 2009-04-06 11:34 67616 ----a-w- c:\documents and settings\summersa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:34 . 2001-03-22 20:45 381 ----a-w- c:\windows\Fonts\write.txt
2009-05-22 09:00 . 2009-04-20 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-05-20 08:34 . 2009-04-21 12:32 -------- d-----w- c:\documents and settings\summersa\Application Data\IObit
2009-05-15 13:21 . 2009-05-05 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-06 07:59 . 2009-05-06 08:00 2639373 ----a-w- c:\program files\GAotD MultiStage Recovery[1].zip
2009-05-05 08:13 . 2009-05-05 08:13 -------- d-----w- c:\documents and settings\summersa\Application Data\VSRevoGroup
2009-05-05 07:56 . 2009-05-05 07:56 -------- d-----w- c:\documents and settings\summersa\Application Data\EAST Technologies
2009-04-23 15:24 . 2009-05-14 15:24 16640 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2009-04-22 11:29 . 2009-04-22 11:28 -------- d-----w- c:\program files\MTN F@stLink
2009-04-21 16:57 . 2009-04-21 16:57 -------- d-----w- c:\program files\PDF 2 Word v3.0
2009-04-21 16:55 . 2009-04-21 16:55 -------- d-----w- c:\program files\OpenSebJ
2009-04-21 16:53 . 2009-04-21 16:53 -------- d-----w- c:\program files\PDF Foxonic Prof
2009-04-21 16:49 . 2009-04-21 16:49 -------- d-----w- c:\program files\PDF Foxonic
2009-04-21 12:32 . 2009-04-21 12:32 -------- d-----w- c:\program files\IObit
2009-04-20 15:25 . 2009-04-20 11:27 -------- d-----w- c:\program files\VS Revo Group
2009-04-20 11:48 . 2009-04-20 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-04-20 11:29 . 2009-04-20 11:29 34 ----a-w- c:\windows\system32\09wutili.sys
2009-04-20 11:28 . 2009-04-20 11:28 -------- d-----w- c:\program files\WinUtilities
2009-04-20 11:13 . 2009-04-20 11:13 50688 ----a-w- c:\windows\system32\wbhelp2.dll
2009-04-17 16:04 . 2009-04-17 16:04 -------- d-----w- c:\program files\Wondershare
2009-04-17 16:02 . 2009-04-17 16:02 -------- d-----w- c:\program files\WondershareVideoConverter[1]
2009-04-17 14:46 . 2009-04-17 14:49 9249177 ----a-w- c:\program files\WondershareVideoConverter[1].zip
2009-04-17 07:55 . 2009-04-17 07:55 -------- d-----w- c:\program files\CleanUp!
2009-04-14 10:18 . 2009-04-14 10:18 131 ----a-w- c:\documents and settings\summersa\Local Settings\Application Data\fusioncache.dat
2009-04-03 07:03 . 2008-10-15 13:56 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2009-04-03 07:03 . 2008-10-15 13:56 1290584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll
2009-04-03 07:03 . 2008-10-15 13:56 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-04-03 07:00 . 2009-04-03 07:00 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-04-03 07:00 . 2009-04-03 07:00 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-03 06:44 . 2007-09-14 19:07 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-03-27 15:37 . 2009-04-20 15:22 1567713 ----a-w- c:\program files\Uninstaller Revo Setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-12_11.47.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 07:59 . 2009-06-15 07:59 16384 c:\windows\Temp\Perflib_Perfdata_9d8.dat
+ 2009-06-15 10:56 . 2009-06-15 10:56 16384 c:\windows\Temp\Perflib_Perfdata_710.dat
+ 2009-06-15 10:57 . 2009-06-15 10:57 16384 c:\windows\Temp\Perflib_Perfdata_5fc.dat
+ 2009-06-15 07:49 . 2009-06-15 07:49 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
- 2009-06-12 11:19 . 2009-06-12 11:19 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-12 11:19 . 2009-06-12 11:57 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-12 11:19 . 2009-06-12 11:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-12 11:19 . 2009-06-12 11:57 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-15 10:40 . 2009-06-15 10:39 389120 c:\windows\system32\CF29157.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser RiskMonitor"="c:\program files\East-Tec Eraser 2008\Launch.exe" [2008-03-22 18536]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-01-06 202064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-03 293168]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-15 115560]
"TrojanScanner"="c:\program files\Utils\Trojan Remover\Trjscan.exe" [2009-05-26 1059720]
"WinampAgent"="c:\program files\Utils\Winamp\winampa.exe" [2009-04-10 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-12 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
C2CMonitor.lnk - c:\program files\ClickToConvert\C2CMonitor.exe [2009-5-25 412160]
VPN Client.lnk - c:\windows\Installer\{270FE6A0-E893-421C-809E-5B9111C2D4EC}\Icon3E5562ED7.ico [2009-4-3 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\Utils\SASp\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\Utils\SASp\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-03 16:51 112640 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-03 16:51 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 06:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23267018-518795612-518595180-10698\Scripts\Logon\0\0]
"Script"=\\jhb-raddc\NETLOGON\DA2LAGroup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23267018-518795612-518595180-10698\Scripts\Logon\0\1]
"Script"=CAS30.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [6/5/2009 8:08 AM 40368]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2/7/2007 11:22 AM 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 1:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 4:54 PM 13696]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/23/2007 8:07 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2/7/2007 11:23 AM 5808]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [5/29/2009 6:39 PM 95592]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [9/11/2007 9:17 AM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [3/29/2007 5:50 PM 221184]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [9/14/2007 9:31 PM 1489688]
R2 VDDriver;Virtual Disk Driver;c:\program files\Utils\Virtual Disk\VDDriver.sys [5/22/2009 11:15 AM 40952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/2/2009 3:44 PM 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 7:13 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [9/14/2007 9:28 PM 47616]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [5/14/2009 5:24 PM 16640]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\Utils\SASDIFSV.SYS --> c:\program files\Utils\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\Utils\SASKUTIL.sys --> c:\program files\Utils\SASKUTIL.sys [?]
S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/3/2007 6:51 PM 182576]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [9/11/2007 9:17 AM 14336]
S2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [12/4/2006 4:13 PM 292384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/15/2008 3:56 PM 23888]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 1:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 8:28 AM 172131]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [9/17/2007 2:26 PM 33024]
S3 SASENUM;SASENUM;\??\c:\program files\Utils\SASENUM.SYS --> c:\program files\Utils\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\Utils\XoftSpySE\XoftSpy.exe [2009-05-20 13:58]

2009-05-26 c:\windows\Tasks\XoftSpySE.job
- c:\program files\Utils\XoftSpySE\XoftSpy.exe [2009-05-20 13:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet/
mStart Page = hxxp://intranet/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: giveawayoftheday.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1900)
c:\program files\Utils\SASp\SASWINLO.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1956)
c:\windows\SbHpNp.dll

- - - - - - - > 'explorer.exe'(3556)
c:\windows\system32\mobsync.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Symantec AntiVirus\SNAC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\system32\CF29157.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\East-Tec Eraser 2008\etRiskMon.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Symantec Shared\COH\COH32.exe
.
**************************************************************************
.
Completion time: 2009-06-15 13:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 11:15
ComboFix2.txt 2009-06-12 11:51

Pre-Run: 123 155 423 232 bytes free
Post-Run: 123 278 807 040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

345
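The registry sections of a ComboFix log are the part a helper reads first: AppInit_DLLs, the LSA notification packages, the Security Center flags, the firewall state and globally open ports. The script below is an added example, not ComboFix's or this thread's code. It parses that section format (a bracketed key path followed by "name"=value or `name REG_MULTI_SZ ...` lines) and lists those settings as review items, not verdicts; in this thread none of them turned out to be malicious, as the reply below states. The path-suffix matching, the sample (copied from the sections above) and the wording of each note are this example's own.

```python
"""Flag the security-relevant registry settings in a ComboFix-style dump (added example)."""
import re

# Constructed sample: the sections of the posted log a reviewer checks first.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
MULTI_RE = re.compile(r"^(?P<name>.+?)\s+REG_MULTI_SZ\s+(?P<value>.*)$")


def parse_sections(text):
    """Return {lower-cased key path: {value name: raw value string}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE_RE.match(line) or MULTI_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = m.group("value").strip()
    return sections


def as_int(value):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    m = re.match(r"dword:([0-9a-f]+)$", value, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", value)
    return int(m.group(1)) if m else None


def section(sections, suffix):
    """Match on the tail of the path so the 'HKLM\\~\\...' abbreviation still resolves."""
    suffix = suffix.lower()
    return next((v for k, v in sections.items() if k.endswith(suffix)), {})


def audit(text):
    """Return (area, item, why it matters) tuples for settings a reviewer should verify."""
    s = parse_sections(text)
    findings = []
    dll = section(s, r"\windows nt\currentversion\windows").get("AppInit_DLLs")
    if dll:
        findings.append(("AppInit_DLLs", dll,
                         "loaded into every process that uses user32.dll; confirm the publisher"))
    for pkg in section(s, r"\control\lsa").get("Notification Packages", "").split():
        if pkg.lower() != "scecli":   # scecli is the Windows default package
            findings.append(("LSA Notification Packages", pkg,
                             "password-filter DLL inside lsass.exe; tie it to installed software"))
    sc = section(s, r"\security center")
    for name in ("AllAlertsDisabled", "DisableMonitoring"):
        if as_int(sc.get(name, "")) == 1:
            findings.append(("Security Center", name, "user is not warned about AV/firewall state"))
    fw = section(s, r"\firewallpolicy\standardprofile")
    if as_int(fw.get("EnableFirewall", "")) == 0:
        findings.append(("Windows Firewall", "EnableFirewall=0", "host firewall off for the standard profile"))
    for port in section(s, r"\globallyopenports\list"):
        findings.append(("Globally open port", port, "inbound connections allowed from any address"))
    return findings


if __name__ == "__main__":
    for area, item, why in audit(SAMPLE_LOG):
        print(f"{area:26} {item:45} {why}")
```

Run as-is it prints six review items for the sample; each one still needs to be matched against what is installed (here the log's own DLL listings show SbHpNp.dll loaded in lsass.exe, which is what the notification-package line predicts).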

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 15 June 2009 - 12:31 PM

Hi,

I don't see anything bad on the log. Even those files removed by ComboFix might be false positives. They look to be regenerated as the application reinstalls them again.

How is your computer running?

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 15 June 2009 - 02:08 PM

Could you please upload those DLLs for analysis; they are removed, but like before they should be regenerated after reboot:

We would like to take a look at the following files:
  • c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
  • c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
  • c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll

  • Zip them first. To do that:
    • Go to the directory where they are located: c:\program files\ActivIdentity\ActivClient\Resources\Merged
    • Hold down the Ctrl key and select the files one by one until you have selected all of them.
    • Right-click one of the selected files and select Send To from the context menu => select Compressed (zip) Folder.
    • Click Yes to any prompt. A zip file will be created in the same directory the files are located in.
  • Click on this link: http://www.bleepingcomputer.com/submit-malware.php?channel=4
  • Click Browse... and navigate to the zip file and highlight it to select.
  • Click Open.
  • Copy the link to this topic in the appropriate box.
  • Click Send File.
Please let me know if the files are uploaded.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 17 June 2009 - 02:07 PM

Thanks for uploading the files. They got removed because they lacked properties of a legit file. But they are not bad.

You mentioned it is an office computer, but I don't see any proxy setting, which we often see in the case of office computers: they get connected via a proxy setting.

To have a final check for possible suspicious activity please do the following:

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

A command window opens, wait until a log file opens. Please post its content to your reply.

#15 summersa

summersa
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Africa
  • Local time:01:24 AM

Posted 18 June 2009 - 03:00 AM

Hi Farbar, thanks. Contents of the command are below:

Windows IP Configuration

Host Name . . . . . . . . . . . . : SummerSa
Primary Dns Suffix . . . . . . . : sabc.co.za
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sabc.co.za
                                    sabc.co.za
                                    co.za

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel® Wireless WiFi Link 4965AG
Physical Address. . . . . . . . . : 00-13-E8-4A-1A-83

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : sabc.co.za
Description . . . . . . . . . . . : Intel® 82566MM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-17-A4-EA-00-2E
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 155.234.218.48
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 155.234.219.254
DHCP Server . . . . . . . . . . . : 155.234.212.1
DNS Servers . . . . . . . . . . . : 155.234.212.1
                                    155.234.212.2
Primary WINS Server . . . . . . . : 155.234.212.1
Secondary WINS Server . . . . . . : 155.234.212.2
Lease Obtained. . . . . . . . . . : 18 June 2009 09:43:55 AM
Lease Expires . . . . . . . . . . : 04 July 2009 09:43:55 AM

Server: jhb-raddc.sabc.co.za
Address: 155.234.212.1

Name: google.com
Addresses: 74.125.67.100, 74.125.45.100, 74.125.127.100

Pinging google.com [74.125.45.100] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 74.125.45.100:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 e8 4a 1a 83 ...... Intel® Wireless WiFi Link 4965AG - Teefer2 Miniport
0x20003 ...00 17 a4 ea 00 2e ...... Intel® 82566MM Gigabit Network Connection - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  155.234.219.254  155.234.218.48      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    155.234.216.0    255.255.252.0   155.234.218.48  155.234.218.48      20
   155.234.218.48  255.255.255.255        127.0.0.1       127.0.0.1      20
  155.234.255.255  255.255.255.255   155.234.218.48  155.234.218.48      20
        224.0.0.0        240.0.0.0   155.234.218.48  155.234.218.48      20
  255.255.255.255  255.255.255.255   155.234.218.48  155.234.218.48       1
  255.255.255.255  255.255.255.255   155.234.218.48               2       1
Default Gateway:   155.234.219.254
===========================================================================
Persistent Routes:
None
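Farbar's one-liner gathers ipconfig /all, nslookup, ping and route print into one file because the helper then checks the four outputs against each other. The script below is an added example, not Farbar's or the forum's code. It parses the XP-era text output of those commands (the sample is constructed, condensed from the post above) and automates the checks: whether the default gateway lies on the interface's subnet, where each DNS server sits relative to the host, whether the route table's default route agrees with what ipconfig reports, and whether "the name resolves but every ping times out" fits ICMP being filtered somewhere on the path. Treating an address in the same /16 as the host as the organisation's own range is this example's heuristic, as is the wording of the notes.

```python
"""Triage combined ipconfig / nslookup / ping / route print output (added example).

Automates the cross-checks a helper does by eye on the XP-era text formats.
"""
import ipaddress
import re

# Constructed sample, condensed from the output posted in this thread.
SAMPLE = """\
Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 155.234.218.48
        Subnet Mask . . . . . . . . . . . : 255.255.252.0
        Default Gateway . . . . . . . . . : 155.234.219.254
        DHCP Server . . . . . . . . . . . : 155.234.212.1
        DNS Servers . . . . . . . . . . . : 155.234.212.1
                                            155.234.212.2

Server:  jhb-raddc.sabc.co.za
Address:  155.234.212.1

Name:    google.com
Addresses:  74.125.67.100, 74.125.45.100, 74.125.127.100

Pinging google.com [74.125.45.100] with 32 bytes of data:
Request timed out.
Ping statistics for 74.125.45.100:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  155.234.219.254  155.234.218.48      20
Default Gateway:   155.234.219.254
"""

ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .*):$")
KEY_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 -]*?)\s*[. ]*:\s*(?P<val>.*)$")
ROUTE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s*$")
LOSS_RE = re.compile(r"Lost = \d+ \((\d+)% loss\)")


def parse_output(text):
    """Return (adapters, route rows, addresses nslookup returned, ping loss percent)."""
    adapters, routes, resolved, loss = {}, [], [], None
    current, last_key, after_name = None, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        route, adapter = ROUTE_RE.match(line), ADAPTER_RE.match(line)
        if route:
            routes.append(route.groups())
        elif adapter:
            current, last_key = adapters.setdefault(adapter.group("name"), {}), None
        elif line.startswith("Name:"):
            after_name = True                      # the next Address line is nslookup's answer
        elif after_name and line.startswith("Address"):
            resolved = [a.strip() for a in line.split(":", 1)[1].split(",") if a.strip()]
            after_name = False
        elif LOSS_RE.search(line):
            loss = int(LOSS_RE.search(line).group(1))
        elif line.startswith(("Server:", "Pinging")):
            current = None                         # ipconfig output is over
        elif current is not None:
            key = KEY_RE.match(line)
            if key:
                last_key, val = key.group("key").strip(), key.group("val").strip()
                current[last_key] = [val] if val else []
            elif last_key:
                current[last_key].append(line.strip())   # continuation line, e.g. second DNS server
    return adapters, routes, resolved, loss


def place_dns(dns, iface, dhcp_servers):
    """Where a resolver sits relative to the host (coarse heuristic, this example's own)."""
    addr = ipaddress.ip_address(dns)
    if dns in dhcp_servers:
        return "dhcp-server"
    if addr in iface.network:
        return "on-link"
    if addr.is_private:
        return "private"
    if addr in ipaddress.ip_network(f"{iface.ip}/16", strict=False):
        return "same-/16"                          # assumed to be the organisation's own range
    return "external"


def analyze(text):
    """Return (level, message) pairs: 'review' wants a human look, 'info' explains a symptom."""
    adapters, routes, resolved, loss = parse_output(text)
    notes, gateways = [], []
    for name, cfg in adapters.items():
        if not cfg.get("IP Address"):
            continue                               # disconnected adapter
        iface = ipaddress.ip_interface(f"{cfg['IP Address'][0]}/{cfg['Subnet Mask'][0]}")
        for gw in cfg.get("Default Gateway", []):
            gateways.append(gw)
            if ipaddress.ip_address(gw) not in iface.network:
                notes.append(("review", f"{name}: gateway {gw} is not on subnet {iface.network}"))
        for dns in cfg.get("DNS Servers", []):
            if place_dns(dns, iface, cfg.get("DHCP Server", [])) == "external":
                notes.append(("review", f"{name}: DNS server {dns} is outside the local network"))
    for dest, mask, gw, _iface, _metric in routes:
        if dest == mask == "0.0.0.0" and gw not in gateways:
            notes.append(("review", f"route table default gateway {gw} is not one ipconfig reports"))
    if resolved and loss == 100:
        notes.append(("info", "DNS resolves but every echo timed out: ICMP is most likely "
                              "filtered on the path rather than a local resolver fault"))
    return notes


if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

On the posted output the only note is the informational one: the gateway is on the /22, both resolvers are the DHCP server or its /16 neighbour, and the route table agrees with ipconfig, so the ping loss alone is not evidence of a local fault.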



