
Vundo Infection


  • This topic is locked
7 replies to this topic

#1 ksavell

ksavell

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 20 April 2007 - 10:09 AM

Hi all,

I apparently have the winfixer virus. I've followed the steps here ( http://www.bleepingcomputer.com/forums/t/18610/how-to-remove-winfixer-virtumonde-msevents-trojanvundob/ ) and have an interesting error. After running VundoFix.exe, and clicking YES to remove the files, I get an error stating "cannot import C:/vundofix.reg : error opening file..."

The VirtumundoBeGone.exe in safe mode did not execute, gave some indication of a hard stop and forced reboot, then a blue screen (not THE blue screen), so I did the hard power reset.

Downloaded another copy of VundoFix.exe and had the same problem as above.

It consistently directs me to the ddccd.dll as the culprit on this machine, but it has shown up as other application extensions (pmkhf.dll, fhkmp.ini, mljgd.dll).

So here is the hijackthis log (directions from http://www.bleepingcomputer.com/forums/topic34773.html )

*************************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:56:28 AM, on 4/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nslsvice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\RCMDSVC.EXE
C:\WINNT\system32\RKILLSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\xloadnet\xloadnet.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINNT\updater.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\UA\uatc.exe
C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.corp.rcn.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.corp.rcn.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RCN Corporation
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\pnlhfkee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RCN Desktop v2.0] "C:\WINNT\system32\RCN Desktop v2.0.EXE" /S
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ClearQuality.EXE
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ODBC_Control_Panel.lnk = C:\Program Files\ODBC Control Panel\ODBC_Control_Panel.EXE
O4 - Global Startup: Shortcut to uatc.exe.lnk = C:\Program Files\UA\uatc.exe
O4 - Global Startup: Workspace Macro Pro Hotkeys.lnk = C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://intranet.corp.rcn.net
O15 - Trusted Zone: http://*.clarify
O15 - Trusted Zone: http://clarify.corp.rcn.net
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} - http://rcnprod.corp.rcn.net:8000/OA_HTML/US/jinit11718.exe
O16 - DPF: {06ED1FEF-3D05-11D2-8427-00609784D0F1} (ClarifyAppOcx Control) - http://10.131.40.25/~tuxedo/clfyappctrl128.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {CAFECAFE-0013-0001-0025-ABCDEFABCDEF} (JInitiator 1.3.1.25) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (SEAGULL J Walk ActiveX Client) - http://172.24.20.169/JWALK/JWalk40/jwalkx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE07184-96B6-46C4-A9A7-47B342DD7602}: Domain = ad.corp.rcn.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ddccd - C:\WINNT\system32\ddccd.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\system32\\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Kill Service - Unknown owner - C:\WINNT\system32\RKILLSRV.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

*****************************************************************************************

Edited by ksavell, 20 April 2007 - 10:10 AM.
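The entries that stand out in the log above (a Browser Helper Object with "(no name)", a Winlogon Notify hook whose DLL is already gone, a Run key handing a long hex blob to an executable sitting directly in C:\WINNT, and a policy that disables the Registry Editor) are exactly what a helper scans for by eye. The following is an added example, not code from the thread or from HijackThis, that parses lines in this HijackThis v1.99.1 format and flags those patterns. The sample lines are copied from the posted log plus benign neighbours; the flagging rules (vowel-less DLL names, hex blobs, missing Notify DLLs, DisableRegedit) are triage heuristics of my own and will produce false positives on unusual but legitimate software.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines in HijackThis v1.99.1 format, taken from the log
# posted in this thread together with a few benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\pnlhfkee.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINNT\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ddccd - C:\WINNT\system32\ddccd.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str   # why the line was flagged
    line: str     # the original log line


# Heuristic (my assumption, not a HijackThis feature): a letters-only file stem
# with no vowels, such as ddccd / pmkhf / mljgd in this thread, is typical of
# generated Vundo DLL names.
_NO_VOWEL = re.compile(r"^[b-df-hj-np-tv-z]{4,8}$")
# Heuristic: a 32+ character hex argument on a Run entry is unusual for
# legitimate startup items.
_HEX_BLOB = re.compile(r"\b[0-9A-F]{32,}\b")

_RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_RE_O7 = re.compile(r"^O7 - (?P<key>.*), (?P<setting>\w+)=(?P<value>\S+)$")
_RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


def _stem(path: str) -> str:
    """File name without directory or extension, e.g. 'C:\\x\\ddccd.dll' -> 'ddccd'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    out: list[Finding] = []
    if m := _RE_O2.match(line):
        if m["name"].strip().lower() == "(no name)":
            out.append(Finding("O2", "BHO registered without a name", line))
        if _NO_VOWEL.match(_stem(m["path"]).lower()):
            out.append(Finding("O2", "BHO DLL has a random-looking name", line))
    elif m := _RE_O4.match(line):
        if _HEX_BLOB.search(m["cmd"]):
            out.append(Finding("O4", "Run entry passes a long hex blob to its binary", line))
    elif m := _RE_O7.match(line):
        if m["setting"] == "DisableRegedit" and m["value"] == "1":
            out.append(Finding("O7", "Registry Editor disabled by policy", line))
    elif m := _RE_O20.match(line):
        if m["missing"]:
            out.append(Finding("O20", "Winlogon Notify points at a missing DLL", line))
        if _NO_VOWEL.match(_stem(m["path"]).lower()):
            out.append(Finding("O20", "Winlogon Notify DLL has a random-looking name", line))
    return out


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it flags five lines: the nameless BHO, the runner1 Run entry, the DisableRegedit policy, and the ddccd Notify hook twice (missing file and vowel-less name). An O20 entry marked "(file missing)" is worth noting separately: the hook is still registered even though the DLL has been deleted, which is why a removal tool that deletes the file but not the Notify key leaves a dangling reference in the next log.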



#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:30 PM

Posted 20 April 2007 - 01:38 PM

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware report scan. Then do this - download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 ksavell

ksavell
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 23 April 2007 - 08:37 AM

Thank you.

I made an error somehow on step 6 of your instructions under AVG Anti-Spyware, and did not find the option to select "Automatically generate report ... ", and thus do not have a log for that. It did find dozens of tracking cookies and three medium and high threats:

Not-A-Virus.Exploit.Win32.MS05013
Downloader.PurityScan.eg
Adware.Virtumonde


Here is the log from SuperAntiSpyware

SUPERAntiSpyware Scan Log
Generated 04/23/2007 at 09:22 AM

Application Version : 3.6.1000

Core Rules Database Version : 3222
Trace Rules Database Version: 1233

Scan type : Complete Scan
Total Scan Time : 00:25:07

Memory items scanned : 641
Memory threats detected : 0
Registry items scanned : 5684
Registry threats detected : 20
File items scanned : 25506
File threats detected : 185

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}\InprocServer32
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\PNLHFKEE.DLL
HKLM\Software\Classes\CLSID\{41E3A050-6AC0-4CC1-A7F0-B111F22BDE8A}
HKCR\CLSID\{41E3A050-6AC0-4CC1-A7F0-B111F22BDE8A}
HKCR\CLSID\{41E3A050-6AC0-4CC1-A7F0-B111F22BDE8A}\InprocServer32
HKCR\CLSID\{41E3A050-6AC0-4CC1-A7F0-B111F22BDE8A}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\DDCCD.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1557B435-8242-4686-9AA3-9265BF7525A4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3F9D0C61-737D-44D1-BD80-91AF857061CC}
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}

Adware.Tracking Cookie
C:\Documents and Settings\Ken Savell\Cookies\ken savell@tribalfusion[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@sales.liveperson[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adrevolver[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@anad.tacoda[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adtech[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@79438661[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adecn[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@trafficmp[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adrevolver[3].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@atwola[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@list[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@realmedia[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@jamster[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@media.intelia[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@burstnet[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@www.burstnet[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@rcn.112.2o7[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@zedo[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.expedia[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adbrite[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.monster[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@tacoda[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@redorbit[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@statse.webtrendslive[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@icc.intellisrv[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@partner2profit[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@75701581[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@2o7[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adinterax[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@questionmarket[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.cnn[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mediaplex[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@50715070[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@revsci[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ad.yieldmanager[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@network.realmedia[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adjuggler[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@medianewsgroup[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@doubleclick[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@a[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.glispa[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@m1.webstats4u[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@S142202[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@c.enhance[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adopt.specificclick[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@fastclick[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@atdmt[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.contactmusic[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@advertising[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@www.burstbeacon[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@azjmp[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@www.windowsmedia[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@image.masterstats[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@bannerspace[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@clickbank[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@cgi-bin[5].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@hitbox[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ehg-mgnlimited.hitbox[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@casalemedia[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@nextag[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@rotator.adjuggler[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.pointroll[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ad[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@a.websponsors[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@anat.tacoda[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mb[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@media.hotels[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@overture[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@74453203[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@qnsr[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@S119579[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@data1.perf.overture[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.i-am-bored[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@h.starware[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@indextools[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@clicksor[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@bannerads.zwire[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.realtechnetwork[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@4406519[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@www.dealtime[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@tracking.foxnews[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@belnk[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adknowledge[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@S122606[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@S138735[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@sec1.liveperson[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@34869151[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@kanoodle[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@bannerads[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mb[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@37010162[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.belointeractive[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@try.starware[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@61446968[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@26748447[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@zscript[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@42435556[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adv.webmd[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@xiti[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.cartoonnetwork[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@yadro[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mb[7].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@cgi-bin[4].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.pgatour[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@cgi-bin[3].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@data3.perf.overture[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@winantivirus[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mb[4].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@24218[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@1068865264[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@63152693[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@24208[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mb[6].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@focalex[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@LPBofA1[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@rapidresponse.directtrack[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@gtcc1.acecounter[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mb[5].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@s[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@directtrack[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@5223975[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@v7.stats.load[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@media.travelera[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@a.tribalfusion[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@campaign.indieclick[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@19472714[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@adlegend[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.ft[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@mediastay.directtrack[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@78221172[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@wpni.112.2o7[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@media.adfrontiers[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@switzerland.advertserve[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@media.jcarter[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.addesktop[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@33707992[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@cgi-bin[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@cpvfeed[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@interclick[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@rotabanner.rian[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@indiads[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@track.bestbuy[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@48493158[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@sxload[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@fastpspdownloads[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@stats1.reliablestats[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ads.adbrite[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@webstat.yamaha[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@ad.thehill[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@imk_ad_farm[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@stats[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@stats[2].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@Stats[4].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@webstats[1].txt
C:\Documents and Settings\Ken Savell\Cookies\ken savell@wTracker[2].txt

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\3Z4KCB7N\box4[1].png
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\O5MF8H2N\bottom_threats[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\G1A3G1A3\ico4[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\O5MF8H2N\bkg3[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\W1IZG96V\lo[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\3Z4KCB7N\yes[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\GLQRCXAB\box6[1].png
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\3Z4KCB7N\top_threats[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\O5MF8H2N\hi[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\89MJ8DQV\ico1[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\G1A3G1A3\checksoft[1].js
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\O5MF8H2N\bt2[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\8DMRK5A7\new-edition-label[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\89MJ8DQV\bg_menu[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\8DMRK5A7\med[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\4LURW1AJ\ico3[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\G1A3G1A3\box1c[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\3Z4KCB7N\logo[3].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\W1IZG96V\bkg7[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\8DMRK5A7\box5[1].png
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\3Z4KCB7N\t_p1[1].png
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\W1IZG96V\box3[1].png
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\89MJ8DQV\no[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\GLQRCXAB\getnow[1].gif
C:\Documents and Settings\Ken Savell\Local Settings\Temporary Internet Files\Content.IE5\O5MF8H2N\button_download[1].gif


And the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:34:47 AM, on 4/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nslsvice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\RCMDSVC.EXE
C:\WINNT\system32\RKILLSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\UA\uatc.exe
C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.corp.rcn.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.corp.rcn.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RCN Corporation
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RCN Desktop v2.0] "C:\WINNT\system32\RCN Desktop v2.0.EXE" /S
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ClearQuality.EXE
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ODBC_Control_Panel.lnk = C:\Program Files\ODBC Control Panel\ODBC_Control_Panel.EXE
O4 - Global Startup: Shortcut to uatc.exe.lnk = C:\Program Files\UA\uatc.exe
O4 - Global Startup: Workspace Macro Pro Hotkeys.lnk = C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://intranet.corp.rcn.net
O15 - Trusted Zone: http://*.clarify
O15 - Trusted Zone: http://clarify.corp.rcn.net
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} - http://rcnprod.corp.rcn.net:8000/OA_HTML/US/jinit11718.exe
O16 - DPF: {06ED1FEF-3D05-11D2-8427-00609784D0F1} (ClarifyAppOcx Control) - http://10.131.40.25/~tuxedo/clfyappctrl128.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {CAFECAFE-0013-0001-0025-ABCDEFABCDEF} (JInitiator 1.3.1.25) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (SEAGULL J Walk ActiveX Client) - http://172.24.20.169/JWALK/JWalk40/jwalkx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE07184-96B6-46C4-A9A7-47B342DD7602}: Domain = ad.corp.rcn.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ddccd - C:\WINNT\system32\ddccd.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\system32\\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Kill Service - Unknown owner - C:\WINNT\system32\RKILLSRV.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#4 Daemon

Daemon (Security Expert)

Posted 23 April 2007 - 12:55 PM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

O15 - Trusted Zone: *.sxload.net (HKLM)
O20 - Winlogon Notify: ddccd - C:\WINNT\system32\ddccd.dll (file missing)


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here. Also:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
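The two entries Daemon singles out are the kind of thing a defender can pull out of a HijackThis log mechanically rather than by eye. As an added example (not part of this thread, and not HijackThis or BleepingComputer code), the Python below parses the O15 (Trusted Zone) and O20 (Winlogon Notify) lines from the log posted above and flags a trusted-zone host that is not on an allow list of expected domains, plus any Winlogon Notify subkey whose DLL is reported as "(file missing)", which is a leftover registration that will keep reappearing in scans until it is removed. The sample lines are copied from the log in this thread; the allow list (corp.rcn.net and the intranet "clarify" hosts) is an assumption about what is legitimate on this corporate machine.

```python
import re
from dataclasses import dataclass

# O15 - Trusted Zone: <host pattern> [(HKLM)]
O15_RE = re.compile(
    r"^O15 - Trusted Zone: (?P<zone>\S+)(?: \((?P<hive>HKLM)\))?\s*$"
)
# O20 - Winlogon Notify: <subkey name> - <dll path> [(file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

# Assumed allow list: hosts that belong in the IE Trusted Zone on this box.
ALLOWED_ZONE_SUFFIXES = ("clarify", "corp.rcn.net")

# Sample lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
O15 - Trusted Zone: http://*.clarify
O15 - Trusted Zone: http://clarify.corp.rcn.net
O15 - Trusted Zone: *.sxload.net (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ddccd - C:\WINNT\system32\ddccd.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
"""


@dataclass
class Finding:
    section: str   # "O15" or "O20"
    line: str      # the original log line
    reason: str    # why it was flagged


def normalize_zone(zone: str) -> str:
    """Reduce 'http://*.sxload.net' or '*.sxload.net' to 'sxload.net'."""
    host = re.sub(r"^[a-z]+://", "", zone, flags=re.IGNORECASE)
    host = host.lstrip("*.")          # drop a leading wildcard such as '*.'
    return host.rstrip("/").lower()


def trusted_zone_is_expected(zone: str, allowed_suffixes=ALLOWED_ZONE_SUFFIXES) -> bool:
    """True when the zone host equals, or is a subdomain of, an allowed suffix."""
    host = normalize_zone(zone)
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def audit_hjt_log(text: str, allowed_suffixes=ALLOWED_ZONE_SUFFIXES) -> list:
    """Return a Finding for each suspicious O15 or O20 line in a HijackThis log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O15_RE.match(line)
        if m:
            if not trusted_zone_is_expected(m["zone"], allowed_suffixes):
                scope = " (machine-wide, HKLM)" if m["hive"] else ""
                findings.append(Finding(
                    "O15", line,
                    f"trusted zone {m['zone']} is not on the allow list{scope}"))
            continue
        m = O20_RE.match(line)
        if m and m["missing"]:
            # A Winlogon Notify package registered for a DLL that no longer
            # exists is dead weight from a prior cleanup; remove the subkey.
            findings.append(Finding(
                "O20", line,
                f"Winlogon Notify subkey {m['name']} points at missing DLL {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
        print(f"       {f.line}")
```

Run against the sample it prints exactly the two lines Daemon asked the poster to fix. Widening the allow list is the only tuning a different machine needs; the O20 rule has no tunables because a Notify package whose DLL is gone is never a working legitimate component.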

#5 ksavell

ksavell (Topic Starter)

Posted 23 April 2007 - 01:48 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:45:17 PM, on 4/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nslsvice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\RCMDSVC.EXE
C:\WINNT\system32\RKILLSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\UA\uatc.exe
C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.corp.rcn.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.corp.rcn.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RCN Desktop v2.0] "C:\WINNT\system32\RCN Desktop v2.0.EXE" /S
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ClearQuality.EXE
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ODBC_Control_Panel.lnk = C:\Program Files\ODBC Control Panel\ODBC_Control_Panel.EXE
O4 - Global Startup: Shortcut to uatc.exe.lnk = C:\Program Files\UA\uatc.exe
O4 - Global Startup: Workspace Macro Pro Hotkeys.lnk = C:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://intranet.corp.rcn.net
O15 - Trusted Zone: http://*.clarify
O15 - Trusted Zone: http://clarify.corp.rcn.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} - http://rcnprod.corp.rcn.net:8000/OA_HTML/US/jinit11718.exe
O16 - DPF: {06ED1FEF-3D05-11D2-8427-00609784D0F1} (ClarifyAppOcx Control) - http://10.131.40.25/~tuxedo/clfyappctrl128.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {CAFECAFE-0013-0001-0025-ABCDEFABCDEF} (JInitiator 1.3.1.25) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (SEAGULL J Walk ActiveX Client) - http://172.24.20.169/JWALK/JWalk40/jwalkx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE07184-96B6-46C4-A9A7-47B342DD7602}: Domain = ad.corp.rcn.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.corp.rcn.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\system32\\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Kill Service - Unknown owner - C:\WINNT\system32\RKILLSRV.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe




********************************************************
combofix logfile
********************************************************

"Ken Savell" - Mon 04/23/2007 14:35:28 Service Pack 4
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Ken Savell\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\DOWNLO~1.\MyWebEx\419\atarm.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atas32.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atasanot.exe
C:\WINNT\DOWNLO~1.\MyWebEx\419\atasctrl.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atasnt40.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atcarmcl.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atdl2006.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atjpeg60.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atkbctl.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atlchat.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atmemmgr.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atnetext.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atpack.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atres.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\attp.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\atwbxui5.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\ieatgpc.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\mwm.ini
C:\WINNT\DOWNLO~1.\MyWebEx\419\mwmcliun.exe
C:\WINNT\DOWNLO~1.\MyWebEx\419\mwmproxy.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\mwmres.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\mwmupd.exe
C:\WINNT\DOWNLO~1.\MyWebEx\419\ratrace.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\raurl.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\uilibres.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\wbxcrypt.dll
C:\WINNT\DOWNLO~1.\MyWebEx\419\webexmgr.dll
C:\Program Files\xloadnet
C:\WINNT\DOWNLO~1.\MyWebEx


((((((((((((((((((((((((((((((( Files Created from 2002-01-07 to 20/23/2007 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2012/15/99 01:00a 10064 --a------ C:\WINNT\system32\drivers\dxapi.sys
2012/12/02 01:14a 7424 --a------ C:\WINNT\system32\drivers\mskssrv.sys
2012/12/02 01:14a 5504 --a------ C:\WINNT\system32\drivers\mstee.sys
2012/12/02 01:14a 5248 --a------ C:\WINNT\system32\drivers\mspclock.sys
2012/12/02 01:14a 4096 --a------ C:\WINNT\system32\drivers\swenum.sys
2012/12/02 01:14a 130304 --a------ C:\WINNT\system32\drivers\ks.sys
2012/07/99 01:00p 9680 --a------ C:\WINNT\system32\drivers\netdtect.sys
2012/07/99 01:00p 88816 --a------ C:\WINNT\system32\drivers\lvcam.sys
2012/07/99 01:00p 8016 --a------ C:\WINNT\system32\drivers\rasacd.sys
2012/07/99 01:00p 79120 --a------ C:\WINNT\system32\drivers\lvcodek.sys
2012/07/99 01:00p 6512 --a------ C:\WINNT\system32\drivers\parvdm.sys
2012/07/99 01:00p 6032 --a------ C:\WINNT\system32\drivers\rootmdm.sys
2012/07/99 01:00p 59280 --a------ C:\WINNT\system32\drivers\vdmindvd.sys
2012/07/99 01:00p 58480 --a------ C:\WINNT\system32\drivers\nwlnkspx.sys
2012/07/99 01:00p 57904 --a------ C:\WINNT\system32\drivers\atmarpc.sys
2012/07/99 01:00p 52048 --a------ C:\WINNT\system32\drivers\tosdvd.sys
2012/07/99 01:00p 4240 --a------ C:\WINNT\system32\drivers\wmilib.sys
2012/07/99 01:00p 4240 --a------ C:\WINNT\system32\drivers\mnmdd.sys
2012/07/99 01:00p 4080 --a------ C:\WINNT\system32\drivers\beep.sys
2012/07/99 01:00p 40432 --a------ C:\WINNT\system32\drivers\ndproxy.sys
2012/07/99 01:00p 37040 --a------ C:\WINNT\system32\drivers\npfs.sys
2012/07/99 01:00p 35344 --a------ C:\WINNT\system32\drivers\nwlnkfwd.sys
2012/07/99 01:00p 35024 --a------ C:\WINNT\system32\drivers\rawwan.sys
2012/07/99 01:00p 34416 --a------ C:\WINNT\system32\drivers\ipfltdrv.sys
2012/07/99 01:00p 33456 --a------ C:\WINNT\system32\drivers\netbios.sys
2012/07/99 01:00p 2800 --a------ C:\WINNT\system32\drivers\null.sys
2012/07/99 01:00p 272496 --a------ C:\WINNT\system32\drivers\cinemst2.sys
2012/07/99 01:00p 23888 --a------ C:\WINNT\system32\drivers\usbcamd.sys
2012/07/99 01:00p 22000 --a------ C:\WINNT\system32\drivers\tsbvcap.sys
2012/07/99 01:00p 21712 --a------ C:\WINNT\system32\drivers\rca.sys
2012/07/99 01:00p 21328 --a------ C:\WINNT\system32\drivers\msfs.sys
2012/07/99 01:00p 19984 --a------ C:\WINNT\system32\drivers\ipinip.sys
2012/07/99 01:00p 19088 --a------ C:\WINNT\system32\drivers\cdaudio.sys
2012/07/99 01:00p 17424 --a------ C:\WINNT\system32\drivers\lvsound.sys
2012/07/99 01:00p 16880 --a------ C:\WINNT\system32\drivers\raspti.sys
2012/07/99 01:00p 15120 --a------ C:\WINNT\system32\drivers\usbintel.sys
2012/07/99 01:00p 14832 --a------ C:\WINNT\system32\drivers\smclib.sys
2012/07/99 01:00p 13968 --a------ C:\WINNT\system32\drivers\vga.sys
2012/07/99 01:00p 12880 --a------ C:\WINNT\system32\drivers\class2.sys
2012/07/99 01:00p 12560 --a------ C:\WINNT\system32\drivers\nwlnkflt.sys
2012/07/99 01:00p 12368 --a------ C:\WINNT\system32\drivers\fsvga.sys
2012/07/99 01:00p 12016 --a------ C:\WINNT\system32\drivers\ws2ifsl.sys
2012/07/99 01:00p 105840 --a------ C:\WINNT\system32\drivers\streams.sys
2012/07/99 01:00p 102160 --a------ C:\WINNT\system32\drivers\nbf.sys
2012/04/00 09:39a 596824 --a------ C:\WINNT\system32\drivers\nv4_mini.sys
2012/02/04 06:07a 89328 --a------ C:\WINNT\system32\drivers\mup.sys
2012/02/04 06:07a 63280 --a------ C:\WINNT\system32\drivers\udfs.sys
2012/02/04 06:00a 116400 --a------ C:\WINNT\system32\drivers\ftdisk.sys
2012/01/05 03:57p 21760 --a------ C:\WINNT\system32\drivers\point32.sys
2011/16/04 10:03a 108791 --a------ C:\WINNT\system32\drivers\Apfiltr.sys
2011/11/99 11:13a 67440 --a------ C:\WINNT\system32\drivers\cwcwdm.sys
2011/11/99 11:13a 3344 --a------ C:\WINNT\system32\drivers\cwcos.sys
2011/11/99 11:13a 19056 --a------ C:\WINNT\system32\drivers\cwcspud3.sys
2011/11/99 11:13a 103120 --a------ C:\WINNT\system32\drivers\cwcspud.sys
2010/28/99 11:24a 51152 --a------ C:\WINNT\system32\drivers\DMusic.sys
2010/23/99 08:22a 61712 --a------ C:\WINNT\system32\drivers\el90xbc5.sys
2010/18/05 09:22a 17801 --a------ C:\WINNT\system32\drivers\AegisP.sys
2010/04/99 04:04p 13744 --a------ C:\WINNT\system32\drivers\kbdhid.sys
2010/04/99 03:03p 13904 --a------ C:\WINNT\system32\drivers\hidusb.sys
2009/29/03 08:10a 83008 --a------ C:\WINNT\system32\drivers\naiavf5x.sys
2009/25/99 06:36a 4816 --a------ C:\WINNT\system32\drivers\MSPQM.sys
2009/25/99 06:35a 2896 --a------ C:\WINNT\system32\drivers\audstub.sys
2009/20/03 08:32p 71888 --a------ C:\WINNT\system32\drivers\ksecdd.sys
2009/05/06 12:03p 3968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2009/05/04 11:06p 161072 --a------ C:\WINNT\system32\drivers\nwrdr.sys
2008/23/04 02:45p 122616 --a------ C:\WINNT\system32\drivers\b57w2k.sys
2008/16/05 01:40a 30160 --a------ C:\WINNT\system32\drivers\mountmgr.sys
2008/16/05 01:02p 18432 -ra------ C:\WINNT\system32\drivers\RimSerial.sys
2008/12/04 08:44a 234496 --a------ C:\WINNT\system32\drivers\iwca.sys
2008/12/04 08:43a 21504 --a------ C:\WINNT\system32\drivers\iwca2k.sys
2008/11/04 03:42p 67344 --a------ C:\WINNT\system32\drivers\ipnat.sys
2007/22/05 11:02p 11354 --a------ C:\WINNT\system32\drivers\s24trans.sys
2007/19/05 09:16p 2931584 --a------ C:\WINNT\system32\drivers\w29n50.sys
2007/19/05 03:44a 142288 --a------ C:\WINNT\system32\drivers\fastfat.sys
2007/19/05 01:42a 170800 --a------ C:\WINNT\system32\drivers\rdbss.sys
2007/14/05 05:24a 74384 --a------ C:\WINNT\system32\drivers\SCSIPORT.SYS
2007/09/04 05:27a 48512 --a------ C:\WINNT\system32\drivers\stream.sys
2007/09/04 03:58a 83968 --a------ C:\WINNT\system32\drivers\nabtsfec.sys
2007/09/04 03:58a 56832 --a------ C:\WINNT\system32\drivers\msdv.sys
2007/09/04 03:58a 18688 --a------ C:\WINNT\system32\drivers\wstcodec.sys
2007/09/04 03:58a 16384 --a------ C:\WINNT\system32\drivers\ccdecode.sys
2007/09/04 03:58a 15104 --a------ C:\WINNT\system32\drivers\mpe.sys
2007/09/04 03:58a 14976 --a------ C:\WINNT\system32\drivers\streamip.sys
2007/09/04 03:58a 11392 --a------ C:\WINNT\system32\drivers\bdasup.sys
2007/09/04 03:58a 10880 --a------ C:\WINNT\system32\drivers\slip.sys
2007/09/04 03:58a 10112 --a------ C:\WINNT\system32\drivers\ndisip.sys
2006/19/03 12:05p 9904 --a------ C:\WINNT\system32\drivers\CmBatt.sys
2006/19/03 12:05p 93360 --a------ C:\WINNT\system32\drivers\ndiswan.sys
2006/19/03 12:05p 9264 --a------ C:\WINNT\system32\drivers\compbatt.sys
2006/19/03 12:05p 9200 --a------ C:\WINNT\system32\drivers\ndistapi.sys
2006/19/03 12:05p 91408 --a------ C:\WINNT\system32\drivers\nwlnkipx.sys
2006/19/03 12:05p 86672 --a------ C:\WINNT\system32\drivers\atapi.sys
2006/19/03 12:05p 7728 --a------ C:\WINNT\system32\drivers\diskperf.sys
2006/19/03 12:05p 7600 --a------ C:\WINNT\system32\drivers\fs_rec.sys
2006/19/03 12:05p 7312 --a------ C:\WINNT\system32\drivers\dmload.sys
2006/19/03 12:05p 7184 --a------ C:\WINNT\system32\drivers\battc.sys
2006/19/03 12:05p 65520 --a------ C:\WINNT\system32\drivers\nwlnknb.sys
2006/19/03 12:05p 62736 --a------ C:\WINNT\system32\drivers\serial.sys
2006/19/03 12:05p 60496 --a------ C:\WINNT\system32\drivers\psched.sys
2006/19/03 12:05p 60208 --a------ C:\WINNT\system32\drivers\parallel.sys
2006/19/03 12:05p 59312 --a------ C:\WINNT\system32\drivers\pci.sys
2006/19/03 12:05p 57296 --a------ C:\WINNT\system32\drivers\irda.sys
2006/19/03 12:05p 57264 --a------ C:\WINNT\system32\drivers\mf.sys
2006/19/03 12:05p 56112 --a------ C:\WINNT\system32\drivers\dlc.sys
2006/19/03 12:05p 52112 --a------ C:\WINNT\system32\drivers\rasl2tp.sys
2006/19/03 12:05p 50640 --a------ C:\WINNT\system32\drivers\videoprt.sys
2006/19/03 12:05p 49776 --a------ C:\WINNT\system32\drivers\usbhub20.sys
2006/19/03 12:05p 48496 --a------ C:\WINNT\system32\drivers\atmlane.sys
2006/19/03 12:05p 48464 --a------ C:\WINNT\system32\drivers\raspptp.sys
2006/19/03 12:05p 46992 --a------ C:\WINNT\system32\drivers\isapnp.sys
2006/19/03 12:05p 46992 --a------ C:\WINNT\system32\drivers\i8042prt.sys
2006/19/03 12:05p 4624 --a------ C:\WINNT\system32\drivers\intelide.sys
2006/19/03 12:05p 40176 --a------ C:\WINNT\system32\drivers\usbhub.sys
2006/19/03 12:05p 37552 --a------ C:\WINNT\system32\drivers\nmnt.sys
2006/19/03 12:05p 369104 --a------ C:\WINNT\system32\drivers\dmboot.sys
2006/19/03 12:05p 34832 --a------ C:\WINNT\system32\drivers\classpnp.sys
2006/19/03 12:05p 34704 --a------ C:\WINNT\system32\drivers\msgpc.sys
2006/19/03 12:05p 33616 --a------ C:\WINNT\system32\drivers\fips.sys
2006/19/03 12:05p 331088 --a------ C:\WINNT\system32\drivers\atmuni.sys
2006/19/03 12:05p 32848 --a------ C:\WINNT\system32\drivers\uhcd.sys
2006/19/03 12:05p 32272 --a------ C:\WINNT\system32\drivers\wanarp.sys
2006/19/03 12:05p 3088 --a------ C:\WINNT\system32\drivers\pciide.sys
2006/19/03 12:05p 30768 --a------ C:\WINNT\system32\drivers\disk.sys
2006/19/03 12:05p 29168 --a------ C:\WINNT\system32\drivers\modem.sys
2006/19/03 12:05p 27984 --a------ C:\WINNT\system32\drivers\cdrom.sys
2006/19/03 12:05p 27440 --a------ C:\WINNT\system32\drivers\efs.sys
2006/19/03 12:05p 26256 --a------ C:\WINNT\system32\drivers\fdc.sys
2006/19/03 12:05p 25104 --a------ C:\WINNT\system32\drivers\parport.sys
2006/19/03 12:05p 24752 --a------ C:\WINNT\system32\drivers\hidclass.sys
2006/19/03 12:05p 24528 --a------ C:\WINNT\system32\drivers\kbdclass.sys
2006/19/03 12:05p 23056 --a------ C:\WINNT\system32\drivers\hidparse.sys
2006/19/03 12:05p 22064 --a------ C:\WINNT\system32\drivers\sonydcam.sys
2006/19/03 12:05p 22064 --a------ C:\WINNT\system32\drivers\pciidex.sys
2006/19/03 12:05p 21776 --a------ C:\WINNT\system32\drivers\mouclass.sys
2006/19/03 12:05p 20688 --a------ C:\WINNT\system32\drivers\usbd.sys
2006/19/03 12:05p 20208 --a------ C:\WINNT\system32\drivers\msircomm.sys
2006/19/03 12:05p 19952 --a------ C:\WINNT\system32\drivers\irsir.sys
2006/19/03 12:05p 19920 --a------ C:\WINNT\system32\drivers\rasirda.sys
2006/19/03 12:05p 19728 --a------ C:\WINNT\system32\drivers\usbehci.sys
2006/19/03 12:05p 19312 --a------ C:\WINNT\system32\drivers\flpydisk.sys
2006/19/03 12:05p 17840 --a------ C:\WINNT\system32\drivers\asyncmac.sys
2006/19/03 12:05p 17680 --a------ C:\WINNT\system32\drivers\ptilink.sys
2006/19/03 12:05p 173232 --a------ C:\WINNT\system32\drivers\update.sys
2006/19/03 12:05p 170928 --a------ C:\WINNT\system32\drivers\ndis.sys
2006/19/03 12:05p 163120 --a------ C:\WINNT\system32\drivers\acpi.sys
2006/19/03 12:05p 16240 --a------ C:\WINNT\system32\drivers\tdi.sys
2006/19/03 12:05p 148400 --a------ C:\WINNT\system32\drivers\sfmatalk.sys
2006/19/03 12:05p 148208 --a------ C:\WINNT\system32\drivers\portcls.sys
2006/19/03 12:05p 14288 --a------ C:\WINNT\system32\drivers\diskdump.sys
2006/19/03 12:05p 14160 --a------ C:\WINNT\system32\drivers\serenum.sys
2006/19/03 12:05p 138288 --a------ C:\WINNT\system32\drivers\usbport.sys
2006/19/03 12:05p 137936 --a------ C:\WINNT\system32\drivers\dmio.sys
2006/19/03 12:05p 11984 --a------ C:\WINNT\system32\drivers\ndisuio.sys
2006/19/03 12:05p 11792 --a------ C:\WINNT\system32\drivers\partmgr.sys
2006/19/03 12:05p 11632 --a------ C:\WINNT\system32\drivers\mouhid.sys
2006/19/03 12:05p 11536 --a------ C:\WINNT\system32\drivers\acpiec.sys
2006/19/03 12:05p 109584 --a------ C:\WINNT\system32\drivers\pcmcia.sys
2006/19/03 12:05p 10928 --a------ C:\WINNT\system32\drivers\tape.sys
2006/19/03 12:05p 10384 --a------ C:\WINNT\system32\drivers\sfloppy.sys
2006/19/03 12:05p 10288 --a------ C:\WINNT\system32\drivers\irenum.sys
2006/19/03 08:05a 9808 --a------ C:\WINNT\system32\drivers\gameenum.sys
2006/19/03 08:05a 73872 --a------ C:\WINNT\system32\drivers\wdmaud.sys
2006/19/03 08:05a 53552 --a------ C:\WINNT\system32\drivers\swmidi.sys
2006/19/03 08:05a 47568 --a------ C:\WINNT\system32\drivers\sysaudio.sys
2006/19/03 08:05a 35344 --a------ C:\WINNT\system32\drivers\redbook.sys
2006/19/03 08:05a 21008 --a------ C:\WINNT\system32\drivers\AGP440.SYS
2006/19/03 08:05a 148304 --a------ C:\WINNT\system32\drivers\kmixer.sys
2005/31/06 03:14a 415536 --a------ C:\WINNT\system32\drivers\mrxsmb.sys
2005/10/05 02:20a 513424 --a------ C:\WINNT\system32\drivers\ntfs.sys
2005/09/05 09:57a 17286 --a------ C:\WINNT\system32\drivers\RimUsb.sys
2005/03/05 03:09p 1033728 --a------ C:\WINNT\system32\drivers\HSF_DPV.SYS
2005/03/05 03:08p 705408 --a------ C:\WINNT\system32\drivers\HSF_CNXT.sys
2005/03/05 03:08p 208384 --a------ C:\WINNT\system32\drivers\HSFHWICH.sys
2005/03/05 01:10a 238928 --a------ C:\WINNT\system32\drivers\SRV.SYS
2005/03/04 04:26p 80384 --a------ C:\WINNT\system32\drivers\gtipci21.sys
2004/25/06 07:08p 320336 --a------ C:\WINNT\system32\drivers\tcpip.sys
2004/21/05 01:03a 127568 --a------ C:\WINNT\system32\drivers\AFD.SYS
2004/21/03 11:49p 80848 --a------ C:\WINNT\system32\drivers\ipsec.sys
2004/13/05 11:59p 136880 --------- C:\WINNT\system32\drivers\fltmgr.sys
2004/08/05 04:51a 63248 --a------ C:\WINNT\system32\drivers\cdfs.sys
2004/08/05 04:51a 175632 --a------ C:\WINNT\system32\drivers\netbt.sys
2003/17/04 12:04p 13059 --a------ C:\WINNT\system32\drivers\mdmxsdk.sys
2003/10/05 04:56p 273168 --a------ C:\WINNT\system32\drivers\STAC97.sys
2003/01/05 07:49p 670128 --a------ C:\WINNT\system32\drivers\vpn.sys
2003/01/05 07:49p 2041904 --------- C:\WINNT\system32\drivers\fw.sys
2003/01/05 07:49p 17456 --a------ C:\WINNT\system32\drivers\scap.sys
2003/01/05 07:49p 14924 --a------ C:\WINNT\system32\drivers\OMVA.sys
2002/25/03 03:50p 8704 --a------ C:\WINNT\system32\drivers\UsbFltr.sys
2002/09/06 02:50a 8992 --a------ C:\WINNT\system32\drivers\idisw2km.sys
2002/09/06 02:50a 11744 --a------ C:\WINNT\system32\drivers\kbstuff5.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
@=""
"RCN Desktop v2.0"="\"C:\\WINNT\\system32\\RCN Desktop v2.0.EXE\" /S"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"ctfmon.exe"="ctfmon.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"RunStartupScriptSync"=dword:00000001
"HideStartupScripts"=dword:00000001
"HideShutdownScripts"=dword:00000001
"MaxGPOScriptWait"=dword:00000000
"SynchronousMachineGroupPolicy"=dword:00000001
"SynchronousUserGroupPolicy"=dword:00000001
"LogonType"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"NoDispSettingsPage"=dword:00000001
"HideLegacyLogonScripts"=dword:00000000
"HideLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000001
"ConnectHomeDirToRoot"=dword:00000000
"NoDispScrSavPage"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=dword:00000001
"NoWelcomeScreen"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=dword:00000002
"Btn_Forward"=dword:00000002
"Btn_Stop"=dword:00000002
"Btn_Refresh"=dword:00000002
"Btn_Home"=dword:00000002
"Btn_Search"=dword:00000002
"Btn_History"=dword:00000002
"Btn_Favorites"=dword:00000002
"Btn_Folders"=dword:00000002
"Btn_Fullscreen"=dword:00000002
"Btn_Tools"=dword:00000002
"Btn_MailNews"=dword:00000002
"Btn_Size"=dword:00000002
"Btn_Print"=dword:00000002
"Btn_Edit"=dword:00000002
"Btn_Discussions"=dword:00000002
"Btn_Cut"=dword:00000002
"Btn_Copy"=dword:00000002
"Btn_Paste"=dword:00000002
"Btn_Encoding"=dword:00000002
"EnforceShellExtensionSecurity"=dword:00000001
"NoHardwareTab"=dword:00000001
"NoChangeKeyboardNavigationIndicators"=dword:00000001
"NoDFSTab"=dword:00000001
"NoWindowsUpdate"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001
"NoPropertiesMyDocuments"=dword:00000001
"NoPropertiesMyComputer"=dword:00000001
"DisablePersonalDirChange"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"NoWelcomeScreen"=dword:00000001
"DisallowRun"=dword:00000001
"Intellimenus"=dword:00000001
"PromptRunasInstallNetPath"=dword:00000001
"NoThemesTab"=dword:00000001
"NoDesktopCleanupWizard"=dword:00000001
"NoAutoUpdate"=dword:00000001
"ConfirmFileDelete"=dword:00000001
"NoCDBurning"=dword:00000001
"NoSecurityTab"=dword:00000001
"NoThumbnailCache"=dword:00000001
"NoSimpleStartMenu"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"ForceClassicControlPanel"=dword:00000001
"NoWebServices"=dword:00000001
"NoInternetOpenWith"=dword:00000001
"NoOnlinePrintsWizard"=dword:00000001
"NoPublishingWizard"=dword:00000001
"DisallowCpl"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]
"1"="Administrative Tools"
"2"="firewall.cpl"
"3"="Folder Options"
"4"="Fonts"
"5"="hdwwiz.cpl"
"6"="igfxcpl.cpl"
"7"="inetcpl.cpl"
"8"="intl.cpl"
"9"="irprops.cpl"
"10"="joy.cpl"
"11"="jpicpl32.cpl"
"12"="mmsys.cpl"
"13"="ncpa.cpl"
"14"="netsetup.cpl"
"15"="Network and Dial-up Connections"
"16"="nusrmgr.cpl"
"17"="nvcpl.cpl"
"18"="nvtuicpl.cpl"
"19"="nwc.cpl"
"20"="plugincpl13121.cpl"
"21"="plugincpl13122.cpl"
"22"="plugincpl13125.cpl"
"23"="powercfg.cpl"
"24"="s32lucp1.cpl"
"25"="Scheduled Tasks"
"26"="smaxesp.cpl"
"27"="smscfg.cpl"
"28"="sticpl.cpl"
"29"="SYSDM.cpl"
"30"="telephon.cpl"
"31"="timedate.cpl"
"32"="wscui.cpl"
"33"="wuaucpl.cpl"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"="freecell.exe"
"2"="MSOffice.exe"
"3"="pinball.exe"
"4"="sol.exe"
"5"="winmine.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 14:37:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: Mon 04/23/2007 14:38:02
C:\ComboFix-quarantined-files.txt ... 04/23/07 02:38p
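
The "Reg Loading Points" section of the log above lists the autostart locations a Vundo cleanup is checked against (Run keys, Browser Helper Objects, ShellExecuteHooks, Winlogon\Notify packages), and the DLLs named earlier in this thread (ddccd.dll, pmkhf.dll, mljgd.dll) all follow the same five-random-letter pattern. The Python below is an added example, not code from this thread, from ComboFix or from any of the tools mentioned here: it parses a slice of text in ComboFix's loading-points layout and pulls out the entries worth a second look. The sample log is constructed; the mljgd.dll BHO, the pmkhf Run value and the ddccd Notify key in it are made up to exercise the checks and do not come from the log posted above, and the five-letter rule is a heuristic drawn from the names in this thread, so every hit still needs checking against the file on disk (signer, hash, timestamp) before anything is removed.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The legitimate-looking entries copy the layout of the log in this thread; the
# mljgd.dll BHO, the pmkhf Run value and the ddccd Notify key are constructed
# here to exercise the checks and are NOT taken from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{00000000-0000-0000-0000-000000000001} C:\WINNT\system32\mljgd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"pmkhf"="rundll32.exe C:\\WINNT\\system32\\pmkhf.dll,a"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccd
"""

MODULE_PATH = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:dll|exe|ocx)')
RANDOM_FILE = re.compile(r"^[a-z]{5}\.(?:dll|exe)$")      # heuristic, see below
RANDOM_NAME = re.compile(r"^[a-z]{5}$")
WINLOGON_NOTIFY = re.compile(r"(?i)\\winlogon\\notify\\([^\\\s]+)$")
VALUE_LINE = re.compile(r'^"([^"]*)"="(.*)"$')

Finding = Tuple[str, str, str]  # (loading point, entry, reason)


def parse_loading_points(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (loading point, entry) pairs from a ComboFix-style listing.

    Bracketed lines open a section. Bare HKEY_ lines are either a
    Winlogon\\Notify subkey (one autostart each) or a section header.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if line.upper().startswith("HKEY_"):
            m = WINLOGON_NOTIFY.search(line)
            if m:
                yield ("winlogon\\notify", m.group(1))
            else:
                current = line
            continue
        if current is not None:
            yield (current, line)


def looks_like_vundo_module(path: str) -> bool:
    """Heuristic taken from the names in this thread (ddccd.dll, pmkhf.dll,
    mljgd.dll): five random lowercase letters dropped into system32.
    A hit is a lead to verify (signer, hash, timestamp), not a verdict."""
    folder, _, name = path.rpartition("\\")
    return folder.lower().endswith("\\system32") and RANDOM_FILE.match(name) is not None


def triage(text: str) -> List[Finding]:
    """Return the loading-point entries that deserve a manual look."""
    findings: List[Finding] = []
    for point, entry in parse_loading_points(text):
        if point == "winlogon\\notify":
            if RANDOM_NAME.match(entry):
                findings.append((point, entry, "random-looking Winlogon Notify package"))
            continue
        # ComboFix prints values .reg-style, so "\\" is one backslash on disk
        for path in MODULE_PATH.findall(entry.replace("\\\\", "\\")):
            if looks_like_vundo_module(path):
                findings.append((point, path, "5-letter module name in system32"))
        if point.lower().endswith("\\shellexecutehooks"):
            v = VALUE_LINE.match(entry)
            if v and v.group(2) == "":
                findings.append((point, v.group(1),
                                 "ShellExecuteHook with no description: resolve the CLSID's InprocServer32"))
    return findings


if __name__ == "__main__":
    for point, entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}\n    at {point}")
```

Run against the sample it reports the two five-letter DLLs, the unnamed ShellExecuteHook CLSID and the five-letter Notify key, and nothing for the IntelliPoint, Spybot and AVG entries. The unnamed hook is listed for review only; a blank description is normal for some legitimate products, which is why the finding says to resolve the CLSID rather than to delete it.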

#6 Daemon (Security Expert)

Posted 24 April 2007 - 01:24 AM

Looks better - how is it running now?

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 ksavell (Topic Starter)

Posted 24 April 2007 - 06:40 AM

Perfect!

Thank you for your help and experience.

#8 Daemon (Security Expert)

Posted 24 April 2007 - 01:15 PM

You're welcome - glad to help :thumbsup:

To help keep you clean follow the recommendations in the article here:

So how did I get infected?
As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
