Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

visfx500new.exe [RESOLVED]


  • This topic is locked This topic is locked

#1
AbsolutStoli

AbsolutStoli

    New Member

  • Member
  • Pip
  • 9 posts
hello,

an IT guy was fixing something on my computer and he noticed this file on the c:/ drive and told me it doesnt belong there. i ran a search in the registry but it didnt find a listing for the file there. this is what he suggested first.

then i ran through the suggested malware removal steps and removed what came up. however, this visfx500new.exe didnt get picked up, it is still there and i dont know what it is or how to safely remove it. i cant risk screwing up the computer because its my work laptop.

here is the hijackthis log file, it doesnt appear on the log, but its definitely on my c:/ drive. can someone give me a clue? if you want me to post any other logs, let me know. thank you in advance!


Logfile of HijackThis v1.99.1
Scan saved at 2:16:01 AM, on 8/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTx\GSBootTimeSrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\vnxserv.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
D:\Content Download\731439\Program\Digital Distribution.exe
C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTX\MNMCtrl.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KPMG eSupport Center\bin\mpbtn.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\Documents and Settings\dcotler\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kworld.kp...rch/USearch.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://kpmgproxy.com/kpmg_ie6.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://kpmgproxy.com/kpmgproxy.pac:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Digital Distribution] "D:\Content Download\731439\Program\Digital Distribution.exe" -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LU Check] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpdn_lu.exe /s
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MNM] "C:\Program Files\GlobeSoft\MultiNetwork Manager\\NTX\MNMCtrl" /h /d 20
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: KPMG eSupport Center.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\netware\nwws2nds.dll' missing
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://www.kpmgtax.com
O15 - Trusted Zone: http://www.matrixcapitalonline.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://www.micromash.net
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://www.kpmgtax.com (HKLM)
O15 - Trusted Zone: http://www.matrixcapitalonline.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://www.micromash.net (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: TIMEnX - http://timenx.us.kwo....com/TIMEnX.cab
O16 - DPF: TIMEnX Client Library - http://timenx.us.kwo...m/tnxclient.cab
O16 - DPF: TIMEnX Fonts - http://timenx.us.kwo....com/TmxFnt.cab
O16 - DPF: TIMEnX JFC Library - http://timenx.us.kwo....com/tnxjfc.cab
O16 - DPF: TIMEnX VisiBroker Library - http://timenx.us.kwo...g.com/tnxvb.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6D59A1DF-87FB-11D4-836D-00805F6FC463} - http://usisweb.us.kw...20/SetupINF.cab
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://s13.kclient....etup/client.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.virtualp...ecom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.virtualp.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\Software\..\Telephony: DomainName = us.kworld.kpmg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GSBootTimeSrv - Globesoft® Corporation - C:\Program Files\GlobeSoft\MultiNetwork Manager\NTx\GSBootTimeSrv.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG - C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Vsclient Service (Vsclient_Service) - Unknown owner - C:\WINDOWS\System32\vnxserv.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
  • 0

Advertisements


#2
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, find, zip and send this file:

C:\WINDOWS\system32\wfxqhv.exe

to this e-mail address including a link to this thread in the body of the email. I'll get back to you about it if any further action is required.
  • 0

#3
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan and a new HijackThis log.

  • 0

#4
AbsolutStoli

AbsolutStoli

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ok, ran the ewido scan, here is the report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:39:09 PM 8/15/2006

+ Scan result:



D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
D:\Documents and Settings\dcotler\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end



here is the new hijack this report:

Logfile of HijackThis v1.99.1
Scan saved at 8:54:02 PM, on 8/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTx\GSBootTimeSrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\vnxserv.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
D:\Content Download\731439\Program\Digital Distribution.exe
C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTX\MNMCtrl.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KPMG eSupport Center\bin\mpbtn.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\dcotler\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.kworld.kp...rch/USearch.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided

by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =

http://kpmgproxy.com/kpmg_ie6.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

http://kpmgproxy.com/kpmgproxy.pac:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Digital Distribution] "D:\Content Download\731439\Program\Digital Distribution.exe"

-startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LU Check] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpdn_lu.exe /s
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

-onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MNM] "C:\Program Files\GlobeSoft\MultiNetwork Manager\\NTX\MNMCtrl" /h /d 20
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy

Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: KPMG eSupport Center.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook

Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\netware\nwws2nds.dll' missing
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://www.kpmgtax.com
O15 - Trusted Zone: http://www.matrixcapitalonline.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://www.micromash.net
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://www.kpmgtax.com (HKLM)
O15 - Trusted Zone: http://www.matrixcapitalonline.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://www.micromash.net (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: TIMEnX - http://timenx.us.kwo....com/TIMEnX.cab
O16 - DPF: TIMEnX Client Library - http://timenx.us.kwo...m/tnxclient.cab
O16 - DPF: TIMEnX Fonts - http://timenx.us.kwo....com/TmxFnt.cab
O16 - DPF: TIMEnX JFC Library - http://timenx.us.kwo....com/tnxjfc.cab
O16 - DPF: TIMEnX VisiBroker Library - http://timenx.us.kwo...g.com/tnxvb.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) -

http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -

http://upload.facebo...otoUploader.cab
O16 - DPF: {6D59A1DF-87FB-11D4-836D-00805F6FC463} -

http://usisweb.us.kw...20/SetupINF.cab
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) -

https://s13.kclient....etup/client.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) -

https://www.virtualp...2941851571885da

bc944/whalecom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) -

https://www.virtualp.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\Software\..\Telephony: DomainName = us.kworld.kpmg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS

Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program

Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program

Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido

anti-spyware 4.0\guard.exe
O23 - Service: GSBootTimeSrv - Globesoft® Corporation - C:\Program Files\GlobeSoft\MultiNetwork

Manager\NTx\GSBootTimeSrv.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program

Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program

Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG - C:\Program Files\KPMG\Global

Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook

Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation -

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program

Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Vsclient Service (Vsclient_Service) - Unknown owner - C:\WINDOWS\System32\vnxserv.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program

Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program

Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
  • 0

#5
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Could you repost your HJT log without wordwrap - makes it easier to read.

Thanks.
  • 0

#6
AbsolutStoli

AbsolutStoli

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
sure thing, sorry about that.

i hope this works...


Logfile of HijackThis v1.99.1
Scan saved at 9:55:21 PM, on 8/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTx\GSBootTimeSrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\vnxserv.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
D:\Content Download\731439\Program\Digital Distribution.exe
C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTX\MNMCtrl.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KPMG eSupport Center\bin\mpbtn.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
D:\Documents and Settings\dcotler\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kworld.kp...rch/USearch.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://kpmgproxy.com/kpmg_ie6.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://kpmgproxy.com/kpmgproxy.pac:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Digital Distribution] "D:\Content Download\731439\Program\Digital Distribution.exe" -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LU Check] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpdn_lu.exe /s
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MNM] "C:\Program Files\GlobeSoft\MultiNetwork Manager\\NTX\MNMCtrl" /h /d 20
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: KPMG eSupport Center.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\netware\nwws2nds.dll' missing
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://www.kpmgtax.com
O15 - Trusted Zone: http://www.matrixcapitalonline.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://www.micromash.net
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://www.kpmgtax.com (HKLM)
O15 - Trusted Zone: http://www.matrixcapitalonline.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://www.micromash.net (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: TIMEnX - http://timenx.us.kwo....com/TIMEnX.cab
O16 - DPF: TIMEnX Client Library - http://timenx.us.kwo...m/tnxclient.cab
O16 - DPF: TIMEnX Fonts - http://timenx.us.kwo....com/TmxFnt.cab
O16 - DPF: TIMEnX JFC Library - http://timenx.us.kwo....com/tnxjfc.cab
O16 - DPF: TIMEnX VisiBroker Library - http://timenx.us.kwo...g.com/tnxvb.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6D59A1DF-87FB-11D4-836D-00805F6FC463} - http://usisweb.us.kw...20/SetupINF.cab
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://s13.kclient....etup/client.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.virtualp...ecom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.virtualp.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\Software\..\Telephony: DomainName = us.kworld.kpmg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GSBootTimeSrv - Globesoft® Corporation - C:\Program Files\GlobeSoft\MultiNetwork Manager\NTx\GSBootTimeSrv.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG - C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Vsclient Service (Vsclient_Service) - Unknown owner - C:\WINDOWS\System32\vnxserv.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

Edited by AbsolutStoli, 16 August 2006 - 07:57 PM.

  • 0

#7
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmm.. Ewido should have removed that file you first mentioned - had you already deleted it prior to running the scan? Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O18 - Filter: text/html - (no CLSID) - (no file)


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here. Also, download and run Silent Runners.vbs from HERE

It generates a log, please post the information back in this thread

Edited by Daemon, 17 August 2006 - 12:32 AM.

  • 0

#8
AbsolutStoli

AbsolutStoli

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
nope, i have not deleted the visfx file, its still in my c:\ drive. i also think its strange why its not showing up in any of the scans.

here is the hijackthis log after i fixed the two lines you indicated.

Logfile of HijackThis v1.99.1
Scan saved at 2:59:29 AM, on 8/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTx\GSBootTimeSrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\vnxserv.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
D:\Content Download\731439\Program\Digital Distribution.exe
C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GlobeSoft\MultiNetwork Manager\NTX\MNMCtrl.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KPMG eSupport Center\bin\mpbtn.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
D:\Documents and Settings\dcotler\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kworld.kp...rch/USearch.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://kpmgproxy.com/kpmg_ie6.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://kpmgproxy.com/kpmgproxy.pac:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Digital Distribution] "D:\Content Download\731439\Program\Digital Distribution.exe" -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LU Check] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpdn_lu.exe /s
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MNM] "C:\Program Files\GlobeSoft\MultiNetwork Manager\\NTX\MNMCtrl" /h /d 20
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: KPMG eSupport Center.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\netware\nwws2nds.dll' missing
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://www.kpmgtax.com
O15 - Trusted Zone: http://www.matrixcapitalonline.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://www.micromash.net
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://www.kpmgtax.com (HKLM)
O15 - Trusted Zone: http://www.matrixcapitalonline.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://www.micromash.net (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: TIMEnX - http://timenx.us.kwo....com/TIMEnX.cab
O16 - DPF: TIMEnX Client Library - http://timenx.us.kwo...m/tnxclient.cab
O16 - DPF: TIMEnX Fonts - http://timenx.us.kwo....com/TmxFnt.cab
O16 - DPF: TIMEnX JFC Library - http://timenx.us.kwo....com/tnxjfc.cab
O16 - DPF: TIMEnX VisiBroker Library - http://timenx.us.kwo...g.com/tnxvb.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6D59A1DF-87FB-11D4-836D-00805F6FC463} - http://usisweb.us.kw...20/SetupINF.cab
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://s13.kclient....etup/client.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.virtualp...ecom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.virtualp.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\Software\..\Telephony: DomainName = us.kworld.kpmg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.kworld.kpmg.com
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GSBootTimeSrv - Globesoft® Corporation - C:\Program Files\GlobeSoft\MultiNetwork Manager\NTx\GSBootTimeSrv.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG - C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Vsclient Service (Vsclient_Service) - Unknown owner - C:\WINDOWS\System32\vnxserv.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe



here is the silent runner report:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"vptray" = "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" ["Symantec Corporation"]
"Digital Distribution" = ""D:\Content Download\731439\Program\Digital Distribution.exe" -startup" ["BackWeb Technologies Inc. "]
"Motive SmartBridge" = "C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"LU Check" = "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpdn_lu.exe /s" ["Symantec Corporation"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"NWTRAY" = "NWTRAY.EXE" ["Novell, Inc."]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"hkss" = "C:\Program Files\Compaq\Hotkey Software\hkss.exe" ["Compaq Computer Corporation"]
"eabconfg.cpl" = "C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start" ["Compaq"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"AeXSWDUsr" = ""C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"" ["Altiris"]
"DataLayer" = "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" ["Nokia"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Drag'n'Drop_Autolaunch" = ""C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"" ["Iomega Corporation"]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MNM" = ""C:\Program Files\GlobeSoft\MultiNetwork Manager\\NTX\MNMCtrl" /h /d 20" ["Globesoft® Corporation"]
"SpySweeperEnterprise" = ""C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray" ["Webroot Software, Inc."]
"defender" = (empty string)
"keyboard" = (empty string)

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{AF8DE18D-9065-4102-BC40-EB294A95BB07}" = "Novell Connections"
-> {HKLM...CLSID} = "Novell Connections"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nwshlxnt.dll" ["Novell, Inc."]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {HKLM...CLSID} = "Message View"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{C8E5821C-9D3A-48A4-953D-8C748802D2AE}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\lmann11N.dll" [file not found]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = (no title provided)
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "shdocvw.dll" [MS]
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "NWGINA.DLL" ["Novell, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NetWareMenuItems\(Default) = "{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4}"
-> {HKLM...CLSID} = "Menu Handlers for NetWare Capture"
\InProcServer32\(Default) = "novnpnt.dll" ["Novell, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NetWareMenuItems\(Default) = "{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4}"
-> {HKLM...CLSID} = "Menu Handlers for NetWare Capture"
\InProcServer32\(Default) = "novnpnt.dll" ["Novell, Inc."]
NetWareServerMenu\(Default) = "{9b173360-732b-11ce-aa22-00805f9834b0}"
-> {HKLM...CLSID} = "Shell Extensions for NetWare Trees and Servers"
\InProcServer32\(Default) = "novnpnt.dll" ["Novell, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\
HIJACK WARNING! "DisableWindowsUpdateAccess"=dword:00000001
[disables Windows Update web site functionality]
{User Configuration|Administrative Templates|Windows Components|
Windows Update|Remove access to use all Windows Update features}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\
HIJACK WARNING! "DisableConfig"=dword:00000001
[disables options on Control Panel|System|System Restore (tab)]
{Computer Configuration|Administrative Templates|System|System Restore|
Turn off Configuration}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\dcotler\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
  • 0

#9
AbsolutStoli

AbsolutStoli

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
so this thread kind of died...i havent heard anything since my last post, any news? thanks again for your help.
  • 0

#10
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Apologies - I didn't get a notification of your previous reply. Delete that rogue file from your C drive.

The logs look OK - post a updated HJT log for a final check.
  • 0

#11
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP