
Need help removing Trojan and other spyware



shri999
2007-11-25, 21:25
Hi,

I am infected with a Trojan and other spyware. I followed the instructions from the 'Before you Post' topic by Tashi.

a) Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:50 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\TEMP\BAD14C.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Siemens\Card API\bin\siecacst.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MWSnap\MWSnap.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.siemens.net/cgi-bin/iesearch.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.siemens.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.siemens.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Energy & Automation, Inc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaproxy.us002.siemens.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.siemens.com;*.siemens.net;*.sitest.net;*.sbs.de;*.spls.de;*.murrayconnect.com;*.murrayelectrical.com;*.smartpipes.net;*.esm.uu.net;*.siemens.co.in;*.pbk.mci.com;*.siemens.de;sales.asirobicon.com;*.us.na-asirob.local;*.siemensvdo.com;*.berwanger.n*;<local>
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {456E797E-FEEE-4A6C-A6F4-D9461B7CEDBE} - C:\Program Files\Common Files\niwy24418.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MWSnap] "C:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - Startup: Livelink Explorer Synchronizer.lnk = C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Cisco Security Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://go.siemens.com
O15 - Trusted Zone: *.3dpublisher.net
O15 - Trusted Zone: *.asirobicon.com
O15 - Trusted Zone: *.authoria.com
O15 - Trusted Zone: *.berwanger.com
O15 - Trusted Zone: *.bmgi.com
O15 - Trusted Zone: *.bxwa.com
O15 - Trusted Zone: *.cargill.com
O15 - Trusted Zone: *.carrlane.com
O15 - Trusted Zone: *.cchgroup.com
O15 - Trusted Zone: *.charteroneonline.com
O15 - Trusted Zone: *.cisco.com
O15 - Trusted Zone: *.citizensbankonline.com
O15 - Trusted Zone: *.cognos.com
O15 - Trusted Zone: *.construction.com
O15 - Trusted Zone: *.dell.com
O15 - Trusted Zone: *.e-qip.opm.gov
O15 - Trusted Zone: *.enternetbank.com
O15 - Trusted Zone: *.eworkplace.bz
O15 - Trusted Zone: *.fdnet.com
O15 - Trusted Zone: *.fedex.com
O15 - Trusted Zone: *.fidelity.com
O15 - Trusted Zone: *.geindustrial.com
O15 - Trusted Zone: *.gensurvey.com
O15 - Trusted Zone: *.hewitt.com
O15 - Trusted Zone: *.hubspan.net
O15 - Trusted Zone: *.imagex.com
O15 - Trusted Zone: *.indx.com
O15 - Trusted Zone: *.infotriever.com
O15 - Trusted Zone: *.lmig.com
O15 - Trusted Zone: *.meetingplace.net
O15 - Trusted Zone: *.merc-int.com
O15 - Trusted Zone: *.mobilephone.net
O15 - Trusted Zone: *.moneycentral.msn.com
O15 - Trusted Zone: *.mymeetings.com
O15 - Trusted Zone: *.nationalcar.com
O15 - Trusted Zone: *.netglearning.com
O15 - Trusted Zone: *.newark.com
O15 - Trusted Zone: *.newarkinone.com
O15 - Trusted Zone: *.octanner.com
O15 - Trusted Zone: *.opm.gov
O15 - Trusted Zone: *.pbe.org
O15 - Trusted Zone: *.pcconnection.com
O15 - Trusted Zone: *.peopleclick.com
O15 - Trusted Zone: *.placeware.com
O15 - Trusted Zone: *.pwrm.com
O15 - Trusted Zone: *.quickparts.com
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.shi.com
O15 - Trusted Zone: *.siemens-pmct.com
O15 - Trusted Zone: qms.sea.siemens.com
O15 - Trusted Zone: qmsqa.sea.siemens.com
O15 - Trusted Zone: qmsdev.us002.siemens.net
O15 - Trusted Zone: *.siemenshealthservices.com
O15 - Trusted Zone: *.siequence.com
O15 - Trusted Zone: *.smsds.com
O15 - Trusted Zone: *.tbgfinancial.com
O15 - Trusted Zone: *.trammellcrow.com
O15 - Trusted Zone: *.us.na-asirob.local
O15 - Trusted Zone: *.usbank.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: *.sap-ag.de (HKLM)
O15 - Trusted Zone: *.sap.com (HKLM)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://connect.sea.siemens.com/vdesk/terminal/urxvpn.cab#version=5600,0,61228,0058
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connect.sea.siemens.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://connect.sea.siemens.com/vdesk/terminal/urTermProxy.cab#version=5600,0,61228,0055
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://connect.sea.siemens.com/vdesk/terminal/urxshost.cab#version=5600,0,61017,0703
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://connect.sea.siemens.com/vdesk/terminal/urxhost.cab#version=5600,0,61228,0050
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\Software\..\Telephony: DomainName = us002.siemens.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C69307D-A8BE-4611-AF2E-A956128B55A8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{58BD7518-DE43-45F4-A4B8-7B9F20623C24}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBE9404B-751B-45B5-B403-0D2A3C046C0E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us002.siemens.net,sea.siemens.com,siemens.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C69307D-A8BE-4611-AF2E-A956128B55A8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us002.siemens.net,sea.siemens.com,siemens.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CatSystem (CatSystemSvc) - Siemens AG - C:\WINDOWS\CatPC\CatSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\CORINA VPN\Extranet_serv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 12791 bytes
_________________________________________________________________

I didn't have administrative rights to run an online scan with Kaspersky Online Scanner.

Just for the record, I also ran Spybot S&D.

Thanks in advance.

Regards
Shri