My Browser was Hijacked



Ironman
2008-01-12, 17:53
Hi, I hope someone can help me. I have a Hijacker that just keeps coming back. It happens with Internet Explorer and Firefox…but more with IE. Here are a few sites that are coming up…

w ww.wallst.net
w ww.setthetrend.com
w ww.commercialloansolutions.net

Also my cookie setting is always changing back to “Accept all Cookies”

After following your instructions, here are my results:

You have no idea how much I appreciate what you are doing …Thank you!!!!



Kaspersky Text File:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 12, 2008 10:21:35 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/01/2008
Kaspersky Anti-Virus database records: 508736
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
H:\
T:\

Scan Statistics:
Total number of scanned objects: 85535
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:59:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_RI001SU-DBY1E.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_RI001SU-DBY1E.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080111_Time-164406375_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080111_Time-164406375_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\RI001SU\Application Data\Microsoft\Templates\Live Meeting Toolbar Cusomizations.dot Object is locked skipped
C:\Documents and Settings\RI001SU\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\RI001SU\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~DF23AE.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~DF248A.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~DF7E35.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~DF7E53.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~DFDA.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~DFFB71.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~WRD0003.doc Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temp\~WRF0002.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RI001SU\My Documents\interwise\participant\Logs\PLLog9.log Object is locked skipped
C:\Documents and Settings\RI001SU\My Documents\sites.doc Object is locked skipped
C:\Documents and Settings\RI001SU\My Documents\~WRL1025.tmp Object is locked skipped
C:\Documents and Settings\RI001SU\ntuser.dat Object is locked skipped
C:\Documents and Settings\RI001SU\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix Enterprise\BES Client\__BESData\__Global\Logs\20080112.log Object is locked skipped
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Microsoft Office\OFFICE11\STARTUP\PALMAPP.DOT Object is locked skipped
C:\Program Files\Network Associates\System Compliance Profiler\PtchScan.log Object is locked skipped
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Novadigm\Log\radexecd.log Object is locked skipped
C:\Program Files\Novadigm\Log\radsched.log Object is locked skipped
C:\Program Files\Novadigm\Log\radstgms.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B902E4F9-4EA6-4060-8AFF-1C7C775FF910}\RP122\A0072508.exe/file1 Infected: not-a-virus:FraudTool.Win32.AntiSpyware.a skipped
C:\System Volume Information\_restore{B902E4F9-4EA6-4060-8AFF-1C7C775FF910}\RP122\A0072508.exe/file3 Infected: not-a-virus:FraudTool.Win32.AntiSpyware.a skipped
C:\System Volume Information\_restore{B902E4F9-4EA6-4060-8AFF-1C7C775FF910}\RP122\A0072508.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{B902E4F9-4EA6-4060-8AFF-1C7C775FF910}\RP122\A0072512.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyware.a skipped
C:\System Volume Information\_restore{B902E4F9-4EA6-4060-8AFF-1C7C775FF910}\RP134\A0075751.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B902E4F9-4EA6-4060-8AFF-1C7C775FF910}\RP134\change.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\IE7_main.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\drivers\fidbox.dat Object is locked skipped
C:\WINNT\system32\drivers\fidbox.idx Object is locked skipped
C:\WINNT\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINNT\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\jkkjj.dll Infected: Virus.Win32.Trats.c skipped
C:\WINNT\system32\jkkjj.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:11 AM, on 01/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\enstart.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\notes\ntmulti.exe
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Interwise\Participant\pull.exe
C:\Program Files\WallData\SYSTEM\BrskStrt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pitbowa/hod/HODCached.html
F3 - REG:win.ini: load=C:\WINNT\system32\jkkjj.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O4 - Global Startup: RUMBA Lightning.lnk = C:\Program Files\WallData\SYSTEM\BrskStrt.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.pbi.global.pvt
O15 - Trusted Zone: *.pb.com
O15 - Trusted Zone: *.pitneybowes.ca
O15 - Trusted IP range: 161.228.211.79
O16 - DPF: MATCastInstaller - http://www.matcast.net/NewMATCastInstaller.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesshecl1.pb.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187981573285
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\Software\..\Telephony: DomainName = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8477 bytes

Simon V.
2008-01-14, 17:37
Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download and install CCleaner (http://www.ccleaner.com/download/builds/downloading-slim).

Open CCleaner. On the Windows tab, leave the default options alone.

On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
Click on the Run Cleaner button at the bottom right hand corner.
When the cleaner has completed, click Tools in the Left Pane.
Verify that Uninstall is highlighted in color, or click on it.
In the lower right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt.
Click Save, then exit CCleaner.

Step 2

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt).

Ironman
2008-01-15, 00:24
Got it thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:39 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\enstart.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\notes\ntmulti.exe
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Interwise\Participant\pull.exe
C:\Program Files\WallData\SYSTEM\BrskStrt.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\renames.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pbwebb.ct.pb.com/pbw/pbweb/ep/usaHome.do
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pb.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O4 - Global Startup: RUMBA Lightning.lnk = C:\Program Files\WallData\SYSTEM\BrskStrt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.pbi.global.pvt
O15 - Trusted Zone: *.pb.com
O15 - Trusted Zone: *.pitneybowes.ca
O15 - Trusted IP range: 161.228.211.79
O16 - DPF: MATCastInstaller - http://www.matcast.net/NewMATCastInstaller.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesshecl1.pb.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187981573285
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\Software\..\Telephony: DomainName = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O20 - Winlogon Notify: hggefcd - hggefcd.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8401 bytes

Ironman
2008-01-15, 00:25
AddressRight Pro
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.5
Adobe Shockwave Player
ApplicationXtender Adobe Component
ApplicationXtender KeyView Component
ApplicationXtender Scanning Component 5.30
Arrival Demonstrator
Arrival Product Demo
Arrival Runtime
a-squared Anti-Malware 3.1
a-squared HiJackFree 3.0
AT&T Global Network Client Professional
ATI Display Driver
Audacity 1.2.6
BigFix Enterprise Client
CCleaner (remove only)
Conexant D110 MDC V.9x Modem
Conexant HDA D110 MDC V.92 Modem
Cool Timer 2.1
Data Access Objects (DAO) 3.5
EasySync Pro
Firefox Windows Media Player XPI
Freecorder Toolbar 3.0 Application
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
IBM MQSeries Client V5.2
ieSpell
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
Interwise Participant
IPTV Viewer
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Kaspersky Online Scanner
Lotus Notes 6.0.3
McAfee VirusScan Enterprise
mCore
mDriver
mDrWiFi
MetaFrame Presentation Server Web Client for Win32
mGina
mHlpDell
Microsoft .NET Compact Framework 2.0 SP1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886904)
Microsoft .NET Framework 2.0
Microsoft Access 2000 SR-1
Microsoft Office Live Meeting 2005
Microsoft Office Live Meeting Add-in Pack
Microsoft Office Live Meeting PowerPoint Add-In
Microsoft Office Standard Edition 2003
Microsoft Office Visio Viewer 2003 (English)
mIWA
mLogView
mMHouse
Mozilla Firefox (2.0.0.11)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
mToolkit
mWlsSafe
mWMI
mXML
MySiebel75r20
mZConfig
NVIDIA Windows 2000/XP Display Drivers
PB Add Printer Utility
PB FIRST PD
PCTEL 2304WT V.9x MDC Modem Drivers
Pitney Bowes Addressing Printer
Pitney Bowes ScreenSaver 1.0
Pitney Bowes SmartMailer
Portfolio Browser
PrimoPDF Redistribution Package
Print Messenger 2.5.0.8
QuickTime
Radia Client
RealPlayer
RegCure 1.5.0.0
RUMBA 95 NT
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
ShipRequest
SIP Approval
Sonic RecordNow! Plus
SPT Desktop
Spybot - Search & Destroy
TrueCrypt
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
XoftSpySE

Ironman
2008-01-15, 00:27
The ComboFix one won't fit? What should I do?

Ironman
2008-01-15, 00:30
I'll attach it, I hope this is ok?

Ironman
2008-01-15, 02:09
I just split it....

ComboFix 08-01-09.2 - salesadmin 2008-01-14 17:44:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1501 [GMT -5:00]
Running from: C:\Documents and Settings\salesadmin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\cookies.ini
C:\WINNT\system32\aexpcsmc.dll
C:\WINNT\system32\bpfowuhr.ini
C:\WINNT\system32\daselmki.dll
C:\WINNT\system32\drivers\entdrv51.sys
C:\WINNT\system32\fteuwotj.dll
C:\WINNT\system32\ivdxmsdx.ini
C:\WINNT\system32\jjkkj.ini
C:\WINNT\system32\jjkkj.ini2
C:\WINNT\system32\jkkjj.dll
C:\WINNT\system32\jkkjj.exe
C:\WINNT\system32\jrfmvoro.ini
C:\WINNT\system32\kroaxapy.dll
C:\WINNT\system32\kroaxapy.dllbox
C:\WINNT\system32\maqbonra.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\nyxkdhvt.dll
C:\WINNT\system32\oclukghu.dll
C:\WINNT\system32\windows
C:\WINNT\system32\xesldofe.dll

Ironman
2008-01-15, 02:10
.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 17:42 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-14 12:22 . 2008-01-14 12:22 <DIR> d-------- C:\Program Files\CCleaner
2008-01-14 12:09 . 2008-01-14 12:09 3,079 --a------ C:\WINNT\system32\cvgjxinm.dll
2008-01-14 12:03 . 2008-01-14 12:03 3,079 --a------ C:\WINNT\system32\cafrvori.dll
2008-01-14 12:02 . 2008-01-14 12:02 3,079 --a------ C:\WINNT\system32\qwxdmtud.dll
2008-01-12 09:11 . 2008-01-12 09:11 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-01-11 14:32 . 2008-01-11 15:15 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-11 14:24 . 2008-01-11 14:24 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-01-11 13:58 . 2008-01-11 13:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-11 13:41 . 2005-08-25 18:19 115,920 --a------ C:\WINNT\system32\MSINET.OCX
2008-01-09 22:56 . 2008-01-12 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-09 22:18 . 2008-01-09 22:23 <DIR> d-------- C:\Program Files\RegCure
2008-01-09 21:58 . 2008-01-12 11:40 3,109,152 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-01-09 21:58 . 2008-01-12 11:40 436,512 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-01-09 21:58 . 2008-01-12 11:40 42,716 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-01-09 21:58 . 2008-01-12 11:40 41,996 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2008-01-09 21:55 . 2008-01-09 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-09 21:54 . 2008-01-09 21:54 <DIR> d-------- C:\KAV
2008-01-09 21:23 . 2008-01-09 21:23 <DIR> d-------- C:\WINNT\ERUNT
2008-01-09 21:10 . 2008-01-09 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-09 20:52 . 2008-01-11 16:40 <DIR> d-------- C:\VundoFix Backups
2008-01-09 20:13 . 2008-01-09 20:21 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-09 20:03 . 2008-01-09 20:36 <DIR> d-------- C:\Program Files\AdwareAlert
2008-01-09 20:03 . 2008-01-09 20:04 <DIR> d-------- C:\Documents and Settings\RI001SU\Application Data\AdwareAlert
2008-01-09 19:57 . 2008-01-09 20:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-09 19:56 . 2008-01-09 21:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-09 19:33 . 2008-01-09 19:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 16:46 . 2008-01-09 22:02 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-07 13:18 . 2008-01-09 14:44 <DIR> d-------- C:\Documents and Settings\RI001SU\Application Data\AntiSpyware
2008-01-07 08:55 . 2008-01-09 20:32 1,846,679 --ahs---- C:\WINNT\system32\aruknmxt.ini
2007-12-22 16:49 . 2007-12-23 12:51 <DIR> d-------- C:\WINNT\SxsCaPendDel
2007-12-22 16:43 . 2007-12-27 20:58 77,824 --a------ C:\WINNT\system32\hkcmd .exe
2007-12-22 16:43 . 2007-12-22 16:43 1,024 --a------ C:\WINNT\system32\drivers\536391BB-0722-44CC-AA1F-5DD835B737EF.cxv
2007-12-22 16:42 . 2007-12-27 10:21 94,208 --a------ C:\WINNT\system32\igfxtray .exe
2007-12-22 16:36 . 2007-12-22 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-20 22:48 . 2008-01-12 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 22:04 . 2007-12-20 22:04 1,024 --a------ C:\WINNT\system32\drivers\25633D73-769E-4692-9C81-77B31F394BCB.cxv
2007-12-20 16:52 . 2007-12-22 16:49 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-20 16:52 . 2007-12-20 16:52 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-20 16:52 . 2007-12-22 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 16:05 --------- d-----w C:\Program Files\Pitney Bowes SmartMailer
2008-01-10 15:39 --------- d-----w C:\Program Files\notes
2008-01-10 03:03 --------- d-----w C:\Program Files\Novadigm
2008-01-10 01:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 23:59 --------- d-----w C:\Program Files\AT&T Global Network Client
2008-01-02 14:53 491,520 ----a-w C:\WINNT\system32\enstart.exe
2008-01-02 14:53 491,520 ----a-w C:\WINNT\system32\_enstart.exe
2008-01-02 14:53 31,616 ----a-w C:\WINNT\system32\enstart_.sys
2007-12-11 14:23 --------- d-----w C:\Program Files\Interwise
2007-12-03 16:18 --------- d-----w C:\Program Files\MATCast
2007-11-29 21:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-29 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-27 01:00 59,904 ----a-w C:\WINNT\system32\drivers\mvstdi5x.sys
2007-11-27 01:00 36,922 ----a-w C:\WINNT\system32\entapi.dll
2007-11-27 01:00 117,024 ----a-w C:\WINNT\system32\drivers\naiavf5x.sys
2007-11-20 15:00 --------- d-----w C:\Program Files\Common Files\PitneyBowes Shared
2007-11-14 07:26 450,560 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-11-13 17:27 184,897 ----a-w C:\WINNT\system32\atasnt40.dll
2007-11-07 09:26 721,920 ----a-w C:\WINNT\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINNT\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINNT\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINNT\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-10-24 15:40 28,672 ----a-w C:\WINNT\system32\CPRN00.DLL
2007-10-24 15:29 40,960 ----a-w C:\WINNT\system32\CONTAN01.DLL
2007-10-24 15:29 28,672 ----a-w C:\WINNT\system32\PSOEL00.DLL
2007-10-24 15:29 24,576 ----a-w C:\WINNT\system32\CONTAN00.DLL
.

<pre>
----a-w 1,816,208 2008-01-11 20:06:11 C:\Program Files\a-squared Anti-Malware\a2guard .exe
----a-w 6,366,448 2008-01-10 01:34:42 C:\Program Files\AdwareAlert\AdwareAlert .exe
----a-w 24,576 2007-12-23 23:43:29 C:\Program Files\AT&T Global Network Client\NetSP .exe
----a-w 147,514 2007-12-29 12:48:07 C:\Program Files\Common Files\Network Associates\TalkBack\tbmon .exe
----a-w 28,672 2008-01-10 03:03:43 C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent .exe
----a-w 2,080,857 2008-01-03 17:40:33 C:\Program Files\EFI\PrintMessenger\dsfhost .exe
----a-w 847,872 2008-01-11 20:06:10 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w 6,731,312 2008-01-10 02:37:29 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 696,320 2008-01-10 03:03:43 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 802,816 2008-01-09 18:43:11 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 132,496 2008-01-10 02:37:08 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 231,952 2008-01-12 16:34:23 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w 136,512 2007-12-31 16:51:54 C:\Program Files\Network Associates\Common Framework\UdaterUI .exe
----a-w 98,304 2008-01-10 03:03:38 C:\Program Files\Network Associates\VirusScan\SHSTAT .EXE
----a-w 250,036 2008-01-10 03:03:41 C:\Program Files\Novadigm\radskman .exe
----a-w 1,103,752 2008-01-10 01:30:17 C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w 866,584 2008-01-10 02:37:14 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 151,322 2008-01-06 23:58:41 C:\WINNT\PBCache\ATTGlobal680\ATTGlobal .exe
----a-w 77,824 2007-12-28 01:58:45 C:\WINNT\system32\hkcmd .exe
----a-w 94,208 2007-12-27 15:21:56 C:\WINNT\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [ ]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINNT\system32\bthprops.cpl]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Global Network Client Monitor.lnk - C:\WINNT\Installer\{706CD0EB-D191-4821-A2FA-471CB1C6292A}\NetGM_1B536450052A4C0BA1B8FC31F1D473F7.exe [2007-08-21 09:41:33]
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2007-08-27 10:37:43]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
Push Client.LNK - C:\Program Files\Interwise\Participant\pull.exe [2007-12-11 09:23:44]
RUMBA Lightning.lnk - C:\Program Files\WallData\SYSTEM\BrskStrt.exe [1996-10-28 02:17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggefcd]
hggefcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 16:30 249856 c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MATCast]
--a------ 2007-11-16 12:23 655360 C:\Program Files\MATCast\MATCast.exe

R0 a320raid;a320raid;C:\WINNT\system32\DRIVERS\a320raid.sys [2004-06-15 12:06]
R1 enstart_;enstart_;C:\WINNT\system32\enstart_.sys [2008-01-02 09:53]
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINNT\system32\DRIVERS\agnwifi.sys [2004-04-29 16:19]
R2 enstart;enstart;C:\WINNT\system32\enstart.exe [2008-01-02 09:53]
R2 radexecd;Radia Notify Daemon;"C:\Program Files\Novadigm\radexecd.exe" [2005-05-04 15:35]
R2 radsched;Radia Scheduler Daemon;"C:\Program Files\Novadigm\radsched.exe" [2004-08-25 12:05]
R2 Radstgms;Radia MSI Redirector;"C:\Program Files\Novadigm\Radstgms.exe" [2006-06-07 09:58]
R3 agnfilt;AGN Filter Interface;C:\WINNT\system32\DRIVERS\agnfilt.sys [2006-05-19 08:46]
R3 RadiaMsi;RadiaMsi;C:\WINNT\system32\DRIVERS\radiamsi.sys [2006-05-15 11:20]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINNT\system32\DRIVERS\avpnnic.sys [2003-04-04 11:48]
S3 COAX;COAX;C:\WINNT\system32\drivers\COAX.sys [1997-12-22 12:43]
S3 GTIPCI21;GTIPCI21;C:\WINNT\system32\DRIVERS\gtipci21.sys [2004-05-03 09:26]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINNT\system32\DRIVERS\ozscr.sys [2002-11-08 13:13]
S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINNT\system32\DRIVERS\pcx500.sys [2004-08-03 22:06]
S3 RMBS;RMBS;C:\WINNT\system32\drivers\RMBS.sys [1998-02-06 16:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 08:00:00 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert .ex
- C:\Program Files\AdwareAlert
"2008-01-10 08:00:00 C:\WINNT\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
"2008-01-10 07:22:27 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-14 23:11:36 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-10 13:02:26 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-14 23:11:36 C:\WINNT\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-10 01:13:53 C:\WINNT\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 18:12:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 18:14:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 23:14:55

Simon V.
2008-01-15, 07:32
Hi :)

Step 1

Please go to VirusTotal (http://www.virustotal.com/) or Jotti (http://virusscan.jotti.org/) and upload C:\WINNT\system32\drivers\COAX.sys for scanning.

For VirusTotal:

Please copy and paste C:\WINNT\system32\drivers\COAX.sys in the text box next to the Browse... button.
Click on Send File.

For Jotti:

Please copy and paste C:\WINNT\system32\drivers\COAX.sys in the text box next to the Browse... button.
Click on Submit.

Copy/paste the results in Notepad and save them to your desktop.

Also do this for C:\WINNT\system32\drivers\RMBS.sys.

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:


File::

C:\WINNT\system32\cvgjxinm.dll
C:\WINNT\system32\cafrvori.dll
C:\WINNT\system32\qwxdmtud.dll
C:\WINNT\system32\CPRN00.DLL
C:\WINNT\system32\CONTAN01.DLL
C:\WINNT\system32\PSOEL00.DLL
C:\WINNT\system32\CONTAN00.DLL

Folder::

C:\VundoFix Backups
C:\Program Files\AdwareAlert
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert
C:\WINNT\system32\aruknmxt.ini

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggefcd]

RenV::

C:\Program Files\a-squared Anti-Malware\a2guard .exe
C:\Program Files\AdwareAlert\AdwareAlert .exe
C:\Program Files\AT&T Global Network Client\NetSP .exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon .exe
C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent .exe
C:\Program Files\EFI\PrintMessenger\dsfhost .exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\Program Files\Network Associates\Common Framework\UdaterUI .exe
C:\Program Files\Network Associates\VirusScan\SHSTAT .EXE
C:\Program Files\Novadigm\radskman .exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\WINNT\PBCache\ATTGlobal680\ATTGlobal .exe
C:\WINNT\system32\hkcmd .exe
C:\WINNT\system32\igfxtray .exe

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
Java(TM) 6 Update 3

Then download and install Java Runtime Environment (JRE) 6 Update 4 (http://java.sun.com/javase/downloads/index.jsp).

Step 4

In your next reply, please post:

the Virustotal/Jotti results
the Combofix log (C:\Combofix.txt)
a new HijackThis log
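
The RenV:: list above shows the characteristic Vundo trick of renaming security tools with a space before the extension ("a2guard .exe", "AdwareAlert .exe"), which is also why the scheduled-task entries in the ComboFix log later point at "AdwareAlert .ex". The following Python script is an added example, not part of this thread or of ComboFix: it walks a directory tree read-only and reports every file whose name has whitespace before an executable extension, together with the name it would have had before the rename. The extension list and the sample tree are constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions worth checking; constructed list for this example.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr"}

# Matches "name .exe": one or more spaces/tabs between the stem and the extension.
SPACED_EXT = re.compile(r"^(?P<stem>.*\S)[ \t]+(?P<ext>\.[A-Za-z0-9]{1,4})$")


def renamed_executables(root):
    """Return sorted (path, restored_name) pairs for files whose name carries
    whitespace before an executable extension. Read-only: nothing is renamed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = SPACED_EXT.match(name)
            if m and m.group("ext").lower() in EXECUTABLE_EXTS:
                restored = m.group("stem") + m.group("ext")
                findings.append((os.path.join(dirpath, name), restored))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample tree mimicking the RenV list from the thread."""
    layout = {
        "Program Files/a-squared Anti-Malware/a2guard .exe": b"MZ",
        "Program Files/AdwareAlert/AdwareAlert .exe": b"MZ",
        "WINNT/system32/hkcmd .exe": b"MZ",
        "WINNT/system32/igfxtray.exe": b"MZ",        # untouched: must not be reported
        "Documents/quarterly report .txt": b"text",  # space before a non-executable ext
    }
    for rel, content in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Build the sample tree in a temp dir and return findings as relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(Path(p).relative_to(tmp).as_posix(), restored)
                for p, restored in renamed_executables(tmp)]


if __name__ == "__main__":
    for path, restored in demo():
        print(f"{path}  ->  {restored}")
```

Run it against a real root (for example `renamed_executables(r"C:\Program Files")`) to get the same kind of list ComboFix was given; the point of keeping it read-only is that you review the findings before renaming anything back, since a file with a space in its name is only suspicious, not proof of tampering.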

Ironman
2008-01-15, 13:56
Got it

File COAX.sys received on 01.15.2008 13:14:18 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.15.11 2008.01.15 -
AntiVir 7.6.0.46 2008.01.15 -
Authentium 4.93.8 2008.01.13 -
Avast 4.7.1098.0 2008.01.14 -
AVG 7.5.0.516 2008.01.14 -
BitDefender 7.2 2008.01.15 -
CAT-QuickHeal 9.00 2008.01.14 -
ClamAV 0.91.2 2008.01.14 -
DrWeb 4.44.0.09170 2008.01.15 -
eSafe 7.0.15.0 2008.01.14 -
eTrust-Vet 31.3.5459 2008.01.15 -
Ewido 4.0 2008.01.14 -
FileAdvisor 1 2008.01.15 -
Fortinet 3.14.0.0 2008.01.15 -
F-Prot 4.4.2.54 2008.01.14 -
F-Secure 6.70.13030.0 2008.01.15 -
Ikarus T3.1.1.20 2008.01.15 -
Kaspersky 7.0.0.125 2008.01.15 -
McAfee 5206 2008.01.14 -
Microsoft 1.3109 2008.01.15 -
NOD32v2 2792 2008.01.15 -
Norman 5.80.02 2008.01.15 -
Panda 9.0.0.4 2008.01.14 -
Prevx1 V2 2008.01.15 -
Rising 20.27.12.00 2008.01.15 -
Sophos 4.24.0 2008.01.15 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.15 -
TheHacker 6.2.9.187 2008.01.13 -
VBA32 3.12.2.5 2008.01.13 -
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.15 -
Additional information
File size: 26368 bytes
MD5: a9d72fb4b7924597f3507c66268aac50
SHA1: a3db69672fde81124d29c32062260975829e400e
PEiD: -


File RMBS.sys received on 01.15.2008 13:22:54 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.15.11 2008.01.15 -
AntiVir 7.6.0.46 2008.01.15 -
Authentium 4.93.8 2008.01.13 -
Avast 4.7.1098.0 2008.01.14 -
AVG 7.5.0.516 2008.01.14 -
BitDefender 7.2 2008.01.15 -
CAT-QuickHeal 9.00 2008.01.14 -
ClamAV 0.91.2 2008.01.14 -
DrWeb 4.44.0.09170 2008.01.15 -
eSafe 7.0.15.0 2008.01.14 -
eTrust-Vet 31.3.5459 2008.01.15 -
Ewido 4.0 2008.01.14 -
FileAdvisor 1 2008.01.15 -
Fortinet 3.14.0.0 2008.01.15 -
F-Prot 4.4.2.54 2008.01.14 -
F-Secure 6.70.13030.0 2008.01.15 -
Ikarus T3.1.1.20 2008.01.15 -
Kaspersky 7.0.0.125 2008.01.15 -
McAfee 5206 2008.01.14 -
Microsoft 1.3109 2008.01.15 -
NOD32v2 2792 2008.01.15 -
Norman 5.80.02 2008.01.15 -
Panda 9.0.0.4 2008.01.14 -
Prevx1 V2 2008.01.15 -
Rising 20.27.12.00 2008.01.15 -
Sophos 4.24.0 2008.01.15 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.15 -
TheHacker 6.2.9.187 2008.01.13 -
VBA32 3.12.2.5 2008.01.13 -
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.15 -
Additional information
File size: 18048 bytes
MD5: e4de912199565d39fdaf35c9fd89769c
SHA1: 8c867028fb7466ec82023c9bb6cdd818a5eac563
PEiD: -

Ironman
2008-01-15, 13:56
ComboFix 08-01-09.2 - salesadmin 2008-01-15 7:34:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1551 [GMT -5:00]
Running from: C:\Documents and Settings\salesadmin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\salesadmin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINNT\system32\cafrvori.dll
C:\WINNT\system32\CONTAN00.DLL
C:\WINNT\system32\CONTAN01.DLL
C:\WINNT\system32\CPRN00.DLL
C:\WINNT\system32\cvgjxinm.dll
C:\WINNT\system32\PSOEL00.DLL
C:\WINNT\system32\qwxdmtud.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\RI001SU\Application Data\AdwareAlert
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert\Log\2008 Jan 09 - 08_03_48 PM_546.log
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert\Log\2008 Jan 09 - 08_03_55 PM_953.log
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert\Log\2008 Jan 09 - 08_30_51 PM_093.log
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert\Log\2008 Jan 09 - 08_34_23 PM_953.log
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert\Log\2008 Jan 09 - 08_34_43 PM_593.log
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert\rs.dat
C:\Documents and Settings\RI001SU\Application Data\AdwareAlert\Settings\ScanResults.pie
C:\Program Files\AdwareAlert
C:\Program Files\AdwareAlert\AdwareAlert.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\fuycbypf.dll.bad
C:\VundoFix Backups\gceobaaj.dll.bad
C:\VundoFix Backups\jjkkj.ini.bad
C:\VundoFix Backups\jjkkj.ini2.bad
C:\VundoFix Backups\ovbvqcdc.dll.bad
C:\VundoFix Backups\qtvbnyos.dll.bad
C:\VundoFix Backups\uninstall.exe.bad
C:\WINNT\system32\aruknmxt.ini\
C:\WINNT\system32\cafrvori.dll
C:\WINNT\system32\CONTAN00.DLL
C:\WINNT\system32\CONTAN01.DLL
C:\WINNT\system32\CPRN00.DLL
C:\WINNT\system32\cvgjxinm.dll
C:\WINNT\system32\PSOEL00.DLL
C:\WINNT\system32\qwxdmtud.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-14 17:42 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-14 12:22 . 2008-01-14 12:22 <DIR> d-------- C:\Program Files\CCleaner
2008-01-12 09:11 . 2008-01-12 09:11 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-01-11 14:32 . 2008-01-15 07:34 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-11 14:24 . 2008-01-11 14:24 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-01-11 13:58 . 2008-01-11 13:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-11 13:41 . 2005-08-25 18:19 115,920 --a------ C:\WINNT\system32\MSINET.OCX
2008-01-09 22:56 . 2008-01-12 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-09 22:18 . 2008-01-09 22:23 <DIR> d-------- C:\Program Files\RegCure
2008-01-09 21:58 . 2008-01-12 11:40 3,109,152 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-01-09 21:58 . 2008-01-12 11:40 436,512 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-01-09 21:58 . 2008-01-12 11:40 42,716 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-01-09 21:58 . 2008-01-12 11:40 41,996 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2008-01-09 21:55 . 2008-01-09 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-09 21:54 . 2008-01-09 21:54 <DIR> d-------- C:\KAV
2008-01-09 21:23 . 2008-01-09 21:23 <DIR> d-------- C:\WINNT\ERUNT
2008-01-09 21:10 . 2008-01-09 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-09 20:13 . 2008-01-09 20:21 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-09 19:57 . 2008-01-09 20:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-09 19:56 . 2008-01-15 07:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-09 19:33 . 2008-01-09 19:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 16:46 . 2008-01-15 07:34 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-07 13:18 . 2008-01-09 14:44 <DIR> d-------- C:\Documents and Settings\RI001SU\Application Data\AntiSpyware
2008-01-07 08:55 . 2008-01-09 20:32 1,846,679 --ahs---- C:\WINNT\system32\aruknmxt.ini
2007-12-22 16:49 . 2007-12-23 12:51 <DIR> d-------- C:\WINNT\SxsCaPendDel
2007-12-22 16:43 . 2007-12-27 20:58 77,824 --a------ C:\WINNT\system32\hkcmd.exe
2007-12-22 16:43 . 2007-12-22 16:43 1,024 --a------ C:\WINNT\system32\drivers\536391BB-0722-44CC-AA1F-5DD835B737EF.cxv
2007-12-22 16:42 . 2007-12-27 10:21 94,208 --a------ C:\WINNT\system32\igfxtray.exe
2007-12-22 16:36 . 2007-12-22 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-20 22:48 . 2008-01-12 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 22:04 . 2007-12-20 22:04 1,024 --a------ C:\WINNT\system32\drivers\25633D73-769E-4692-9C81-77B31F394BCB.cxv
2007-12-20 16:52 . 2007-12-22 16:49 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-20 16:52 . 2007-12-20 16:52 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-20 16:52 . 2007-12-22 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 12:34 --------- d-----w C:\Program Files\Novadigm
2008-01-15 12:34 --------- d-----w C:\Program Files\AT&T Global Network Client
2008-01-10 16:05 --------- d-----w C:\Program Files\Pitney Bowes SmartMailer
2008-01-10 15:39 --------- d-----w C:\Program Files\notes
2008-01-10 01:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-02 14:53 491,520 ----a-w C:\WINNT\system32\enstart.exe
2008-01-02 14:53 491,520 ----a-w C:\WINNT\system32\_enstart.exe
2008-01-02 14:53 31,616 ----a-w C:\WINNT\system32\enstart_.sys
2007-12-11 14:23 --------- d-----w C:\Program Files\Interwise
2007-12-03 16:18 --------- d-----w C:\Program Files\MATCast
2007-11-29 21:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-29 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-27 01:00 59,904 ----a-w C:\WINNT\system32\drivers\mvstdi5x.sys
2007-11-27 01:00 36,922 ----a-w C:\WINNT\system32\entapi.dll
2007-11-27 01:00 117,024 ----a-w C:\WINNT\system32\drivers\naiavf5x.sys
2007-11-20 15:00 --------- d-----w C:\Program Files\Common Files\PitneyBowes Shared
2007-11-14 07:26 450,560 ----a-w C:\WINNT\system32\dllcache\jscript.dll
2007-11-13 17:27 184,897 ----a-w C:\WINNT\system32\atasnt40.dll
2007-11-07 09:26 721,920 ----a-w C:\WINNT\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINNT\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINNT\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ----a-w C:\WINNT\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINNT\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINNT\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_18.14.28.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 22:42:52 241,664 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 12:33:47 241,664 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-14 22:42:52 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 12:33:47 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 22:42:52 241,664 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-15 12:33:47 241,664 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-14 22:42:52 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 12:33:47 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 22:42:52 2,244,608 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-15 12:33:47 2,244,608 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-14 22:42:52 184,320 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 12:33:47 184,320 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-06 23:58:41 151,322 ----a-w C:\WINNT\PBCache\ATTGlobal680\ATTGlobal.exe
- 2008-01-14 17:21:28 62,746 ----a-w C:\WINNT\system32\perfc009.dat
+ 2008-01-14 23:15:24 62,746 ----a-w C:\WINNT\system32\perfc009.dat
- 2008-01-14 17:21:29 401,632 ----a-w C:\WINNT\system32\perfh009.dat
+ 2008-01-14 23:15:24 401,632 ----a-w C:\WINNT\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-12-31 11:51 136512]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINNT\system32\bthprops.cpl]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-11 15:06 1816208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Global Network Client Monitor.lnk - C:\WINNT\Installer\{706CD0EB-D191-4821-A2FA-471CB1C6292A}\NetGM_1B536450052A4C0BA1B8FC31F1D473F7.exe [2007-08-21 09:41:33]
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2007-08-27 10:37:43]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
Push Client.LNK - C:\Program Files\Interwise\Participant\pull.exe [2007-12-11 09:23:44]
RUMBA Lightning.lnk - C:\Program Files\WallData\SYSTEM\BrskStrt.exe [1996-10-28 02:17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 16:30 249856 c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MATCast]
--a------ 2007-11-16 12:23 655360 C:\Program Files\MATCast\MATCast.exe

R0 a320raid;a320raid;C:\WINNT\system32\DRIVERS\a320raid.sys [2004-06-15 12:06]
R1 enstart_;enstart_;C:\WINNT\system32\enstart_.sys [2008-01-02 09:53]
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINNT\system32\DRIVERS\agnwifi.sys [2004-04-29 16:19]
R2 enstart;enstart;C:\WINNT\system32\enstart.exe [2008-01-02 09:53]
R2 radexecd;Radia Notify Daemon;"C:\Program Files\Novadigm\radexecd.exe" [2005-05-04 15:35]
R2 radsched;Radia Scheduler Daemon;"C:\Program Files\Novadigm\radsched.exe" [2004-08-25 12:05]
R2 Radstgms;Radia MSI Redirector;"C:\Program Files\Novadigm\Radstgms.exe" [2006-06-07 09:58]
R3 agnfilt;AGN Filter Interface;C:\WINNT\system32\DRIVERS\agnfilt.sys [2006-05-19 08:46]
R3 RadiaMsi;RadiaMsi;C:\WINNT\system32\DRIVERS\radiamsi.sys [2006-05-15 11:20]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINNT\system32\DRIVERS\avpnnic.sys [2003-04-04 11:48]
S3 COAX;COAX;C:\WINNT\system32\drivers\COAX.sys [1997-12-22 12:43]
S3 GTIPCI21;GTIPCI21;C:\WINNT\system32\DRIVERS\gtipci21.sys [2004-05-03 09:26]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINNT\system32\DRIVERS\ozscr.sys [2002-11-08 13:13]
S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINNT\system32\DRIVERS\pcx500.sys [2004-08-03 22:06]
S3 RMBS;RMBS;C:\WINNT\system32\drivers\RMBS.sys [1998-02-06 16:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 08:00:00 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert .ex
- C:\Program Files\AdwareAlert
"2008-01-10 08:00:00 C:\WINNT\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
"2008-01-10 07:22:27 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-15 12:38:25 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-10 13:02:26 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-15 12:38:25 C:\WINNT\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-10 01:13:53 C:\WINNT\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 07:39:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 7:42:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 12:42:29
ComboFix2.txt 2008-01-14 23:14:57

Ironman
2008-01-15, 13:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:32 AM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\nsl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\enstart.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\notes\ntmulti.exe
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Interwise\Participant\pull.exe
C:\Program Files\WallData\SYSTEM\BrskStrt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\renames.exe
C:\WINNT\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pbwebb.ct.pb.com/pbw/pbweb/ep/usaHome.do
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pb.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O4 - Global Startup: RUMBA Lightning.lnk = C:\Program Files\WallData\SYSTEM\BrskStrt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.pbi.global.pvt
O15 - Trusted Zone: *.pb.com
O15 - Trusted Zone: *.pitneybowes.ca
O15 - Trusted IP range: 161.228.211.79
O16 - DPF: MATCastInstaller - http://www.matcast.net/NewMATCastInstaller.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesshecl1.pb.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187981573285
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\Software\..\Telephony: DomainName = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8959 bytes

Simon V.
2008-01-15, 17:46
Hi :)

Step 1

Open HijackThis, perform a scan and put a check next to the following items (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: MATCastInstaller - http://www.matcast.net/NewMATCastInstaller.cab

Close all programs except HijackThis and click on Fix checked.

Step 2

Be sure that you are set to see hidden files and folders:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labelled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
Remove the checkmark from the checkbox labelled Hide protected operating system files. Answer Yes to the prompt.
Press the Apply button and then the OK button and close My Computer.

Step 3

Navigate to the following file using Windows Explorer and delete it when found:

C:\WINNT\system32\aruknmxt.ini

In your next reply, please let me know how your computer is currently running.

Ironman
2008-01-16, 00:22
I have been running for a few hours without any issues or browsers opening up :bigthumb:

You are a genius!!

I will keep you informed if anything changes.

Thank you VERY much, I truly appreciate the time you put in to helping others you don't even know.

Best regards

Rich

Simon V.
2008-01-16, 07:30
Hi :)

I'm glad to hear your PC is running OK again. You can follow these simple steps to keep your computer clean in the future:

Click Start then Run....

Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


This will uninstall Combofix.

Make your Internet Explorer More Secure

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:

Kerio Personal Firewall (http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/)
Comodo Free Firewall (http://www.personalfirewall.comodo.com/)

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ (http://update.microsoft.com/) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingcomputer.com/tutorials/tutorial43.html

Install Ad-Aware - Download and install Ad-Aware (if you have Ad-Aware SE note that it is outdated, and you should update to Ad-Aware 2007). You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingcomputer.com/tutorials/tutorial48.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutorials/tutorial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place? (http://www.castlecops.com/p35268-So_how_did_I_get_infected_in_the_first_place.html#35268)

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php) - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).
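
The six custom-level settings in the "Make your Internet Explorer More Secure" section above are stored as DWORD values under the Internet zone key (Zones\3) of the Internet Settings registry tree, with the value names Microsoft documents for those keys (KB182569): 1001 Download signed ActiveX controls, 1004 Download unsigned ActiveX controls, 1201 Initialise and script ActiveX controls not marked as safe, 1800 Installation of desktop items, 1804 Launching programs and files in an IFRAME, 1607 Navigate sub-frames across different domains, each holding 0 = Enable, 1 = Prompt, 3 = Disable. The Python script below is an added example, not part of the thread: it parses a regedit export of that key, reports any setting weaker than the post recommends, and emits a REGEDIT4 fragment that would set the flagged values. The sample export is constructed; treating a missing value as a finding is an assumption of this example, since an export may omit values that are still at the zone template default.

```python
import re

# Per-user Internet zone key (zone 3) under Internet Settings.
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
ENABLE, PROMPT, DISABLE = 0, 1, 3
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value name -> (description, level recommended in the post above).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone3(reg_text):
    """Parse a REGEDIT4/regedit export and return {value_name: int} for zone 3 only."""
    values, in_zone3 = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            in_zone3 = key.group(1).lower() == ZONE3_KEY.lower()
            continue
        dw = _DWORD_RE.match(line)
        if in_zone3 and dw:
            values[dw.group(1)] = int(dw.group(2), 16)
    return values


def audit_zone3(values):
    """Return (value_name, description, current, recommended) for every setting
    that is missing (assumption: treated as a finding) or more permissive than
    recommended. Lower numbers are more permissive: Enable < Prompt < Disable."""
    issues = []
    for name, (desc, want) in RECOMMENDED.items():
        have = values.get(name)
        if have is None or have < want:
            issues.append((name, desc, have, want))
    return issues


def render_fix(issues):
    """Emit a REGEDIT4 fragment setting each flagged value to the recommended level."""
    lines = ["REGEDIT4", "", f"[{ZONE3_KEY}]"]
    for name, _desc, _have, want in issues:
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export: two settings left weaker than the post recommends.
SAMPLE_EXPORT = f"""REGEDIT4

[{ZONE3_KEY}]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000001
"1607"=dword:00000001
"""

if __name__ == "__main__":
    issues = audit_zone3(parse_zone3(SAMPLE_EXPORT))
    for name, desc, have, want in issues:
        print(f"{name} {desc}: {NAMES.get(have, 'missing')} -> {NAMES[want]}")
    print(render_fix(issues))
```

To audit a real machine, export the key with regedit (File > Export) and feed the file's text to `parse_zone3`; review the rendered fragment before importing it, and remember that a per-machine policy under HKEY_LOCAL_MACHINE can override these per-user values.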