Warning: possible spyware or adware...

murfc
2008-01-17, 01:21
In my internet browser, I am receiving the following message:

Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware...

I have run the Search and Destroy application, as well as HJT. I have attached the logs. What should I do next? Any help would be greatly appreciated!!


Search and Destroy Log Results
--- Search result list ---
Smitfraud-C.: [SBI $99A9870C] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp

Smitfraud-C.: [SBI $99A9870C] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5085333B-FD15-4754-A571-852F7077C5F2}

Smitfraud-C.: [SBI $99A9870C] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5085333B-FD15-4754-A571-852F7077C5F2}

Microsoft.Windows.Security.InternetExplorer: [SBI $366713D4] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Microsoft.Windows.disableSystemRestore: [SBI $3CB484DC] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

Smitfraud-C.MSVPS: [SBI $6FE8300C] Text file (File, nothing done)
C:\WINDOWS\dat.txt

Zlob.Downloader.rid: [SBI $DDFE0B74] Library (File, nothing done)
C:\WINDOWS\bklgvsf.dll

Zlob.Downloader.rid: [SBI $17B92474] Library (File, nothing done)
C:\WINDOWS\ensfolr.dll

Zlob.Downloader.vcd: [SBI $D8DF6192] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin

Zlob.Downloader.vcd: [SBI $3A7819FB] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo

Hijack This Log:

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Kontiki\khost.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\AAP\ACQ\EY.AAP.Acquisition.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Connected\CBSysTray.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DECLYNC1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ey-home.ey.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iweb.ey.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iweb.ey.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ernst & Young
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internet:80;http=internet:80;https=internet:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iweb.ey.com;169.254.*.*;*.eylink.com;*.ey.net;*.quickplace.ey.com;199.49.190.*;198.134.44.*;*.ltdcenter.ey.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {5085333B-FD15-4754-A571-852F7077C5F2} - C:\WINDOWS\dxpvqlmqng.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O3 - Toolbar: The ensfolr - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [CyberArmorHelper] C:\PROGRA~1\CYBERA~1\pcshelp.exe -check
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [Kontiki] "C:\Program Files\Kontiki\khost.exe" -i -p ey-ey
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [AAPAcqService] C:\Program Files\AAP\ACQ\EY.AAP.Acquisition.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\khost.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Groove Virtual Office.lnk = C:\Program Files\Groove Networks\Groove\Bin\Groove.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.iweb.ey.com
O15 - Trusted Zone: http://*.ey.com
O15 - Trusted Zone: http://*.ey.net
O15 - Trusted Zone: http://*.eyleads.com
O15 - Trusted Zone: http://*.eylink.com
O15 - Trusted Zone: http://*.eyqa.net
O15 - Trusted Zone: http://*.eyua.net
O15 - Trusted Zone: http://ey.fincad.com
O15 - Trusted Zone: http://*.intellinex-asp.com
O15 - Trusted Zone: http://*.intellinex.com
O15 - Trusted Zone: http://web.lexis.com
O15 - Trusted Zone: http://intellinex.raindance.com
O15 - Trusted Zone: http://*.smarttrainer4.com
O15 - Trusted Zone: http://*.surveymonkey.com
O15 - Trusted Zone: http://*.thomsonib.com
O15 - Trusted Zone: http://cserver.xtremelearning.com
O15 - Trusted Zone: http://*.iweb.ey.com (HKLM)
O15 - Trusted Zone: http://*.ltdcenter.ey.com (HKLM)
O15 - Trusted Zone: http://*.ey.com (HKLM)
O15 - Trusted Zone: http://*.us.na.ey.net (HKLM)
O15 - Trusted Zone: http://*.ey.net (HKLM)
O15 - Trusted Zone: http://*.eyleads.com (HKLM)
O15 - Trusted Zone: http://*.eylink.com (HKLM)
O15 - Trusted Zone: http://*.eyqa.net (HKLM)
O15 - Trusted Zone: http://*.eyua.net (HKLM)
O15 - Trusted Zone: http://ey.fincad.com (HKLM)
O15 - Trusted Zone: http://*.intellinex-asp.com (HKLM)
O15 - Trusted Zone: http://*.intellinex.com (HKLM)
O15 - Trusted Zone: http://web.lexis.com (HKLM)
O15 - Trusted Zone: http://intellinex.raindance.com (HKLM)
O15 - Trusted Zone: http://*.smarttrainer4.com (HKLM)
O15 - Trusted Zone: http://*.surveymonkey.com (HKLM)
O15 - Trusted Zone: http://*.thomsonib.com (HKLM)
O15 - Trusted Zone: http://cserver.xtremelearning.com (HKLM)
O15 - Trusted IP range: http://199.51.65.79
O15 - Trusted IP range: http://199.51.65.79 (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.process.com/spycatcher/SpywareScanner.ocx
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail302.ey.net/iNotes6W.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {51B217FA-AA53-11D1-8295-006097970389} (NotesUserCtrl Class) - http://home.iweb.ey.com/kweb6/cab/notesuser.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = de.eurw.ey.net
O17 - HKLM\Software\..\Telephony: DomainName = de.eurw.ey.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = de.eurw.ey.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = de.eurw.ey.net,eurw.ey.net,ey.net,ey.com,eylink.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = de.eurw.ey.net,eurw.ey.net,ey.net,ey.com,eylink.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: SMS Agent Host (CcmExec) - Unknown owner - C:\WINDOWS\system32\CCM\CcmExec.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Network API Server (NetAPISrvr) - Unknown owner - C:\Program Files\EY AWS\bin\NetAPISrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINDOWS\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\PSTARTSR.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
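
As an added example, not part of this thread and not code from Spybot S&D or HijackThis, the following Python script shows how a helper can triage the two logs posted above together: it pairs each Spybot detection header with the registry key or file on the following line, parses the HijackThis O2/O3/O4/O20 autostart entries, and reports (a) autostart entries whose CLSID or module path Spybot already tied to Smitfraud/Zlob, (b) the security-feature changes Spybot reported (Security Center service start type, the DisableSR policy), and (c) a heuristic of my own, a BHO or toolbar DLL living directly in C:\WINDOWS rather than a program folder. The embedded sample lines are copied from the logs above; the rule names, the `TAMPER_FAMILIES` table and the Windows-root heuristic are assumptions made for this example.

```python
"""Cross-reference a Spybot S&D result list with a HijackThis log.

Added example for the thread above; it is not Spybot's or HijackThis's own code.
The two sample logs are excerpts of the logs posted in the thread.
"""
import re
from typing import Dict, List

SPYBOT_LOG = r"""
Smitfraud-C.: [SBI $99A9870C] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5085333B-FD15-4754-A571-852F7077C5F2}

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Microsoft.Windows.disableSystemRestore: [SBI $3CB484DC] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

Zlob.Downloader.rid: [SBI $17B92474] Library (File, nothing done)
C:\WINDOWS\ensfolr.dll
"""

HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {5085333B-FD15-4754-A571-852F7077C5F2} - C:\WINDOWS\dxpvqlmqng.dll
O3 - Toolbar: The ensfolr - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O20 - AppInit_DLLs: cahooknt.dll
"""

# Spybot header: "<family>: [SBI $<id>] <what> (<kind>, nothing done)"; the key/file follows on the next line.
SBI_RE = re.compile(r"^(?P<family>[^:]+): \[SBI \$[0-9A-F]+\] (?P<what>.+?) \((?P<kind>[^,]+), nothing done\)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
HJT_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.*)$")
# Heuristic (assumption): a BHO/toolbar DLL directly under the Windows directory is unusual for legitimate software.
WINROOT_MODULE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.I)

# Spybot families that describe tampering with Windows security features rather than malware files (assumed mapping).
TAMPER_FAMILIES = {
    "Microsoft.WindowsSecurityCenter_disabled": "Security Center service (wscsvc) start type changed",
    "Microsoft.Windows.disableSystemRestore": "System Restore disabled by policy (DisableSR)",
}


def parse_spybot(text: str) -> List[Dict[str, str]]:
    """Return one dict per detection, pairing the header fields with the target key/file on the next line."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    hits = []
    for i, line in enumerate(lines):
        m = SBI_RE.match(line)
        if m and i + 1 < len(lines) and lines[i + 1].strip():
            hits.append({**m.groupdict(), "target": lines[i + 1].strip()})
    return hits


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one dict per HijackThis line with its section, CLSID (if any) and module path."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        clsid = CLSID_RE.search(rest)
        # O2/O3 lines end with " - <module path>"; for other sections keep the whole remainder.
        module = rest.rsplit(" - ", 1)[-1] if m.group("section") in ("O2", "O3") else rest
        entries.append({"section": m.group("section"), "line": line,
                        "clsid": clsid.group(0).upper() if clsid else "", "module": module.strip()})
    return entries


def triage(spybot_text: str, hjt_text: str) -> List[Dict[str, str]]:
    """Correlate the scanner's findings with the autostart entries and return the findings a helper should act on."""
    spy = parse_spybot(spybot_text)
    flagged_clsids = set()
    for h in spy:
        c = CLSID_RE.search(h["target"])
        if c:
            flagged_clsids.add(c.group(0).upper())
    flagged_files = {h["target"].lower() for h in spy if h["kind"] == "File"}

    findings = []
    for h in spy:
        if h["family"] in TAMPER_FAMILIES:
            findings.append({"rule": "security-feature-tampering",
                             "detail": f"{TAMPER_FAMILIES[h['family']]}: {h['target']}"})
    for e in parse_hjt(hjt_text):
        if e["clsid"] and e["clsid"] in flagged_clsids:
            findings.append({"rule": "scanner-flagged-clsid-autoloaded", "detail": e["line"]})
        elif e["module"].lower() in flagged_files:
            findings.append({"rule": "scanner-flagged-file-autoloaded", "detail": e["line"]})
        elif e["section"] in ("O2", "O3") and WINROOT_MODULE_RE.match(e["module"]):
            findings.append({"rule": "bho-or-toolbar-dll-in-windows-root", "detail": e["line"]})
    return findings


if __name__ == "__main__":
    for f in triage(SPYBOT_LOG, HJT_LOG):
        print(f"[{f['rule']}] {f['detail']}")
```

On the sample excerpt the script reports four items: the two security-feature changes, the "BDEX System" BHO (its CLSID is the one Spybot flagged as Smitfraud-C) and the "The ensfolr" toolbar (its DLL is the file Spybot flagged as Zlob.Downloader.rid); the Adobe BHO is left alone. The Windows-root heuristic only fires when neither stronger rule already matched, so it catches DLLs the scanner has no signature for.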

Shaba
2008-01-18, 11:08
Hi murfc and welcome to Safer Networking Forums :)

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Shaba
2008-01-23, 10:29
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.