Problem with possible spyware



cool_ting
2006-12-08, 14:10
Hi, I would like some help with the matter below. I believe there is some sort of spyware or malware on my computer. Symptoms are unknown instances of IE running with some 3rd-party web page (taking up 200 MB of RAM), and there are also some possible viruses that were detected using Panda ActiveScan. It seems like the antivirus scanner picked up a lot more stuff than Spybot as well.

Would appreciate any help and input to clean the computer.

Attached are the HijackThis and ActiveScan reports.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:57 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


I will attach the antivirus scan report in the next post.

cool_ting
2006-12-08, 14:13
As attached. Thanks

Incident Status Location

Spyware:Cookie/2o7
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@112.2o7[2].txt
Spyware:Cookie/Atlas DMT
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@atdmt[2].txt
Spyware:Cookie/Serving-sys
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@doubleclick[1].txt
Spyware:Cookie/Hitbox
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@fastclick[2].txt
Spyware:Cookie/Go
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@go[1].txt
Spyware:Cookie/Hitbox
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hitbox[1].txt
Spyware:Cookie/HotLog
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hotlog[2].txt
Spyware:Cookie/Mysearch
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@mysearch[2].txt
Spyware:Cookie/Serving-sys
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@serving-sys[2].txt
Spyware:Cookie/onestat.com
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@stat.onestat[1].txt
Spyware:Cookie/Tribalfusion
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tribalfusion[1].txt
Spyware:Cookie/Tucows
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tucows[1].txt
Spyware:Cookie/Xiti
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xiti[1].txt
Spyware:Cookie/Xmts
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xmts[1].txt
Spyware:Cookie/Yadro
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@yadro[1].txt
Possible Virus.
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temp\c8.exe.exe
Possible Virus.
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temp\ck3.exe.exe
Possible Virus.
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX05.671\crack.exe
Possible Virus.
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX06.140\crack.exe
Possible Virus.
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temp\shua.exe.exe
Adware:Adware/Maxifiles
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\54CRD541\wlzip32[1].exe
Adware:Adware/Yazzle
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\GH67KPEN\mulbin32[1].exe
Adware:Adware/SuperSpider
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\I9B01KVY\antzom[1].exe
Adware:Adware/SecurityError
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\UFM3EDYF\l11[1].exe
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.Bak
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.bbs
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.Dat
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.ime
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.jmp
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.New
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.Sys
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.Tmp
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.win
Adware:Adware/DriveCleaner
Not disinfected
C:\WINDOWS\Temp\mst1F.tmp
Adware:Adware/Maxifiles
Not disinfected
C:\WINDOWS\Temp\win1B.tmp.exe
Adware:Adware/Yazzle
Not disinfected
C:\WINDOWS\Temp\win20.tmp.exe
Adware:Adware/SecurityError
Not disinfected
C:\WINDOWS\Temp\win23.tmp.exe

LonnyRJones
2006-12-11, 13:01
Welcome cool_ting

Why don't we see an antivirus program running on your PC?

What version of Spybot Search & Destroy do you have?

cool_ting
2006-12-13, 19:06
Hi Lonny,

Thanks for the reply,

I am running Spybot 1.4. As for the antivirus, it used to be "PC Cillin" installed on the computer. However, just recently I noticed it was disabled, together with my firewall; that was when I suspected I may have been infected with spyware or a virus. I couldn't get the antivirus to work again, so I uninstalled it, as it just couldn't scan anymore.

The same thing happened with my firewall, but after running Spybot it manages to run again. That is why I am seeking help on this forum, to see if there is anything else I could do to remove the other spyware stuck in this computer, as evident from the ActiveScan from Panda Software.

Hope to hear your comments!!

LonnyRJones
2006-12-13, 23:30
Download Pocket Killbox to the desktop:
http://www.downloads.subratam.org/KillBox.exe
Start Killbox, place a tick next to [x] Delete on reboot, and press the ALL Files button.
Copy this whole list into the Windows clipboard (all the bolded lines below).

C:\Program Files\Internet Explorer\IEXPLORE.Bak
C:\Program Files\Internet Explorer\IEXPLORE.bbs
C:\Program Files\Internet Explorer\IEXPLORE.Dat
C:\Program Files\Internet Explorer\IEXPLORE.ime
C:\Program Files\Internet Explorer\IEXPLORE.jmp
C:\Program Files\Internet Explorer\IEXPLORE.New
C:\Program Files\Internet Explorer\IEXPLORE.Sys
C:\Program Files\Internet Explorer\IEXPLORE.Tmp
C:\Program Files\Internet Explorer\IEXPLORE.win
C:\WINDOWS\Temp\mst1F.tmp
C:\WINDOWS\Temp\win1B.tmp.exe
C:\WINDOWS\Temp\win20.tmp.exe
C:\WINDOWS\Temp\win23.tmp.exe

Back in Killbox, go to File > Paste from clipboard.
Click the red highlighted X button and say Yes to the prompt to restart the PC.


Download and run Silent Runners.vbs and post the log it creates, please:
http://www.silentrunners.org/sr_scriptuse.html (click No so as not to skip the supplementary searches).
Wait until there is an "All Done" message, then open and post the log created next to it.

cool_ting
2006-12-14, 05:39
Done with Killbox; here is the Silent Runners log with the supplementary search. Thanks

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
"H/PC Connection Agent" = ""D:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"ATSwpNav" = ""C:\Program Files\Fingerprint Sensor\ATSwpNav" -run" ["AuthenTec, Inc."]
"OmniPass" = "C:\Program Files\Softex\OmniPass\scureapp.exe" [null data]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"FJUPDNV_Chitose" = "C:\Program Files\Fujitsu\updnavi\updnavi.exe" ["FUJITSU LIMITED"]
"LoadFUJ02E3" = "C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe" ["FUJITSU LIMITED"]
"IndicatorUtility" = "C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" ["FUJITSU LIMITED"]
"LoadFujitsuQuickTouch" = "C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" ["FUJITSU LIMITED"]
"LoadBtnHnd" = "C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" ["FUJITSU LIMITED"]
"IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = ""C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" ["HP"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "*Z*Zī*L*" (unwritable string)
-> {HKLM...CLSID} = "bho2gr Class"
\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{D0CE97A0-415B-42E9-B251-34393AF2D5F6}" = "OmniPass Shell Extension"
-> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
"{D5B1944E-DB4E-482E-B3F1-DB05827F0978}" = "OmniPass ShellNameSpace Extension"
-> {HKLM...CLSID} = "Softex OmniPass Encrypted Folder"
\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Wcesview.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{6E44887F-5214-41F2-AB46-4728735C4CC6}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\PLUGINS\system18.sys" [file not found]
<<!>> "{99F1D023-7CEB-4586-80F7-BB1A98DB7602}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.Sys" [file not found]
<<!>> "{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.Dat" [file not found]
<<!>> "{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.win" [file not found]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "load" = "C:\WINDOWS\rundl132.exe" [empty string]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
-> {HKLM...CLSID} = "ExplorerMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" ["TODO: <Company name>"]
OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}"
-> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}"
-> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
-> {HKLM...CLSID} = "ExplorerMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" ["TODO: <Company name>"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"HomePage" = (REG_DWORD) hex:0x00000031
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing home page settings}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\FJSaver.scr" ["FUJITSU LIMITED"]


Startup items in "nicholas.tan" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\nicholas.tan\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Bluetooth Manager" -> shortcut to: "C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
O2Micro Flash Memory, O2Flash, "C:\WINDOWS\system32\o2flash.exe" ["O2Micro International"]
Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" ["Softex Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 94 seconds.
---------- (total run time: 123 seconds)

LonnyRJones
2006-12-14, 13:14
Thanks

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


Windows Registry Editor Version 5.00
;
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=-
"load"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6E44887F-5214-41F2-AB46-4728735C4CC6}"=-
"{99F1D023-7CEB-4586-80F7-BB1A98DB7602}"=-
"{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}"=-
"{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}"=-
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.

Install your antivirus and firewall programs again, update and do a full system scan.
If you're interested, there are several free programs mentioned here:
http://forums.spybot.info/showthread.php?t=279
Only install one antivirus and one firewall.


Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.
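A defender-side helper that applies the same logic as the fixme.reg above: it parses a reg-export style dump (the format ComboFix and Silent Runners print), flags ShellExecuteHooks CLSIDs that are not the Windows default shell32 URL Exec Hook, checks the Winlogon "load" value, and emits a .reg with the same `=-` delete syntax. This is an added example, not code from the thread; the sample dump and its "load" path are constructed, and the one-entry allowlist is an assumption.

```python
import re

# Windows XP ships one ShellExecuteHooks entry, the shell32 URL Exec Hook.
# Anything else under that key is worth a second look (allowlist is an assumption).
ALLOWED_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

# Proper-case key paths for the fix file (dumps print them lowercased).
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample in the style ComboFix / Silent Runners print; the "load" path is made up.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6E44887F-5214-41F2-AB46-4728735C4CC6}"=""
"{99F1D023-7CEB-4586-80F7-BB1A98DB7602}"=""
"{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}"=""
"{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}"=""

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"="C:\\constructed\\example.exe"
"""

def parse_reg_dump(text):
    """Return {key_path (lowercased): {value_name: raw_value_text}} from reg-export style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys

def find_suspect_hooks(keys):
    """CLSIDs registered as ShellExecuteHooks that are not on the allowlist."""
    hooks = keys.get(HOOKS_KEY.lower(), {})
    return sorted(c for c in hooks if c.upper() not in ALLOWED_HOOKS)

def find_load_value(keys):
    """Non-empty Winlogon 'load' value (a classic per-user autostart), else None."""
    raw = keys.get(LOAD_KEY.lower(), {}).get("load")
    return None if raw in (None, '""') else raw.strip('"')

def build_fix_reg(keys):
    """Emit a fixme.reg: '=-' deletes a value; 'load' is then recreated empty."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if find_load_value(keys) is not None:
        lines += ["[" + LOAD_KEY + "]", '"load"=-', '"load"=""', ""]
    suspects = find_suspect_hooks(keys)
    if suspects:
        lines += ["[" + HOOKS_KEY + "]"] + ['"%s"=-' % c for c in suspects]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_fix_reg(parse_reg_dump(SAMPLE_DUMP)), end="")
```

Run it on a real dump only after confirming each flagged CLSID in a registry browser; the allowlist knows just the one default entry, so legitimate third-party hooks would be flagged too.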

cool_ting
2006-12-17, 02:26
Hi Lonny, both done: fixme.reg as well as ComboFix, and I also installed the Avast scanner.

Thanks.

Any further actions to take?

nicholas.tan - 06-12-17 9:19:10.45 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\nicholas.tan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Ipwins


((((((((((((((((((((((((((((((( Files Created from 2006-11-17 to 2006-12-17 ))))))))))))))))))))))))))))))))))


2006-12-16 18:19 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-12-16 18:19 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-12-16 18:19 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-12-16 18:19 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-12-16 18:19 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-12-16 18:19 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-12-16 18:19 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-12-16 18:19 <DIR> d-------- C:\Program Files\Alwil Software
2006-12-14 11:45 <DIR> d-------- C:\!KillBox
2006-12-12 06:05 51,200 --a------ C:\WINDOWS\Dll.dll
2006-12-12 06:05 43,504 --a------ C:\WINDOWS\rundl132.exe
2006-12-12 06:05 43,504 --a------ C:\WINDOWS\Logo1_.exe
2006-12-09 11:22 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-09 11:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-09 11:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-09 11:22 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-09 11:22 4,094 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-09 11:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-09 11:22 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-09 03:22 <DIR> dr-h----- C:\Documents and Settings\nicholas.tan\Recent
2006-12-06 18:16 <DIR> d-------- C:\hijackthis
2006-12-04 08:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-04 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-03 22:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-03 21:53 <DIR> d-------- C:\Program Files\ESET
2006-11-30 07:00 78,848 --a------ C:\WINDOWS\system32\MSBIND.DLL
2006-11-30 07:00 <DIR> d-------- C:\Program Files\Common Files\ADO
2006-11-30 06:59 <DIR> d-------- C:\Program Files\GiftBox
2006-11-30 06:57 <DIR> d-------- C:\Program Files\Paragon Software
2006-11-25 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2006-11-25 09:34 <DIR> d-------- C:\Program Files\Trend Micro
2006-11-22 21:49 <DIR> d-------- C:\Program Files\Microsoft
2006-11-18 10:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-18 10:47 <DIR> d-------- C:\f0ed85f02cc510fe33


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-16 17:41 -------- d-------- C:\Program Files\Outlook Express
2006-12-16 17:41 -------- d-------- C:\Program Files\Common Files\System
2006-12-14 12:52 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\Skype
2006-12-14 11:47 -------- d-------- C:\Program Files\Internet Explorer
2006-12-14 01:53 10 --ahs---- C:\Program Files\_desktop.ini
2006-12-07 14:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-07 03:22 -------- d-------- C:\Program Files\MSN Messenger
2006-12-07 03:21 -------- d-------- C:\Program Files\Messenger
2006-12-07 03:20 -------- d-------- C:\Program Files\GetRight
2006-12-07 03:20 -------- d-------- C:\Program Files\Fingerprint Sensor
2006-12-06 18:23 -------- d-------- C:\Program Files\WinRAR
2006-12-06 18:21 -------- d-------- C:\Program Files\Morpheus
2006-12-03 19:55 -------- d-------- C:\Program Files\Common Files
2006-12-02 01:08 -------- d---s---- C:\Documents and Settings\nicholas.tan\Application Data\Microsoft
2006-11-30 09:40 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\U3
2006-11-30 06:57 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-27 21:22 -------- d-------- C:\Program Files\MorpheusBar
2006-11-27 10:41 -------- d-------- C:\Program Files\WakeupTweak
2006-11-23 14:00 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\AdobeUM
2006-11-22 20:59 -------- d--h----- C:\Program Files\Uninstall Information
2006-11-22 20:59 -------- d-------- C:\Program Files\Yahoo!
2006-11-22 20:59 -------- d-------- C:\Program Files\xerox
2006-11-22 20:59 -------- d-------- C:\Program Files\Windows Media Player
2006-11-22 20:59 -------- d-------- C:\Program Files\Warranty
2006-11-22 20:59 -------- d-------- C:\Program Files\Volo View Express
2006-11-22 20:59 -------- d-------- C:\Program Files\Toshiba
2006-11-22 20:59 -------- d-------- C:\Program Files\Synaptics
2006-11-22 20:59 -------- d-------- C:\Program Files\Softex
2006-11-22 20:59 -------- d-------- C:\Program Files\Skype
2006-11-22 20:59 -------- d-------- C:\Program Files\Realtek
2006-11-22 20:59 -------- d-------- C:\Program Files\QuickTime
2006-11-22 20:59 -------- d-------- C:\Program Files\PenPower
2006-11-22 20:59 -------- d-------- C:\Program Files\PDFCreator
2006-11-22 20:59 -------- d-------- C:\Program Files\Online Services
2006-11-22 20:59 -------- d-------- C:\Program Files\O2Micro
2006-11-22 20:59 -------- d-------- C:\Program Files\MSN
2006-11-22 20:58 -------- d-------- C:\Program Files\ltmoh
2006-11-22 20:58 -------- d-------- C:\Program Files\Logitech
2006-11-22 20:58 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-11-22 20:58 -------- d-------- C:\Program Files\Java
2006-11-22 20:58 -------- d-------- C:\Program Files\IrfanView
2006-11-22 20:58 -------- d-------- C:\Program Files\Intel
2006-11-22 20:58 -------- d-------- C:\Program Files\HP
2006-11-22 20:58 -------- d-------- C:\Program Files\Hewlett-Packard
2006-11-22 20:58 -------- d-------- C:\Program Files\Fujitsu
2006-11-22 20:58 -------- d-------- C:\Program Files\CyberLink
2006-11-22 20:58 -------- d-------- C:\Program Files\Chipset.log
2006-11-22 20:58 -------- d-------- C:\Program Files\AVI MPEG RM WMV Splitter
2006-11-22 20:58 -------- d-------- C:\Program Files\AuthenTec
2006-11-22 20:58 -------- d-------- C:\Program Files\Ahead
2006-11-22 20:58 -------- d-------- C:\Program Files\Adobe
2006-11-21 15:09 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\Adobe
2006-11-16 12:46 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\VMware
2006-11-10 18:04 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\Apple Computer
2006-11-08 13:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 13:45 2508 --a------ C:\Documents and Settings\nicholas.tan\Application Data\$_hpcst$.hpc
2006-11-07 13:43 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-06 00:04 -------- d-------- C:\Program Files\Common Files\FotoWire
2006-11-06 00:04 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\FotoWire
2006-11-06 00:02 -------- d-------- C:\Program Files\Common Files\Logitech
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-02 16:45 -------- d-------- C:\Program Files\Common Files\Ahead
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 10:07 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-22 11:39 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\GetRightToGo
2006-10-19 21:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 20:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 20:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 20:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-26 22:23 14 --a------ C:\WINDOWS\system32\systeminfo.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"H/PC Connection Agent"="\"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"ATSwpNav"="\"C:\\Program Files\\Fingerprint Sensor\\ATSwpNav\" -run"
"OmniPass"="C:\\Program Files\\Softex\\OmniPass\\scureapp.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"FJUPDNV_Chitose"="C:\\Program Files\\Fujitsu\\updnavi\\updnavi.exe"
"LoadFUJ02E3"="C:\\Program Files\\Fujitsu\\FUJ02E3\\FUJ02E3.exe"
"IndicatorUtility"="C:\\Program Files\\Fujitsu\\Fujitsu Hotkey Utility\\IndicatorUty.exe"
"LoadFujitsuQuickTouch"="C:\\Program Files\\Fujitsu\\Application Panel\\QuickTouch.exe"
"LoadBtnHnd"="C:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"EOUApp"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-17 9:20:07.39
C:\ComboFix.txt ... 06-12-17 09:20

LonnyRJones
2006-12-18, 07:22
C:\WINDOWS\rundl132.exe < delete that file at only that location
Submit these here please
C:\WINDOWS\Dll.dll
C:\WINDOWS\Logo1_.exe
http://www.virustotal.com/flash/index_en.html
Let us know the results

Hows that PC running ?

cool_ting
2006-12-19, 10:57
Hi Lonny,

These are the results. The other file, dll.dll, got caught by Avast and was deleted. The system felt fine after the last report, but suddenly went cold yesterday. I was forced to restore back to the night of the 17th, although I remember that I did not do any further cleaning on the 17th, as the last was done on the 16th. Do you think this would have any effect? Or is there something I should run to check again?

If it is too much trouble, I am also thinking that a reformat may be a better solution. Please let me know your comments.

Thanks

Antivirus           Version         Update      Result
AntiVir             7.3.0.19        12.19.2006  TR/Crypt.NSPM.Gen
Authentium          4.93.8          12.15.2006  Possibly a new variant of W32/PWStealer.gen1
Avast               4.7.892.0       12.16.2006  no virus found
AVG                 386             12.18.2006  Worm/Delf.ZU
BitDefender         7.2             12.19.2006  Win32.Worm.Viking.BM
CAT-QuickHeal       8.00            12.18.2006  (Suspicious) - DNAScan
ClamAV              devel-20060426  12.19.2006  no virus found
DrWeb               4.33            12.19.2006  Win32.HLLW.Gavir.54
eSafe               7.0.14.0        12.17.2006  suspicious Trojan/Worm
eTrust-InoculateIT  23.73.89        12.19.2006  Win32/Looked.CG!Dropped!Worm
eTrust-Vet          30.3.3259       12.18.2006  Win32/Looked.CO
Ewido               4.0             12.19.2006  Worm.Viking.ct
Fortinet            2.82.0.0        12.19.2006  W32/Viking.CT
F-Prot              3.16f           12.15.2006  Possibly a new variant of W32/PWStealer.gen1
F-Prot4             4.2.1.29        12.19.2006  W32/PWStealer.gen1
Ikarus              T3.1.0.27       12.19.2006  Worm.Win32.Viking.ct
Kaspersky           4.0.2.24        12.19.2006  Worm.Win32.Viking.ct
McAfee              4921            12.18.2006  W32/HLLP.Philis.cl
Microsoft           1.1904          12.19.2006  no virus found
NOD32v2             1927            12.19.2006  Win32/Viking.CH
Norman              5.80.02         12.18.2006  W32/Viking.DQ
Panda               9.0.0.4         12.19.2006  W32/Viking.DN.drp
Prevx1              V2              12.19.2006  Worm.Looked
Sophos              4.12.0          12.18.2006  Mal/Packer
Sunbelt             2.2.907.0       12.18.2006  no virus found
TheHacker           6.0.3.134       12.18.2006  W32/Viking.ct
UNA                 1.83            12.18.2006  Worm.Win32.Viking.ct
VBA32               3.11.1          12.18.2006  MalwareScope.Worm.Viking.5

LonnyRJones
2006-12-19, 15:50
Ok, delete C:\WINDOWS\Logo1_.exe

Since you used System Restore and went back a few days, probably to an infected restore point, you can either repeat all we have done so far in this thread or use System Restore to go back to before the trouble started.

Let me know what you decide to do.

tashi
2006-12-27, 18:33
Due to lack of feedback this topic has been archived.

Good luck. :)