Problem with possible spyware
Hi, I would like some help with the below matter. I believe there is some sort of spyware or malware on my computer. Symptoms are unknown instances of IE running with some third-party webpage (takes up 200 MB of RAM), and also there are some possible viruses that were detected using Panda ActiveScan. It seems like the antivirus scanner picked up a lot more stuff than Spybot as well.
Would appreciate any help and input to clean the computer.
Attached are the HijackThis and ActiveScan reports.
Logfile of HijackThis v1.99.1
Scan saved at 6:42:57 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
I will attach the antivirus scan report in the next post.
Antivirus report follow-up
As attached. Thanks.
Incident | Status | Location
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@112.2o7[2].txt
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@atdmt[2].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@doubleclick[1].txt
Spyware:Cookie/Hitbox | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@fastclick[2].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@go[1].txt
Spyware:Cookie/Hitbox | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hitbox[1].txt
Spyware:Cookie/HotLog | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hotlog[2].txt
Spyware:Cookie/Mysearch | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@mysearch[2].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@serving-sys[2].txt
Spyware:Cookie/onestat.com | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@stat.onestat[1].txt
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tribalfusion[1].txt
Spyware:Cookie/Tucows | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tucows[1].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xiti[1].txt
Spyware:Cookie/Xmts | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xmts[1].txt
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@yadro[1].txt
Possible Virus. | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temp\c8.exe.exe
Possible Virus. | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temp\ck3.exe.exe
Possible Virus. | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX05.671\crack.exe
Possible Virus. | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX06.140\crack.exe
Possible Virus. | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temp\shua.exe.exe
Adware:Adware/Maxifiles | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\54CRD541\wlzip32[1].exe
Adware:Adware/Yazzle | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\GH67KPEN\mulbin32[1].exe
Adware:Adware/SuperSpider | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\I9B01KVY\antzom[1].exe
Adware:Adware/SecurityError | Not disinfected | C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\UFM3EDYF\l11[1].exe
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.Bak
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.bbs
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.Dat
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.ime
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.jmp
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.New
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.Sys
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.Tmp
Possible Virus. | Not disinfected | C:\Program Files\Internet Explorer\IEXPLORE.win
Adware:Adware/DriveCleaner | Not disinfected | C:\WINDOWS\Temp\mst1F.tmp
Adware:Adware/Maxifiles | Not disinfected | C:\WINDOWS\Temp\win1B.tmp.exe
Adware:Adware/Yazzle | Not disinfected | C:\WINDOWS\Temp\win20.tmp.exe
Adware:Adware/SecurityError | Not disinfected | C:\WINDOWS\Temp\win23.tmp.exe
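As an added example (not part of this thread, and not tooling from HijackThis or Panda), the script below parses the two report formats posted above and applies the kind of triage heuristics a forum helper works through before replying: HijackThis entries whose referenced file is missing, O16 ActiveX downloads and O20 Winlogon Notify DLLs to confirm against installed software, and scan-report paths with a double `.exe.exe` extension, executables sitting in a temp or browser-cache folder, or `IEXPLORE.*` files with a non-`.exe` extension in the Internet Explorer folder. The sample inputs are constructed by copying a few lines from the logs above; the function names, the flag wording and the heuristics themselves are my own, not anything the tools define.

```python
import re
from collections import Counter

# Constructed sample input: a few lines copied from the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
"""

# Constructed sample input: records in the three-line layout the Panda ActiveScan report has when pasted.
PANDA_SAMPLE = r"""
Incident Status Location
Spyware:Cookie/2o7
Not disinfected
C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@112.2o7[2].txt
Possible Virus.
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temp\c8.exe.exe
Adware:Adware/Yazzle
Not disinfected
C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\GH67KPEN\mulbin32[1].exe
Possible Virus.
Not disinfected
C:\Program Files\Internet Explorer\IEXPLORE.Bak
Adware:Adware/DriveCleaner
Not disinfected
C:\WINDOWS\Temp\mst1F.tmp
"""

# A HijackThis line starts with a section code (O2, O4, R1, ...) followed by " - ".
HJT_LINE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")


def parse_hijackthis(text):
    """Split HijackThis lines into (section, body) pairs; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def parse_panda(text):
    """Group the flattened report into records of incident / status / location."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines and lines[0].startswith("Incident"):
        lines = lines[1:]  # drop the column header row
    if len(lines) % 3:
        raise ValueError("report is not a whole number of three-line records")
    return [{"incident": lines[i], "status": lines[i + 1], "location": lines[i + 2]}
            for i in range(0, len(lines), 3)]


def path_flags(path):
    """Hypothetical path heuristics: observations that decide what a reviewer reads first."""
    flags = []
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    if re.search(r"\.exe\.exe$", name):
        flags.append("double .exe extension")
    if ("\\temp\\" in lower or "\\temporary internet files\\" in lower) and name.endswith(".exe"):
        flags.append("executable in a temp/cache folder")
    if "\\internet explorer\\" in lower and name.startswith("iexplore.") and not name.endswith(".exe"):
        flags.append("IEXPLORE.* with a non-.exe extension in the IE folder")
    return flags


def triage_hijackthis(entries):
    """Return only the entries a reviewer would want to look at, each with the reason."""
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e["body"]:
            reasons.append("registered component whose file is missing")
        if e["section"] == "O16":
            reasons.append("ActiveX download (DPF): confirm the source is the expected vendor")
        if e["section"] == "O20":
            reasons.append("Winlogon Notify DLL loads at logon: confirm it belongs to installed software")
        if reasons:
            findings.append((e["section"], e["body"], reasons))
    return findings


def triage_panda(records):
    """Attach path heuristics to each record; cookies are tracking artefacts, not code."""
    out = []
    for r in records:
        flags = path_flags(r["location"])
        if r["incident"].startswith("Spyware:Cookie"):
            flags.append("tracking cookie (text file, no code)")
        out.append({**r, "flags": flags})
    return out


def category_counts(records):
    """Count incidents by category prefix (text before ':', or the whole label if none)."""
    return Counter(r["incident"].split(":", 1)[0] for r in records)


if __name__ == "__main__":
    for sec, body, why in triage_hijackthis(parse_hijackthis(HJT_SAMPLE)):
        print(sec, "-", body, "=>", "; ".join(why))
    recs = triage_panda(parse_panda(PANDA_SAMPLE))
    for r in recs:
        print(r["incident"], r["location"], "=>", "; ".join(r["flags"]) or "-")
    print(dict(category_counts(recs)))
```

Run it against a full pasted log instead of the samples and the output separates the cookie noise from the handful of records worth a reply: in the thread's report that is the temp-folder executables and the cluster of `IEXPLORE.*` files, which is what the poster's "unknown instances of IE" symptom points at.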