Thread: Problem with possible spyware

  #1 - Junior Member (Join Date: Dec 2006, Posts: 6)

    Problem with possible spyware

    Hi, I would like some help with the matter below. I believe there is some sort of spyware or malware on my computer. Symptoms are unknown instances of IE running with some 3rd-party web page (takes up 200 MB of RAM), and also there are some possible viruses that were detected using Panda ActiveScan. It seems like the antivirus scanner picked up a lot more stuff than Spybot as well.

    Would appreciate any help and input to clean the computer.

    Attached are the HijackThis and ActiveScan reports.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:42:57 PM, on 12/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
    C:\Program Files\Softex\OmniPass\scureapp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Fujitsu\updnavi\updnavi.exe
    C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    D:\PROGRA~1\MICROS~1\rapimgr.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    D:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
    O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    I will attach the antivirus scan report in the next post.

  #2 - Junior Member (Join Date: Dec 2006, Posts: 6)

    Antivirus report follow up

    As attached. Thanks.

    Incident / Status / Location

    Spyware:Cookie/2o7
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@112.2o7[2].txt
    Spyware:Cookie/Atlas DMT
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@atdmt[2].txt
    Spyware:Cookie/Serving-sys
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@bs.serving-sys[1].txt
    Spyware:Cookie/Doubleclick
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@doubleclick[1].txt
    Spyware:Cookie/Hitbox
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@ehg-dig.hitbox[1].txt
    Spyware:Cookie/FastClick
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@fastclick[2].txt
    Spyware:Cookie/Go
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@go[1].txt
    Spyware:Cookie/Hitbox
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hitbox[1].txt
    Spyware:Cookie/HotLog
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hotlog[2].txt
    Spyware:Cookie/Mysearch
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@mysearch[2].txt
    Spyware:Cookie/Serving-sys
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@serving-sys[2].txt
    Spyware:Cookie/onestat.com
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@stat.onestat[1].txt
    Spyware:Cookie/Tribalfusion
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tribalfusion[1].txt
    Spyware:Cookie/Tucows
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tucows[1].txt
    Spyware:Cookie/Xiti
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xiti[1].txt
    Spyware:Cookie/Xmts
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xmts[1].txt
    Spyware:Cookie/Yadro
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@yadro[1].txt
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\c8.exe.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\ck3.exe.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX05.671\crack.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX06.140\crack.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\shua.exe.exe
    Adware:Adware/Maxifiles
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\54CRD541\wlzip32[1].exe
    Adware:Adware/Yazzle
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\GH67KPEN\mulbin32[1].exe
    Adware:Adware/SuperSpider
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\I9B01KVY\antzom[1].exe
    Adware:Adware/SecurityError
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\UFM3EDYF\l11[1].exe
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Bak
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.bbs
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Dat
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.ime
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.jmp
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.New
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Sys
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Tmp
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.win
    Adware:Adware/DriveCleaner
    Not disinfected
    C:\WINDOWS\Temp\mst1F.tmp
    Adware:Adware/Maxifiles
    Not disinfected
    C:\WINDOWS\Temp\win1B.tmp.exe
    Adware:Adware/Yazzle
    Not disinfected
    C:\WINDOWS\Temp\win20.tmp.exe
    Adware:Adware/SecurityError
    Not disinfected
    C:\WINDOWS\Temp\win23.tmp.exe

  #3 - Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Welcome, cool_ting.

    Why don't we see an antivirus program running on your PC?

    What version of SpyBot Search & Destroy is it you have?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  #4 - Junior Member (Join Date: Dec 2006, Posts: 6)

    Hi Lonny,

    Thanks for the reply,

    I am running Spybot 1.4. As for the antivirus, it used to be "PC-cillin" installed on the computer. However, just recently I noticed it was disabled, together with my firewall; that was when I suspected I may have been infected with spyware or a virus. I couldn't get the antivirus to work again, so I uninstalled it, as it just couldn't scan anymore.

    The same thing happened with my firewall, but after running Spybot it manages to run again. Hence my seeking help on this forum, to see if there is anything else I could do to remove the other spyware stuck in this computer, as evident from the ActiveScan from Panda Software.

    Hope to hear your comments!!

  #5 - Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Download Pocket Killbox to the desktop:
    http://www.downloads.subratam.org/KillBox.exe
    Start Killbox, place a tick next to [x] Delete on reboot, and press the ALL Files button.
    Copy this whole list into the Windows clipboard, all the bolded below.

    C:\Program Files\Internet Explorer\IEXPLORE.Bak
    C:\Program Files\Internet Explorer\IEXPLORE.bbs
    C:\Program Files\Internet Explorer\IEXPLORE.Dat
    C:\Program Files\Internet Explorer\IEXPLORE.ime
    C:\Program Files\Internet Explorer\IEXPLORE.jmp
    C:\Program Files\Internet Explorer\IEXPLORE.New
    C:\Program Files\Internet Explorer\IEXPLORE.Sys
    C:\Program Files\Internet Explorer\IEXPLORE.Tmp
    C:\Program Files\Internet Explorer\IEXPLORE.win
    C:\WINDOWS\Temp\mst1F.tmp
    C:\WINDOWS\Temp\win1B.tmp.exe
    C:\WINDOWS\Temp\win20.tmp.exe
    C:\WINDOWS\Temp\win23.tmp.exe

    Back in Killbox go > File > Paste from clipboard.
    Click the red highlighted X button and say Yes to the prompt to restart the PC.


    Download and run Silentrunners.vbs and post the log it creates, please:
    http://www.silentrunners.org/sr_scriptuse.html (click No to not skip the supplementary searches).
    Wait until there is an All Done message!! Then open and post the log next to it.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  #6 - Junior Member (Join Date: Dec 2006, Posts: 6)

    Done Killbox; here is the Silent Runners log with the supplementary search. Thanks.

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
    "LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
    "H/PC Connection Agent" = ""D:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
    "RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
    "Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
    "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
    "ATSwpNav" = ""C:\Program Files\Fingerprint Sensor\ATSwpNav" -run" ["AuthenTec, Inc."]
    "OmniPass" = "C:\Program Files\Softex\OmniPass\scureapp.exe" [null data]
    "igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
    "igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
    "FJUPDNV_Chitose" = "C:\Program Files\Fujitsu\updnavi\updnavi.exe" ["FUJITSU LIMITED"]
    "LoadFUJ02E3" = "C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe" ["FUJITSU LIMITED"]
    "IndicatorUtility" = "C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" ["FUJITSU LIMITED"]
    "LoadFujitsuQuickTouch" = "C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" ["FUJITSU LIMITED"]
    "LoadBtnHnd" = "C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" ["FUJITSU LIMITED"]
    "IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
    "IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
    "EOUApp" = ""C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
    "HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" ["HP"]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
    "LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
    "LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "*Z*Zī*L*" (unwritable string)
    -> {HKLM...CLSID} = "bho2gr Class"
    \InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
    "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}" = "OmniPass Shell Extension"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    "{D5B1944E-DB4E-482E-B3F1-DB05827F0978}" = "OmniPass ShellNameSpace Extension"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted Folder"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
    "{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
    -> {HKLM...CLSID} = "My Logitech Pictures"
    \InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
    "{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
    -> {HKLM...CLSID} = "Mobile Device"
    \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Wcesview.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{6E44887F-5214-41F2-AB46-4728735C4CC6}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\PLUGINS\system18.sys" [file not found]
    <<!>> "{99F1D023-7CEB-4586-80F7-BB1A98DB7602}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.Sys" [file not found]
    <<!>> "{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.Dat" [file not found]
    <<!>> "{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.win" [file not found]

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "load" = "C:\WINDOWS\rundl132.exe" [empty string]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
    <<!>> OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
    -> {HKLM...CLSID} = "ExplorerMenu Class"
    \InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" ["TODO: <Company name>"]
    OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
    -> {HKLM...CLSID} = "ExplorerMenu Class"
    \InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" ["TODO: <Company name>"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

    "HomePage" = (REG_DWORD) hex:0x00000031
    {User Configuration|Administrative Templates|Windows Components|Internet Explorer|
    Disable changing home page settings}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\FJSaver.scr" ["FUJITSU LIMITED"]


    Startup items in "nicholas.tan" & "All Users" startup folders:
    --------------------------------------------------------------

    C:\Documents and Settings\nicholas.tan\Start Menu\Programs\Startup
    "Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Bluetooth Manager" -> shortcut to: "C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

    {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
    "ButtonText" = "Create Mobile Favorite"
    "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
    -> {HKLM...CLSID} = "Create Mobile Favorite"
    \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

    {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
    "MenuText" = "Create Mobile Favorite..."
    "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
    -> {HKLM...CLSID} = "Create Mobile Favorite"
    \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
    "ButtonText" = "Yahoo! Messenger"
    "MenuText" = "Yahoo! Messenger"
    "Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
    Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
    Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
    O2Micro Flash Memory, O2Flash, "C:\WINDOWS\system32\o2flash.exe" ["O2Micro International"]
    Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" ["Softex Inc."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
    hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    PDFCreator\Driver = "pdfcmnnt.dll" [null data]
    Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 94 seconds.
    ---------- (total run time: 123 seconds)
