
Thread: Problem with possible spyware

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    6

    Problem with possible spyware

    Hi, I would like some help with the below matter. I believe there is some sort of spyware or malware on my computer. Symptoms are unknown instances of IE running with some 3rd-party web page (taking up 200 MB of RAM), and also there are some possible viruses that were detected using Panda ActiveScan. It seems like the antivirus scanner picked up a lot more stuff than Spybot as well.

    Would appreciate any help and input to clean the computer.

    Attached are the HijackThis and ActiveScan reports.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:42:57 PM, on 12/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
    C:\Program Files\Softex\OmniPass\scureapp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Fujitsu\updnavi\updnavi.exe
    C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    D:\PROGRA~1\MICROS~1\rapimgr.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    D:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
    O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
    O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    I will attach the antivirus scan report in the next post.

  2. #2
    Junior Member
    Join Date
    Dec 2006
    Posts
    6

    Antivirus report follow up

    As attached. Thanks

    Incident Status Location

    Spyware:Cookie/2o7
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@112.2o7[2].txt
    Spyware:Cookie/Atlas DMT
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@atdmt[2].txt
    Spyware:Cookie/Serving-sys
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@bs.serving-sys[1].txt
    Spyware:Cookie/Doubleclick
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@doubleclick[1].txt
    Spyware:Cookie/Hitbox
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@ehg-dig.hitbox[1].txt
    Spyware:Cookie/FastClick
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@fastclick[2].txt
    Spyware:Cookie/Go
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@go[1].txt
    Spyware:Cookie/Hitbox
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hitbox[1].txt
    Spyware:Cookie/HotLog
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@hotlog[2].txt
    Spyware:Cookie/Mysearch
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@mysearch[2].txt
    Spyware:Cookie/Serving-sys
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@serving-sys[2].txt
    Spyware:Cookie/onestat.com
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@stat.onestat[1].txt
    Spyware:Cookie/Tribalfusion
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tribalfusion[1].txt
    Spyware:Cookie/Tucows
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@tucows[1].txt
    Spyware:Cookie/Xiti
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xiti[1].txt
    Spyware:Cookie/Xmts
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@xmts[1].txt
    Spyware:Cookie/Yadro
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Cookies\nicholas.tan@yadro[1].txt
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\c8.exe.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\ck3.exe.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX05.671\crack.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\Rar$EX06.140\crack.exe
    Possible Virus.
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temp\shua.exe.exe
    Adware:Adware/Maxifiles
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\54CRD541\wlzip32[1].exe
    Adware:Adware/Yazzle
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\GH67KPEN\mulbin32[1].exe
    Adware:Adware/SuperSpider
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\I9B01KVY\antzom[1].exe
    Adware:Adware/SecurityError
    Not disinfected
    C:\Documents and Settings\nicholas.tan\Local Settings\Temporary Internet Files\Content.IE5\UFM3EDYF\l11[1].exe
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Bak
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.bbs
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Dat
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.ime
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.jmp
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.New
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Sys
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.Tmp
    Possible Virus.
    Not disinfected
    C:\Program Files\Internet Explorer\IEXPLORE.win
    Adware:Adware/DriveCleaner
    Not disinfected
    C:\WINDOWS\Temp\mst1F.tmp
    Adware:Adware/Maxifiles
    Not disinfected
    C:\WINDOWS\Temp\win1B.tmp.exe
    Adware:Adware/Yazzle
    Not disinfected
    C:\WINDOWS\Temp\win20.tmp.exe
    Adware:Adware/SecurityError
    Not disinfected
    C:\WINDOWS\Temp\win23.tmp.exe

  3. #3
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Welcome cool_ting

    Why don't we see an antivirus program running on your PC?

    What version of Spybot Search & Destroy is it you have?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  4. #4
    Junior Member
    Join Date
    Dec 2006
    Posts
    6


    Hi Lonny,

    Thanks for the reply,

    I am running Spybot 1.4. As for the antivirus, it used to be "PC-cillin" installed on the computer. However, just recently I noticed it was disabled, together with my firewall; that was when I suspected I may have been infected with spyware or a virus. I couldn't get the antivirus to work again, so I uninstalled it, as it just couldn't scan anymore.

    The same thing happened with my firewall, but after running Spybot it manages to run again. Hence my seeking help on this forum, to see if there is anything else I could do to remove the other spyware stuck in this computer, as evident from the ActiveScan from Panda Software.

    Hope to hear your comments!!

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Download Pocket Killbox to the desktop
    http://www.downloads.subratam.org/KillBox.exe
    Start Killbox, place a tick next to [x] Delete on reboot, and press the ALL Files button.
    Copy this whole list into the Windows clipboard, all the bolded text below.

    C:\Program Files\Internet Explorer\IEXPLORE.Bak
    C:\Program Files\Internet Explorer\IEXPLORE.bbs
    C:\Program Files\Internet Explorer\IEXPLORE.Dat
    C:\Program Files\Internet Explorer\IEXPLORE.ime
    C:\Program Files\Internet Explorer\IEXPLORE.jmp
    C:\Program Files\Internet Explorer\IEXPLORE.New
    C:\Program Files\Internet Explorer\IEXPLORE.Sys
    C:\Program Files\Internet Explorer\IEXPLORE.Tmp
    C:\Program Files\Internet Explorer\IEXPLORE.win
    C:\WINDOWS\Temp\mst1F.tmp
    C:\WINDOWS\Temp\win1B.tmp.exe
    C:\WINDOWS\Temp\win20.tmp.exe
    C:\WINDOWS\Temp\win23.tmp.exe

    Back in Killbox go > file > paste from clipboard,
    Click the red highlighted X button and say yes to the prompt to restart the pc.


    Download and run Silentrunners.vbs and post the log it creates, please:
    http://www.silentrunners.org/sr_scriptuse.html (click No so as not to skip the supplementary searches).
    Wait until there is an All Done message!! Then open and post the log next to it.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  6. #6
    Junior Member
    Join Date
    Dec 2006
    Posts
    6


    Done Killbox; here is the Silent Runners log with the supplementary search. Thanks

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
    "LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
    "H/PC Connection Agent" = ""D:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
    "RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
    "Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
    "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
    "ATSwpNav" = ""C:\Program Files\Fingerprint Sensor\ATSwpNav" -run" ["AuthenTec, Inc."]
    "OmniPass" = "C:\Program Files\Softex\OmniPass\scureapp.exe" [null data]
    "igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
    "igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
    "FJUPDNV_Chitose" = "C:\Program Files\Fujitsu\updnavi\updnavi.exe" ["FUJITSU LIMITED"]
    "LoadFUJ02E3" = "C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe" ["FUJITSU LIMITED"]
    "IndicatorUtility" = "C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" ["FUJITSU LIMITED"]
    "LoadFujitsuQuickTouch" = "C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" ["FUJITSU LIMITED"]
    "LoadBtnHnd" = "C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" ["FUJITSU LIMITED"]
    "IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
    "IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
    "EOUApp" = ""C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
    "HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" ["HP"]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
    "LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
    "LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "*Z*Zī*L*" (unwritable string)
    -> {HKLM...CLSID} = "bho2gr Class"
    \InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
    "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}" = "OmniPass Shell Extension"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    "{D5B1944E-DB4E-482E-B3F1-DB05827F0978}" = "OmniPass ShellNameSpace Extension"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted Folder"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
    "{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
    -> {HKLM...CLSID} = "My Logitech Pictures"
    \InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
    "{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
    -> {HKLM...CLSID} = "Mobile Device"
    \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Wcesview.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{6E44887F-5214-41F2-AB46-4728735C4CC6}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\PLUGINS\system18.sys" [file not found]
    <<!>> "{99F1D023-7CEB-4586-80F7-BB1A98DB7602}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.Sys" [file not found]
    <<!>> "{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.Dat" [file not found]
    <<!>> "{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Internet Explorer\IEXPLORE.win" [file not found]

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "load" = "C:\WINDOWS\rundl132.exe" [empty string]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
    <<!>> OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
    -> {HKLM...CLSID} = "ExplorerMenu Class"
    \InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" ["TODO: <Company name>"]
    OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}"
    -> {HKLM...CLSID} = "Softex OmniPass Encrypted File"
    \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    MorpheusShellExt\(Default) = "{7DBF2913-1F89-4104-B1F4-932A29945C13}"
    -> {HKLM...CLSID} = "ExplorerMenu Class"
    \InProcServer32\(Default) = "C:\Program Files\Morpheus\MorphShellExt.dll" ["TODO: <Company name>"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

    "HomePage" = (REG_DWORD) hex:0x00000031
    {User Configuration|Administrative Templates|Windows Components|Internet Explorer|
    Disable changing home page settings}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\FJSaver.scr" ["FUJITSU LIMITED"]


    Startup items in "nicholas.tan" & "All Users" startup folders:
    --------------------------------------------------------------

    C:\Documents and Settings\nicholas.tan\Start Menu\Programs\Startup
    "Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Bluetooth Manager" -> shortcut to: "C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

    {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
    "ButtonText" = "Create Mobile Favorite"
    "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
    -> {HKLM...CLSID} = "Create Mobile Favorite"
    \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

    {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
    "MenuText" = "Create Mobile Favorite..."
    "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
    -> {HKLM...CLSID} = "Create Mobile Favorite"
    \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
    "ButtonText" = "Yahoo! Messenger"
    "MenuText" = "Yahoo! Messenger"
    "Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
    Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
    Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
    O2Micro Flash Memory, O2Flash, "C:\WINDOWS\system32\o2flash.exe" ["O2Micro International"]
    Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" ["Softex Inc."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
    hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    PDFCreator\Driver = "pdfcmnnt.dll" [null data]
    Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 94 seconds.
    ---------- (total run time: 123 seconds)

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Thanks

    Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
    Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
    Code:
    Windows Registry Editor Version 5.00
    ;
    ; "load" is the old win.ini load= equivalent: anything named here is started at every logon.
    ; "=-" deletes the value; the next line recreates it empty so it is left in a harmless state.
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "load"=-
    "load"=""
    ;
    ; Each value under ShellExecuteHooks is a CLSID whose DLL Explorer loads on every ShellExecute call.
    ; Only the four unrecognised hooks are deleted; Microsoft's own {AEB6717E-7E19-11d0-97EE-00C04FD91972} is not listed and stays.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{6E44887F-5214-41F2-AB46-4728735C4CC6}"=-
    "{99F1D023-7CEB-4586-80F7-BB1A98DB7602}"=-
    "{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}"=-
    "{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}"=-
    ;
    Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
    Restart your PC.

    Install your antivirus and firewall programs again, update and do a full system scan.
    If you're interested, there are several free programs mentioned here:
    http://forums.spybot.info/showthread.php?t=279
    Only install one antivirus and one firewall.


    Post a combofix log
    1. Download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    If the log is large, you might need to post half in one reply and half in another.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
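The script below is an added example, not part of Lonny's instructions or of any tool named in the thread. It audits the same two launch points the fixme.reg above edits, so the reader can see which hook DLLs were registered before merging the file and confirm nothing re-registered after the reboot. It assumes an elevated Windows PowerShell 3.0 or later on the affected machine, and that the only legitimate ShellExecuteHook is Microsoft's {AEB6717E-7E19-11d0-97EE-00C04FD91972}, the one entry still present in the ComboFix log posted later in the thread; the function names and the backup file location are the example's own.

```powershell
# Added example (not from the thread): audit the ShellExecuteHooks key and the
# per-user Winlogon "load" value, the two launch points fixme.reg cleans.
# Assumes elevated PowerShell 3.0+; allow-list = the hook Microsoft ships in shell32.
$KnownGoodHooks = @('{AEB6717E-7E19-11d0-97EE-00C04FD91972}')
$HookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$LoadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-ShellExecuteHookReport {
    # Every value name under the key is a CLSID; resolve it to the in-proc DLL that
    # Explorer would load, and flag anything that is not on the allow-list.
    if (-not (Test-Path $HookKey)) { return @() }
    $key = Get-Item -Path $HookKey
    foreach ($clsid in $key.GetValueNames()) {
        if ($clsid -eq '') { continue }             # the key's own (Default) value
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll = $null
        if (Test-Path $server) { $dll = (Get-ItemProperty -Path $server).'(default)' }
        $onDisk = $false
        if ($dll) { $onDisk = Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) }
        [pscustomobject]@{
            CLSID   = $clsid
            Dll     = $dll                          # $null = CLSID not registered (orphan hook)
            OnDisk  = $onDisk
            Suspect = ($KnownGoodHooks -notcontains $clsid)
        }
    }
}

function Get-LogonLoadValue {
    # "load" is the win.ini load= equivalent: whatever it names runs at every logon.
    $props = Get-ItemProperty -Path $LoadKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['load']) { return $props.load }
    return $null
}

function Remove-SuspectShellExecuteHooks {
    param([switch]$Force)
    # Export the key first so the change can be reverted by merging the backup .reg.
    $backup = Join-Path $env:USERPROFILE ("ShellExecuteHooks-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' $backup | Out-Null
    foreach ($hook in (Get-ShellExecuteHookReport | Where-Object { $_.Suspect })) {
        # Dry run by default; pass -Force to actually delete the value.
        Remove-ItemProperty -Path $HookKey -Name $hook.CLSID -WhatIf:(-not $Force)
    }
    return $backup
}

Get-ShellExecuteHookReport | Format-Table -AutoSize
"load = '{0}'" -f (Get-LogonLoadValue)
```

Run it once before merging fixme.reg to record what the four unknown CLSIDs resolved to (a hook whose DLL is missing on disk is still worth removing, since the malware can drop the file back later), and once after the reboot; the only row left should be the shell32 hook with Suspect = False, and the load value should be empty.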

  8. #8
    Junior Member
    Join Date
    Dec 2006
    Posts
    6


    Hi Lonny, both done: fixme.reg as well as ComboFix, and also installed the Avast scanner too.

    Thanks.

    Any further actions to take?

    nicholas.tan - 06-12-17 9:19:10.45 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\nicholas.tan\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Ipwins


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-17 to 2006-12-17 ))))))))))))))))))))))))))))))))))


    2006-12-16 18:19 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
    2006-12-16 18:19 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2006-12-16 18:19 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2006-12-16 18:19 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
    2006-12-16 18:19 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2006-12-16 18:19 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2006-12-16 18:19 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2006-12-16 18:19 <DIR> d-------- C:\Program Files\Alwil Software
    2006-12-14 11:45 <DIR> d-------- C:\!KillBox
    2006-12-12 06:05 51,200 --a------ C:\WINDOWS\Dll.dll
    2006-12-12 06:05 43,504 --a------ C:\WINDOWS\rundl132.exe
    2006-12-12 06:05 43,504 --a------ C:\WINDOWS\Logo1_.exe
    2006-12-09 11:22 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2006-12-09 11:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-12-09 11:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2006-12-09 11:22 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-12-09 11:22 4,094 --a------ C:\WINDOWS\system32\tmp.reg
    2006-12-09 11:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-12-09 11:22 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-12-09 03:22 <DIR> dr-h----- C:\Documents and Settings\nicholas.tan\Recent
    2006-12-06 18:16 <DIR> d-------- C:\hijackthis
    2006-12-04 08:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2006-12-04 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-12-03 22:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2006-12-03 21:53 <DIR> d-------- C:\Program Files\ESET
    2006-11-30 07:00 78,848 --a------ C:\WINDOWS\system32\MSBIND.DLL
    2006-11-30 07:00 <DIR> d-------- C:\Program Files\Common Files\ADO
    2006-11-30 06:59 <DIR> d-------- C:\Program Files\GiftBox
    2006-11-30 06:57 <DIR> d-------- C:\Program Files\Paragon Software
    2006-11-25 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2006-11-25 09:34 <DIR> d-------- C:\Program Files\Trend Micro
    2006-11-22 21:49 <DIR> d-------- C:\Program Files\Microsoft
    2006-11-18 10:47 <DIR> d-------- C:\Program Files\MSXML 4.0
    2006-11-18 10:47 <DIR> d-------- C:\f0ed85f02cc510fe33


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-16 17:41 -------- d-------- C:\Program Files\Outlook Express
    2006-12-16 17:41 -------- d-------- C:\Program Files\Common Files\System
    2006-12-14 12:52 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\Skype
    2006-12-14 11:47 -------- d-------- C:\Program Files\Internet Explorer
    2006-12-14 01:53 10 --ahs---- C:\Program Files\_desktop.ini
    2006-12-07 14:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-12-07 03:22 -------- d-------- C:\Program Files\MSN Messenger
    2006-12-07 03:21 -------- d-------- C:\Program Files\Messenger
    2006-12-07 03:20 -------- d-------- C:\Program Files\GetRight
    2006-12-07 03:20 -------- d-------- C:\Program Files\Fingerprint Sensor
    2006-12-06 18:23 -------- d-------- C:\Program Files\WinRAR
    2006-12-06 18:21 -------- d-------- C:\Program Files\Morpheus
    2006-12-03 19:55 -------- d-------- C:\Program Files\Common Files
    2006-12-02 01:08 -------- d---s---- C:\Documents and Settings\nicholas.tan\Application Data\Microsoft
    2006-11-30 09:40 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\U3
    2006-11-30 06:57 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-11-27 21:22 -------- d-------- C:\Program Files\MorpheusBar
    2006-11-27 10:41 -------- d-------- C:\Program Files\WakeupTweak
    2006-11-23 14:00 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\AdobeUM
    2006-11-22 20:59 -------- d--h----- C:\Program Files\Uninstall Information
    2006-11-22 20:59 -------- d-------- C:\Program Files\Yahoo!
    2006-11-22 20:59 -------- d-------- C:\Program Files\xerox
    2006-11-22 20:59 -------- d-------- C:\Program Files\Windows Media Player
    2006-11-22 20:59 -------- d-------- C:\Program Files\Warranty
    2006-11-22 20:59 -------- d-------- C:\Program Files\Volo View Express
    2006-11-22 20:59 -------- d-------- C:\Program Files\Toshiba
    2006-11-22 20:59 -------- d-------- C:\Program Files\Synaptics
    2006-11-22 20:59 -------- d-------- C:\Program Files\Softex
    2006-11-22 20:59 -------- d-------- C:\Program Files\Skype
    2006-11-22 20:59 -------- d-------- C:\Program Files\Realtek
    2006-11-22 20:59 -------- d-------- C:\Program Files\QuickTime
    2006-11-22 20:59 -------- d-------- C:\Program Files\PenPower
    2006-11-22 20:59 -------- d-------- C:\Program Files\PDFCreator
    2006-11-22 20:59 -------- d-------- C:\Program Files\Online Services
    2006-11-22 20:59 -------- d-------- C:\Program Files\O2Micro
    2006-11-22 20:59 -------- d-------- C:\Program Files\MSN
    2006-11-22 20:58 -------- d-------- C:\Program Files\ltmoh
    2006-11-22 20:58 -------- d-------- C:\Program Files\Logitech
    2006-11-22 20:58 -------- d-------- C:\Program Files\K-Lite Codec Pack
    2006-11-22 20:58 -------- d-------- C:\Program Files\Java
    2006-11-22 20:58 -------- d-------- C:\Program Files\IrfanView
    2006-11-22 20:58 -------- d-------- C:\Program Files\Intel
    2006-11-22 20:58 -------- d-------- C:\Program Files\HP
    2006-11-22 20:58 -------- d-------- C:\Program Files\Hewlett-Packard
    2006-11-22 20:58 -------- d-------- C:\Program Files\Fujitsu
    2006-11-22 20:58 -------- d-------- C:\Program Files\CyberLink
    2006-11-22 20:58 -------- d-------- C:\Program Files\Chipset.log
    2006-11-22 20:58 -------- d-------- C:\Program Files\AVI MPEG RM WMV Splitter
    2006-11-22 20:58 -------- d-------- C:\Program Files\AuthenTec
    2006-11-22 20:58 -------- d-------- C:\Program Files\Ahead
    2006-11-22 20:58 -------- d-------- C:\Program Files\Adobe
    2006-11-21 15:09 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\Adobe
    2006-11-16 12:46 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\VMware
    2006-11-10 18:04 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\Apple Computer
    2006-11-08 13:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 13:45 2508 --a------ C:\Documents and Settings\nicholas.tan\Application Data\$_hpcst$.hpc
    2006-11-07 13:43 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-11-06 00:04 -------- d-------- C:\Program Files\Common Files\FotoWire
    2006-11-06 00:04 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\FotoWire
    2006-11-06 00:02 -------- d-------- C:\Program Files\Common Files\Logitech
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-11-02 16:45 -------- d-------- C:\Program Files\Common Files\Ahead
    2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-10-27 10:07 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-10-22 11:39 -------- d-------- C:\Documents and Settings\nicholas.tan\Application Data\GetRightToGo
    2006-10-19 21:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
    2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
    2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-10-13 20:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
    2006-10-13 20:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
    2006-10-13 20:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
    2006-09-26 22:23 14 --a------ C:\WINDOWS\system32\systeminfo.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
    "H/PC Connection Agent"="\"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "RTHDCPL"="RTHDCPL.EXE"
    "Alcmtr"="ALCMTR.EXE"
    "AGRSMMSG"="AGRSMMSG.exe"
    "ATSwpNav"="\"C:\\Program Files\\Fingerprint Sensor\\ATSwpNav\" -run"
    "OmniPass"="C:\\Program Files\\Softex\\OmniPass\\scureapp.exe"
    "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "FJUPDNV_Chitose"="C:\\Program Files\\Fujitsu\\updnavi\\updnavi.exe"
    "LoadFUJ02E3"="C:\\Program Files\\Fujitsu\\FUJ02E3\\FUJ02E3.exe"
    "IndicatorUtility"="C:\\Program Files\\Fujitsu\\Fujitsu Hotkey Utility\\IndicatorUty.exe"
    "LoadFujitsuQuickTouch"="C:\\Program Files\\Fujitsu\\Application Panel\\QuickTouch.exe"
    "LoadBtnHnd"="C:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"
    "IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
    "IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
    "EOUApp"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe\""
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
    "LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
    "LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-12-17 9:20:07.39
    C:\ComboFix.txt ... 06-12-17 09:20

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    C:\WINDOWS\rundl132.exe < delete that file at only that location
    Submit these here please
    C:\WINDOWS\Dll.dll
    C:\WINDOWS\Logo1_.exe
    http://www.virustotal.com/flash/index_en.html
    Let us know the results

    How's that PC running?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
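The three files Lonny singles out are the ones that stand out in the ComboFix "Files Created" listing two posts up: all dropped straight into C:\WINDOWS itself (not a subfolder) in the same minute, two of them exactly 43,504 bytes. The script below is an added example, not part of the thread or of ComboFix; it applies that same read automatically to a listing in ComboFix's format. SAMPLE is constructed from lines copied out of the posted log, and the Windows folder is assumed to be C:\WINDOWS.

```python
r"""Triage helper for a ComboFix-style "Files Created" listing.

Added example, not part of the thread or of ComboFix. It automates the read the
helper gave the log above: files dropped directly into the Windows folder (not a
subfolder) in the same minute, some with identical sizes, are the ones to pull for
a second opinion. SAMPLE is constructed from lines copied out of the posted log;
the Windows folder path is assumed to be C:\WINDOWS.
"""
import re
from collections import defaultdict

# One listing line looks like:  2006-12-12 06:05 43,504 --a------ C:\WINDOWS\rundl132.exe
LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attr>[-a-z]{9})\s+(?P<path>.+)$"
)

SAMPLE = r"""
2006-12-16 18:19 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-12-16 18:19 <DIR> d-------- C:\Program Files\Alwil Software
2006-12-12 06:05 51,200 --a------ C:\WINDOWS\Dll.dll
2006-12-12 06:05 43,504 --a------ C:\WINDOWS\rundl132.exe
2006-12-12 06:05 43,504 --a------ C:\WINDOWS\Logo1_.exe
2006-12-09 11:22 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-10-27 10:07 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
"""


def parse_listing(text):
    """Turn listing lines into dicts; directories get size None, other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # section banners, blank lines
        size_field = m.group("size")
        size = None if size_field == "<DIR>" else int(size_field.replace(",", ""))
        entries.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "size": size,
            "attr": m.group("attr"),
            "path": m.group("path"),
        })
    return entries


def windows_root_drops(entries, windir=r"C:\WINDOWS"):
    """Files written straight into the Windows folder, grouped by minute; keep minutes with 2+."""
    by_minute = defaultdict(list)
    for e in entries:
        if e["size"] is None:
            continue
        folder = e["path"].rpartition("\\")[0]
        if folder.lower() == windir.lower():
            by_minute[e["when"]].append(e)
    return {when: grp for when, grp in by_minute.items() if len(grp) >= 2}


def same_size_pairs(group):
    """Within one minute's drops, the paths that share an exact byte size (copies of one dropper)."""
    by_size = defaultdict(list)
    for e in group:
        by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= 2}


if __name__ == "__main__":
    drops = windows_root_drops(parse_listing(SAMPLE))
    for when, group in drops.items():
        print(f"{when}: {len(group)} files dropped into the Windows folder")
        for size, paths in same_size_pairs(group).items():
            print(f"  identical size {size:,} bytes: {', '.join(paths)}")
```

Paste a whole ComboFix report in place of SAMPLE and the banners and Find3M lines fall through the regex harmlessly; a single file landing in C:\WINDOWS on its own (the _MSRSTRT.EXE line) is deliberately not flagged, because the signal here is the cluster, not the location alone.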

  10. #10
    Junior Member
    Join Date
    Dec 2006
    Posts
    6


    Hi Lonny,

    These are the results. The other file dll.dll got caught by Avast and was deleted. The system felt fine after the last report, but suddenly went cold yesterday. I was forced to restore back to 17th night, although I remember that I did not make any further cleaning on the 17th as the last was done on the 16th. Do you think this would have any effect? Or is there something I should run to check again?

    If it is too much trouble, I am also thinking that a reformat may be a better solution. Please let me know your comments.

    Thanks

    Antivirus           Version         Update      Result
    AntiVir             7.3.0.19        12.19.2006  TR/Crypt.NSPM.Gen
    Authentium          4.93.8          12.15.2006  Possibly a new variant of W32/PWStealer.gen1
    Avast               4.7.892.0       12.16.2006  no virus found
    AVG                 386             12.18.2006  Worm/Delf.ZU
    BitDefender         7.2             12.19.2006  Win32.Worm.Viking.BM
    CAT-QuickHeal       8.00            12.18.2006  (Suspicious) - DNAScan
    ClamAV              devel-20060426  12.19.2006  no virus found
    DrWeb               4.33            12.19.2006  Win32.HLLW.Gavir.54
    eSafe               7.0.14.0        12.17.2006  suspicious Trojan/Worm
    eTrust-InoculateIT  23.73.89        12.19.2006  Win32/Looked.CG!Dropped!Worm
    eTrust-Vet          30.3.3259       12.18.2006  Win32/Looked.CO
    Ewido               4.0             12.19.2006  Worm.Viking.ct
    Fortinet            2.82.0.0        12.19.2006  W32/Viking.CT
    F-Prot              3.16f           12.15.2006  Possibly a new variant of W32/PWStealer.gen1
    F-Prot4             4.2.1.29        12.19.2006  W32/PWStealer.gen1
    Ikarus              T3.1.0.27       12.19.2006  Worm.Win32.Viking.ct
    Kaspersky           4.0.2.24        12.19.2006  Worm.Win32.Viking.ct
    McAfee              4921            12.18.2006  W32/HLLP.Philis.cl
    Microsoft           1.1904          12.19.2006  no virus found
    NOD32v2             1927            12.19.2006  Win32/Viking.CH
    Norman              5.80.02         12.18.2006  W32/Viking.DQ
    Panda               9.0.0.4         12.19.2006  W32/Viking.DN.drp
    Prevx1              V2              12.19.2006  Worm.Looked
    Sophos              4.12.0          12.18.2006  Mal/Packer
    Sunbelt             2.2.907.0       12.18.2006  no virus found
    TheHacker           6.0.3.134       12.18.2006  W32/Viking.ct
    UNA                 1.83            12.18.2006  Worm.Win32.Viking.ct
    VBA32               3.11.1          12.18.2006  MalwareScope.Worm.Viking.5
