The Forum is currently experiencing technical issues which the team are working to resolve. Thank you for your patience.

idcfw.exe

2

Comments

  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:19:06, on 26/05/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~ 1.EXE
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.ex e
    C:\Program Files\TalkTalk Online Security\backweb\81720\program\fsbwsys.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\TalkTalk Online
    Security\backweb\81720\Program\fspex.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\system32\wltrysvc.exe
    C:\WINDOWS\system32\bcmwltry.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\WINDOWS\etMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\WLAN\Common\RaUI.exe
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA CE.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA CE.EXE
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Carambis\Driver Updater\dupdater.exe
    C:\Program Files\USB CAMERA\DRIVER\emSwapAp2.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?
    FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program
    Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Freeze.com Helper - {D6A99B1F-FAB9-4FA5-9C9D-D0D0CF846C05} - C:\Program Files\YourScreen\Freeze.DesktopManager.BrowserHelp er.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper -{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!
    \Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [WLan Utility] C:\Program Files\WLAN\Common\RaUI.exe -s
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA CE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB002" /M "Stylus DX3800"
    O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA CE.EXE /P35 "EPSON Stylus DX3800 Series (Copy 1)" /O6 "USB002" /M "Stylus DX3800"
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [Driver Updater] C:\Program Files\Carambis\Driver Updater\dupdater.exe /minimized
    O4 - HKCU\..\Run: [BrowserChoice] "C:\WINDOWS\system32\browserchoice.exe" /run
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Startup: Seagate 2GHJ0PJM Product Registration.lnk = C:\Documents and Settings\User\Application Data\Leadertech\PowerRegister\Seagate 2GHJ0PJM Product Registration.exe
    O4 - Global Startup: TalkTalk Online Security.lnk = C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
    O4 - Global Startup: emSwapAP2.EXE.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\TalkTalk Online Security\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\TalkTalk Online Security\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
    Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122341995927
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1273842822705
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - [URL]file:///D:/SuperCD/IntraLaunch.CAB[/URL]
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-29-0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh
    ockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: TalkTalk Online Security (BackWeb Plug-in - 81720) - BackWeb Technologies Inc. - C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~ 1.EXE
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.ex e
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: fsbwsys - F-Secure Corp. -
    C:\Program Files\TalkTalk Online Security\backweb\81720\program\fsbwsys.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\wltrysvc.exe
    O24 - Desktop Component 0: (no name) -
    O24 - Desktop Component 1: (no name) -
    --
    End of file - 12225 bytes
  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    edited 27 May 2010 at 11:14AM
    Above is the actual hijack this log from K. Please can this be analysed? He seems to have tried to run the recovery discs but that seemed to show an error message.

    Is Talk Talk Online Security good? Should a different antivirus be used?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I wouldnt use TALK TALKs security myself (Fsecure itself is good, but anything tied to an ISP is not)

    Uninstall the YAHOO toolbar
    Id uninstall BITORRENT (If you must use one, use UTORRENT instead)

    TICK and FIX these ~
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - Startup: Seagate 2GHJ0PJM Product Registration.lnk = C:\Documents and Settings\User\Application Data\Leadertech\PowerRegister\Seagate 2GHJ0PJM Product Registration.exe
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab

    Comodo comes with its own av program attached these days. If its on then you really need to switch it off (Or id recommend removing ALL security and putting something half decent on like Avira)
    :idea:
  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    What do you think the idcfw.exe is?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    The_Grandmaster wrote: »
    What do you think the idcfw.exe is?

    Im going to guess its a trojan
    :idea:
  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    Is the idcfw.exe still trying to download?
  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    edited 27 May 2010 at 11:16PM
    Odd isn't it, can't find anything about idcfw.exe?

    Only info I can find about idcfw is idcfw.com and .net which are both Chinese sites.
  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    I've noticed that too. I expected the antivirus companies would have known a bit more about it... We may get a false negative result... But are the programmes sophisticated enough to flag up something they haven't seen before?
  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    Message from K:

    Great stuff. All is working and running fast..the recovery disc still wont work as i was going to set it back to original state but maybe best left alone as its going good..

    Thank you


    Is that all he needs to do then?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Well if it IS a trojan, id be running combofix personally

    (Dont post that log though, let them upload it to rapidshare as a full log and post THAT link instead)
    :idea:
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 350K Banking & Borrowing
  • 252.7K Reduce Debt & Boost Income
  • 453.1K Spending & Discounts
  • 242.9K Work, Benefits & Business
  • 619.8K Mortgages, Homes & Bills
  • 176.4K Life & Family
  • 255.9K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • 15.1K Coronavirus Support Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture