
help! -spyfalcon

Discussion in 'Windows - Virus and spyware problems' started by plucki321, May 14, 2006.

  1. plucki321

    Yet another victim of the SpyFalcon virus.

    Here's the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:01:52 PM, on 5/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    M:\Program Files\Norton\Agent\VProSvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    M:\Program Files\Norton\Agent\GhostTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\WINDOWS\system32\YPCSER~1.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Norton AntiVirus\NAVW32.EXE
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\matt plecki\Desktop\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=68.253.191.139:44003;gopher=68.253.191.139:44003;http=68.253.191.139:44003;https=68.253.191.139:44003;socks=68.253.191.139:6881
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp322E.tmp
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [spcfepqv] C:\WINDOWS\spcfepqv.exe
    O4 - HKLM\..\Run: [ktagtn] C:\WINDOWS\System32\ktagtn.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "M:\Program Files\Norton\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm124YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
    O9 - Extra button: Purple Lounge Poker - {701FD202-200A-4bd1-9380-BC8A722B43A5} - C:\Program Files\PurpleloungeMPP\MPPoker.exe
    O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Dream Poker - {D45D9D5F-B491-4c95-8B05-FA6B6C69CA82} - C:\Program Files\dreampokerMPP\MPPoker.exe
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.5.5.29/blackjack/blackjack-en_US.cab
    O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.5.5.29/pool2/pool-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.5.5.29/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.5.5.29/mahjong/mahjong-en_US.cab
    O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.5.5.29/penguins/penguins-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.5.5.29/waterwheel/waterwheel-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.5.5.29/squares/squares-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.5.5.29/spider/spider-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.5.5.29/squelchies/squelchies-en_US.cab
    O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.5.5.29/sweeper/sweeper-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.5.29/peaks/peaks-en_US.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.5.5.29/turbo21/turbo21-en_US.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.5.5.29/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.5.5.29/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.5.5.29/whackdown/whackdown-en_US.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101147589406
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/ea/needforspeed/install.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\SYSTEM32\wingdm32.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - M:\Program Files\Norton\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    And then the SmitFraudFix log:


    SmitFraudFix v2.44

    Scan done at 15:26:20.29, Sun 05/14/2006
    Run from C:\Documents and Settings\matt plecki\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\appmagr.dll FOUND !
    C:\WINDOWS\system32\atmclk.exe FOUND !
    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\hp????.tmp FOUND !
    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\matt plecki\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MATTPL~1\FAVORI~1

    C:\DOCUME~1\MATTPL~1\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\SpyFalcon\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="file:///C:/DOCUME~1/MATTPL~1/LOCALS~1/Temp/msohtml1/02/clip_image002.gif"
    "SubscribedURL"="file:///C:/DOCUME~1/MATTPL~1/LOCALS~1/Temp/msohtml1/02/clip_image002.gif"
    "FriendlyName"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{64ba30a2-811a-4597-b0af-d551128be340}"="AppManager"

    [HKEY_CLASSES_ROOT\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\system32\appmagr.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\system32\appmagr.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  2. JaPK

    OK, you've got some infections...

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download
    We'll use it later.

    Go to Control Panel -> Add/Remove programs -> Remove PartyPoker, MyWebSearch if found

    Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, check the entries listed below and press "Fix checked"):

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/...
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll (file missing)
    O4 - HKLM\..\Run: [spcfepqv] C:\WINDOWS\spcfepqv.exe
    O4 - HKLM\..\Run: [ktagtn] C:\WINDOWS\System32\ktagtn.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm124YYUS
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/ea/needforspeed/insta...
    O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\SYSTEM32\wingdm32.dll

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer into safe mode -> http://www.pchell.com/support/safemode.shtml

    Delete these folders (if found):
    C:\Program Files\MyWebSearch
    C:\Program Files\PartyGaming

    Delete these files (if found):
    C:\WINDOWS\spcfepqv.exe
    C:\WINDOWS\System32\ktagtn.exe
    C:\WINDOWS\SYSTEM32\wingdm32.dll

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd.
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it doesn't do it by itself, restart your computer back into normal mode.
    A text file will appear after the cleaning process; copy this file and paste it here.
    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the log file.

    Make your hidden files invisible again.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> contents of C:\rapport.txt
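    As an added example (not part of this thread, and not code from HijackThis or SmitFraudFix), here is a small Python script that does what a helper does by hand when the fresh log comes back: it parses the R/O entries of a HijackThis v1.99.1 log, diffs the before and after logs to confirm which entries the fixes actually removed, and flags the entry types the instructions above single out (a ProxyServer value pointing at a raw IP, entries marked "(file missing)", Winlogon Notify DLLs, a BHO loaded from a .tmp file). The sample logs are excerpts of the two logs posted in this thread; the flag heuristics are this example's own and are no substitute for a real allowlist.

```python
# Added example, not code from the thread or from HijackThis/SmitFraudFix.
# Parses the R/O entries of a HijackThis v1.99.1 log, diffs a before/after
# pair to confirm which entries the cleanup removed, and flags entry types
# that the helper's instructions single out. Sample logs are excerpts of the
# ones posted in this thread; the flag heuristics are this example's own.
import re
from dataclasses import dataclass

# "R1 - ..." / "O4 - ..." lines; the "Running processes:" list is skipped.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# ProxyServer values whose first protocol entry is a literal IPv4:port.
IP_PROXY_RE = re.compile(r"ProxyServer = \w+=\d{1,3}(?:\.\d{1,3}){3}:\d+")


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # HijackThis section code: R1, O2, O4, O20, ...
    detail: str   # the rest of the line


def parse_hjt(text: str) -> list[Entry]:
    """Return every R*/O* entry of a HijackThis log, in log order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(entries gone after the cleanup, entries that were not there before)."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Review flags for the entry types discussed in the thread (heuristic only)."""
    flags = []
    for e in entries:
        if e.section == "R1" and IP_PROXY_RE.search(e.detail):
            flags.append((e, "proxy points at a raw IP address: browser traffic is being redirected"))
        elif "(file missing)" in e.detail:
            flags.append((e, "stale entry marked (file missing): leftover key from a removed file"))
        elif e.section == "O20":
            flags.append((e, "Winlogon Notify DLL loads inside winlogon.exe: verify the publisher"))
        elif e.section == "O2" and e.detail.lower().endswith(".tmp"):
            flags.append((e, "BHO loaded from a .tmp file instead of a signed DLL"))
    return flags


def review(before: str, after: str) -> dict:
    """Diff two logs and list what still deserves a look in the after log."""
    removed, added = diff_logs(before, after)
    return {"removed": removed, "added": added,
            "still_flagged": flag_entries(parse_hjt(after))}


# Excerpts of the two HijackThis logs posted in this thread (raw strings:
# the backslashes are literal Windows paths, not escapes).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=68.253.191.139:44003;http=68.253.191.139:44003
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp322E.tmp
O4 - HKLM\..\Run: [spcfepqv] C:\WINDOWS\spcfepqv.exe
O4 - HKLM\..\Run: [ktagtn] C:\WINDOWS\System32\ktagtn.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\SYSTEM32\wingdm32.dll
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=68.253.191.139:44003;http=68.253.191.139:44003
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE1A.tmp (file missing)
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    result = review(BEFORE_LOG, AFTER_LOG)
    for e in result["removed"]:
        print(f"removed   {e.section:<4}{e.detail}")
    for e in result["added"]:
        print(f"new       {e.section:<4}{e.detail}")
    for e, why in result["still_flagged"]:
        print(f"REVIEW    {e.section:<4}{e.detail}\n          -> {why}")
```

Run on the two full logs in this thread, the R1 ProxyServer line appears unchanged in both, which is exactly the kind of leftover this check is meant to surface.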
     
  3. plucki321

    SmitFraudFix v2.44

    Scan done at 15:18:19.04, Mon 05/15/2006
    Run from C:\Documents and Settings\matt plecki\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\atmclk.exe Deleted
    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp????.tmp Deleted
    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\regperf.exe Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\MATTPL~1\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End





    Logfile of HijackThis v1.99.1
    Scan saved at 3:38:26 PM, on 5/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    M:\Program Files\Norton\Agent\VProSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    M:\Program Files\Norton\Agent\GhostTray.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\WINDOWS\system32\YPCSER~1.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HijackTHis\HijackThis_v1.99.1.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=68.253.191.139:44003;gopher=68.253.191.139:44003;http=68.253.191.139:44003;https=68.253.191.139:44003;socks=68.253.191.139:6881
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE1A.tmp (file missing)
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "M:\Program Files\Norton\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
    O9 - Extra button: Purple Lounge Poker - {701FD202-200A-4bd1-9380-BC8A722B43A5} - C:\Program Files\PurpleloungeMPP\MPPoker.exe
    O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Dream Poker - {D45D9D5F-B491-4c95-8B05-FA6B6C69CA82} - C:\Program Files\dreampokerMPP\MPPoker.exe
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.5.5.29/blackjack/blackjack-en_US.cab
    O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.5.5.29/pool2/pool-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.5.5.29/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.5.5.29/mahjong/mahjong-en_US.cab
    O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.5.5.29/penguins/penguins-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.5.5.29/waterwheel/waterwheel-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.5.5.29/squares/squares-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.5.5.29/spider/spider-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.5.5.29/squelchies/squelchies-en_US.cab
    O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.5.5.29/sweeper/sweeper-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.5.29/peaks/peaks-en_US.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.5.5.29/turbo21/turbo21-en_US.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.5.5.29/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.5.5.29/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.5.5.29/whackdown/whackdown-en_US.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101147589406
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - M:\Program Files\Norton\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 3:57:41 PM, 5/15/2006
    + Report-Checksum: 4E6A8D02

    + Scan result:

    HKLM\SOFTWARE\Classes\WinStatX.Installer -> Adware.WinTaskAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinStatX.Installer\CLSID -> Adware.WinTaskAd : Cleaned with backup
    HKLM\SOFTWARE\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup
    HKLM\SOFTWARE\SearchRelevancy\Update -> Adware.SearchRelevancy : Cleaned with backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@217.73.66[2].txt -> TrackingCookie.217.73.66.16 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@2o7[2].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@adtech[2].txt -> TrackingCookie.Adtech : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@advertising[1].txt -> TrackingCookie.Advertising : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@bfast[2].txt -> TrackingCookie.Bfast : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[4].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[5].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[6].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[7].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[8].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@burstnet[9].txt -> TrackingCookie.Burstnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@c5.zedo[2].txt -> TrackingCookie.Zedo : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@com[2].txt -> TrackingCookie.Com : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@e-2dj6wfl4endpgdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@e-2dj6wgmiaid5iep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@e-2dj6wjliegd5egq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@e-2dj6wjnyuoc5glp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-deltadentalofwi.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-foxsports.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-idg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-linksys.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-newegg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-osiris.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-proflowers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-sonycomputer.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@ehg-tigerdirect2.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@news.com[1].txt -> TrackingCookie.Com : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@powellsbooks.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@revenue[2].txt -> TrackingCookie.Revenue : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@spylog[1].txt -> TrackingCookie.Spylog : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@starware[2].txt -> TrackingCookie.Starware : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned without backup
    C:\Documents and Settings\matt plecki\Cookies\matt plecki@zedo[1].txt -> TrackingCookie.Zedo : Cleaned without backup


    ::Report End


    thanks for everything
     
  4. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok almost clean, just fix this entry with HijackThis:

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE1A.tmp (file missing)

    Post one more HjT log.

    You should update your Java (the old version has many vulnerabilities):
    1. Click Start -> Control Panel and double-click the Java icon (coffee cup).
    2. Move to the Update tab and update Java by clicking "Update Now". After that, do a restart.
    3. If you can't make the automatic update work, get the new version manually from here -> http://www.java.com/en/download/manual.jsp
    4. If the old Java (J2SE Runtime Environment 5.0 Update 4) still exists in Control Panel -> Add/Remove Programs after the update, delete it.
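The same first-pass triage that the helper does by eye can be scripted, which is handy when you have many logs to read. The following is an added example (not code from this thread, from HijackThis, or from ewido) that parses HijackThis-style lines into section code, CLSID and path, then flags the kind of entry called out above: an O2 BHO whose file is missing. The sample lines are copied from the logs posted in this thread; the two "review" rules (an O10 broken-LSP line, and a ProxyServer value pointing anywhere other than loopback) are my own heuristics and an assumption, not advice given by anyone in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the HijackThis logs posted in
# this thread (plus the benign NAV Helper BHO for contrast). Not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=68.253.191.139:44003;http=68.253.191.139:44003
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE1A.tmp (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sections whose last " - " separated field is a file path.
PATH_SECTIONS = {"O2", "O3", "O9", "O23"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    file_missing: bool


Finding = Tuple[str, str, str]  # (action, section, message)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section code, body, CLSID and path."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # blank lines, headers and the process list are skipped
    section, body = m.group("section"), m.group("body")
    c = CLSID.search(body)
    clsid = c.group(0).upper() if c else None  # normalise case for comparison
    path = None
    if section in PATH_SECTIONS:
        path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    return Entry(section, body, clsid, path, "(file missing)" in body)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def proxy_hosts(body: str) -> set:
    """Hosts named in a ProxyServer value like 'http=host:port;https=host:port'."""
    value = body.split(" = ", 1)[-1]
    hosts = set()
    for item in value.split(";"):
        target = item.split("=", 1)[-1]      # drop the 'http=' scheme prefix
        hosts.add(target.rsplit(":", 1)[0])  # drop the port
    return hosts


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag the entry types a helper would ask about first.

    'fix' mirrors the thread's advice (an O2 BHO whose file is missing).
    'review' items are my own heuristics (assumption, not from the thread):
    a broken-LSP O10 line and a ProxyServer pointing anywhere but loopback.
    """
    findings: List[Finding] = []
    for e in entries:
        if e.section == "O2" and e.file_missing:
            findings.append(("fix", e.section, f"BHO {e.clsid} -> missing file {e.path}"))
        elif e.section == "O10":
            findings.append(("review", e.section, e.body))
        elif e.section == "R1" and "ProxyServer" in e.body:
            remote = sorted(h for h in proxy_hosts(e.body) if h not in LOOPBACK)
            if remote:
                findings.append(("review", e.section, f"proxy set to {', '.join(remote)}"))
    return findings


if __name__ == "__main__":
    for action, section, msg in triage(parse_log(SAMPLE_LOG)):
        print(f"[{action:6}] {section}: {msg}")
```

Run against the sample it reports one "fix" (the hpE1A.tmp BHO JaPK asked to be removed) and two "review" items; the O4 and O23 lines, and the Norton BHO, produce nothing. CLSIDs are upper-cased before comparison because HijackThis prints them in whichever case the registry holds.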
     
  5. plucki321

    plucki321 Member

    Joined:
    Mar 27, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Logfile of HijackThis v1.99.1
    Scan saved at 3:02:46 PM, on 5/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    M:\Program Files\Norton\Agent\VProSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    M:\Program Files\Norton\Agent\GhostTray.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\WINDOWS\system32\YPCSER~1.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HijackTHis\HijackThis_v1.99.1.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=68.253.191.139:44003;gopher=68.253.191.139:44003;http=68.253.191.139:44003;https=68.253.191.139:44003;socks=68.253.191.139:6881
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE1A.tmp (file missing)
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "M:\Program Files\Norton\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
    O9 - Extra button: Purple Lounge Poker - {701FD202-200A-4bd1-9380-BC8A722B43A5} - C:\Program Files\PurpleloungeMPP\MPPoker.exe
    O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Dream Poker - {D45D9D5F-B491-4c95-8B05-FA6B6C69CA82} - C:\Program Files\dreampokerMPP\MPPoker.exe
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.5.5.29/blackjack/blackjack-en_US.cab
    O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.5.5.29/pool2/pool-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.5.5.29/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.5.5.29/mahjong/mahjong-en_US.cab
    O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.5.5.29/penguins/penguins-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.5.5.29/waterwheel/waterwheel-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.5.5.29/squares/squares-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.5.5.29/spider/spider-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.5.5.29/squelchies/squelchies-en_US.cab
    O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.5.5.29/sweeper/sweeper-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.5.29/peaks/peaks-en_US.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.5.5.29/turbo21/turbo21-en_US.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.5.5.29/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.5.5.29/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.5.5.29/whackdown/whackdown-en_US.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101147589406
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - M:\Program Files\Norton\Agent\VProSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    thank you very much
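Added example, not code from this thread or from HijackThis: a small Python parser for the "O<n> - ..." line format of the log above, run over a constructed sample built in the same shape, that attaches the triage flags a helper looks at first (missing files, the broken LSP entry, services with no vendor name, ActiveX objects fetched from a web URL). The flag names and the rule set are this example's own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass, field

# HijackThis writes one finding per line as "O<section> - <description>".
ENTRY_RE = re.compile(r"^O(?P<section>\d+) - (?P<body>.+?)\s*$")

@dataclass
class Entry:
    section: int
    body: str
    flags: list = field(default_factory=list)

# Constructed sample in the log format above; the O23 line is shaped like the Brother entry.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (constructed sample header, skipped by the parser)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

def parse_line(line):
    """Return an Entry for an O-line; None for headers, process lists and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return Entry(int(m.group("section")), m.group("body")) if m else None

def triage(entry):
    """Attach the review flags a helper checks first. Heuristics only, not verdicts."""
    body = entry.body
    if "(file missing)" in body:
        entry.flags.append("file missing")           # registered binary no longer on disk
    if entry.section == 10:
        entry.flags.append("LSP chain broken")       # Winsock LSP points at a missing DLL
    if entry.section == 23 and "Unknown owner" in body:
        entry.flags.append("service without vendor") # no company name in the service binary
    if entry.section == 16 and re.search(r"https?://", body):
        entry.flags.append("remote ActiveX download")  # DPF object fetched from a web URL
    return entry

def parse_log(text):
    """All O-line entries in a log, each with its triage flags."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]

def flagged(text):
    """Only the entries that carry at least one flag, keyed by their description."""
    return {e.body: e.flags for e in parse_log(text) if e.flags}
```

Flagged entries are a starting point for review, not a verdict: a "(file missing)" service is often just a leftover from an uninstalled printer driver, as the Brother entry in the log above may well be.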
     
  6. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, it is a tight one....

    Hmm, please post a new smitfraudfix log here:

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

    Post the contents of this text file here.
     