Spy falcon, AGAIN [RESOLVED]


#1 cosmiqeddie (Member, 57 posts)
This is the 3rd time SpyFalcon has come back, after following some of the methods posted at
http://www.geekstogo...58&hl=spyfalcon
My PC seemed to be fine after the removal, but not for long; a few days later SpyFalcon still came back.

Here's my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:04:57 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\cosmic\Desktop\w3hph.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\SpyFalcon\SpyFalcon.exe
C:\Program Files\SpyFalcon\SpyFalcon.exe
C:\Documents and Settings\cosmic\Desktop\W3XMapHack12002.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cosmic\My Documents\anti-spywares\HijackThis.exe

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp3E38.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 场ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141571361171
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F39E970A-EB63-490A-85F1-FAA903DFAAD0}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjty32 - C:\WINDOWS\SYSTEM32\winjty32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello Cosmic and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated including what appears to be Puper and a VX2 infection. Let’s see what we can do with the first sweep designed to kill VX2.

Is this your ISP or PC supplier?: TMNET IP Administrators Level 25 (South), Menara Telekom, Jalan Pantai Baru, 50672 Kuala Lumpur. MY

Firstly, could you please disable Microsoft AntiSpyware/Windows Defender from running during the fix; it may just hinder our attempts to change anything. Right-click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled), then click on Disable Real-time Protection. To re-enable it, follow the same steps but click on Enable Real-time Protection.

Also please disable Spy Sweeper from running for the same reason.

When your PC has been declared clean, please only enable one of those two programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a checkmark or tick next to Run this programme as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive...ib/MSWINSCK.OCX

#3 cosmiqeddie (Topic Starter; Member, 57 posts)
Sorry for the late reply, here's my HijackThis log and Look2Me-Destroyer log.

Logfile of HijackThis v1.99.1
Scan saved at 12:03:22 PM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cosmic\My Documents\anti-spywares\HijackThis.exe

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpE985.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 场ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141571361171
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjty32 - winjty32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe




Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 3/23/2006 11:57:53 AM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


SpyFalcon is now gone, but I wonder whether it will come back again, like what happened the last few times using smitRem.

#4 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,131 posts)
Hello again

Spyfalcon is still alive and well on your PC, but I haven't tried to remove it yet. The VX2 infection is now dead, confirmed by your HJT log. In this fix I will get rid of Spyfalcon.

Download FixSF.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

FixSF.reg Download Link We will run it shortly.

Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpE985.tmp
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - Winlogon Notify: winjty32 - winjty32.dll (file missing)


Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web and uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

It is possible that after the reboot the system is using the Windows Classic theme again.
To restore the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style again under Windows and buttons.
Click Apply and OK.

If your background is abnormal go to Start>Control Panel>Display>Desktop>Customize Desktop>Web and remove the file in the Web Pages list, then OK out of display.
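A small triage script for HijackThis logs like the ones posted in this thread, added here as an illustration; it is not code from the forum, the helper, or the HijackThis author. It encodes the indicators the helper acted on above (the unnamed BHO loading a .tmp whose name changes between logs, the SpyFalcon run key, the Yazzle DPF download, the Winlogon Notify hook left behind after Look2Me-Destroyer deleted its DLL). The sample log lines are constructed from the logs posted above, and the trusted-CLSID list is an assumption limited to the two O16 controls the helper left in place.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis v1.99.1 entries modelled on the logs posted in
# this thread. The "..." inside the URLs is how the forum shows them (truncated).
SAMPLE_LOG = """\
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\\WINDOWS\\system32\\hpE985.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\\PROGRA~1\\FlashGet\\fgiebar.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [SpyFalcon] C:\\Program Files\\SpyFalcon\\SpyFalcon.exe /h
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141571361171
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - Winlogon Notify: winjty32 - winjty32.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
"""

# Constructed excerpt of the first log in the thread, for the before/after diff.
EARLIER_LOG = """\
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\\WINDOWS\\system32\\hp3E38.tmp
O20 - Winlogon Notify: winjty32 - C:\\WINDOWS\\SYSTEM32\\winjty32.dll
"""

# Product names the thread identifies as rogue security software.
KNOWN_ROGUE_NAMES = {"spyfalcon"}

# Assumption: the O16 controls the helper left in place (Windows Update web
# control, Panda ActiveScan installer) are trusted; any other CLSID gets "review".
TRUSTED_DPF_CLSIDS = {
    "{6414512B-B978-451D-A0D8-FCFDF33E833C}",
    "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str
    verdict: str   # "fix" = tick it in HJT; "review" = look closer first
    reason: str
    line: str


def parse_hjt(text):
    """Yield (section, remainder, full_line) for every 'Oxx - ...' entry."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(text):
    """Apply the indicators used in this thread to one HJT log."""
    findings = []
    for section, rest, line in parse_hjt(text):
        low = rest.lower()
        if section == "O2":
            # "BHO: <name> - <clsid> - <path>". A BHO with no real name that
            # loads a .tmp from system32 is what the helper ticked; note the
            # .tmp name differs between the two logs (hp3E38 vs hpE985).
            name = rest.split(":", 1)[1].split(" - ")[0].strip().lower()
            path = rest.rsplit(" - ", 1)[-1].strip().lower()
            if name in ("nothing", "(no name)", "") or path.endswith(".tmp"):
                findings.append(Finding(section, "fix", "unnamed BHO loading a .tmp file", line))
        elif section == "O4":
            if any(r in low for r in KNOWN_ROGUE_NAMES):
                findings.append(Finding(section, "fix", "autostart for known rogue product", line))
        elif section == "O16":
            clsid = CLSID_RE.search(rest)
            if clsid is None or clsid.group(0).upper() not in TRUSTED_DPF_CLSIDS:
                findings.append(Finding(section, "review", "ActiveX download (DPF) not on trusted list", line))
        elif section == "O20":
            # Legitimate Winlogon Notify handlers are few. "(file missing)"
            # means the DLL was deleted (here by Look2Me-Destroyer) but the
            # registry hook survived and still has to be fixed in HJT.
            verdict = "fix" if "(file missing)" in low else "review"
            findings.append(Finding(section, verdict, "Winlogon Notify handler", line))
    return findings


def changed_entries(before, after):
    """Entries that disappeared and appeared between two logs of the same PC."""
    old = {line for _, _, line in parse_hjt(before)}
    new = {line for _, _, line in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:6}] {f.section}: {f.reason}\n         {f.line}")
    gone, appeared = changed_entries(EARLIER_LOG, SAMPLE_LOG)
    print("gone since first log:", *gone, sep="\n  ")
```

Run it against two consecutive logs from the same machine; an entry that keeps the same CLSID but changes its file name between runs (the O2 line here) is itself a sign of an infection that regenerates, which is why the helper moved on to smitRem and FixSF.reg rather than stopping after the BHO was fixed.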

#5 cosmiqeddie (Topic Starter; Member, 57 posts)
Here's my log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:33:35 PM, 3/23/2006
+ Report-Checksum: 6AFAE933

+ Scan result:

HKU\S-1-5-21-1844237615-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
:mozilla.17:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.18:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.21:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.30:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.31:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.32:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.35:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.69:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.70:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.71:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.72:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.151:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.152:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.153:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.154:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.155:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.156:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.157:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.158:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.159:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.160:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.166:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.167:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.168:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.227:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Porntrack : Cleaned with backup
:mozilla.254:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.255:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.256:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.257:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.258:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.259:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.266:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.267:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.285:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.286:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.293:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.294:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.295:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.296:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.300:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.321:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.322:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.323:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.324:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.325:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.326:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.340:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.341:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.348:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.353:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.354:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.355:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.356:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.357:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.358:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.359:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.360:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.361:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.362:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned with backup
:mozilla.363:C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned with backup
C:\Documents and Settings\cosmic\Application Data\аssembly\javaw.exe -> Downloader.PurityScan.by : Cleaned with backup
C:\Documents and Settings\cosmic\Cookies\cosmic@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\cosmic\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\cosmic\My Documents\anti-spywares\backups\backup-20060323-214130-150.dll -> Adware.MediaTickets : Cleaned with backup
C:\Program Files\Common Files\Тasks\mshta.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\ginuerep.dll -> Not-A-Virus.Hoax.Win32.Renos.bz : Cleaned with backup
C:\WINDOWS\system32\Μicrosoft\mmc.exe -> Downloader.PurityScan.by : Cleaned with backup
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup


::Report End



Incident Status Location

Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\!KillBox\SpyFalcon\SpyFalcon.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\cosmic\Application Data\Mozilla\Firefox\Profiles\5m8oy3oi.default\Cache\3EFBEAA3d01[Process.exe]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\cosmic\Cookies\cosmic@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\cosmic\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\cosmic\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\cosmic\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\cosmic\My Documents\anti-spywares\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\cosmic\My Documents\anti-spywares\smitRem.exe[Process.exe]
Adware:Adware/EMediaCodec Not disinfected C:\WINDOWS\system32\dfrgsrv.exe


Logfile of HijackThis v1.99.1
Scan saved at 7:28:55 AM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cosmic\My Documents\anti-spywares\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 场ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141571361171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F39E970A-EB63-490A-85F1-FAA903DFAAD0}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


smitRem ?log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 03/23/2006 Thu
The current time is: 21:41:48.67

Running from
C:\Documents and Settings\cosmic\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
nvctrl.exe


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 888 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :whistling:
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


B. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot"
    • Then click on the "All Files" button if there is more than one file to delete.
  • Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\system32\dfrgsrv.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


C. Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations.

Trevuren
  • 0
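Trevuren's verdict above ("Your log looks good") comes from reading the O-lines of the posted HijackThis log by eye. As an added illustration, not part of this thread and not HijackThis's own code, the Python below parses lines in that 1.99 format and pulls out what an analyst checks first: autorun entries (O4), services (O23) whose binary is reported missing or whose publisher is unknown, the configured DNS servers (O17) and any downloaded ActiveX controls (O16). The sample log inside the block is constructed for the example: a few lines shaped like the ones posted above, with a placeholder CLSID and URL for the O16 entry.

```python
"""Small HijackThis v1.99 log triage helper (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 1.99 format; the O16 CLSID and URL are placeholders.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {PLACEHOLDER-CLSID} (Example Plugin Class) - http://example.invalid/plugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F39E970A-EB63-490A-85F1-FAA903DFAAD0}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Every HijackThis item starts with a section tag such as "O4 - " or "O23 - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 Run-key form: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O17 form: ...: NameServer = ip ip
O17_RE = re.compile(r"NameServer = (?P<servers>.*)$")


@dataclass
class Entry:
    section: str                       # "O4", "O23", ...
    raw: str                           # the line as HijackThis printed it
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for a HijackThis O-line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    e = Entry(section=section, raw=line.strip())
    # HijackThis appends this marker when the referenced binary is absent.
    if "(file missing)" in body:
        e.flags.append("file-missing")
    if section == "O4":
        m4 = O4_RE.match(body)
        if m4:                         # Global Startup .lnk lines stay raw
            e.fields.update(m4.groupdict())
    elif section == "O23" and body.startswith("Service: "):
        # "Service: <name> - <owner> - <image path>"; the path may itself contain dashes
        parts = body[len("Service: "):].split(" - ", 2)
        if len(parts) == 3:
            e.fields.update(zip(("name", "owner", "path"), parts))
            if parts[1] == "Unknown owner":
                e.flags.append("unknown-owner")
    elif section == "O17":
        m17 = O17_RE.search(body)
        if m17:
            e.fields["nameservers"] = m17.group("servers").split()
            e.flags.append("review-dns")   # verify these are the ISP's resolvers
    elif section == "O16":
        e.flags.append("review-activex")   # downloaded control: confirm the source
    return e


def parse_log(text: str):
    """Parse a whole log; non-entry lines (headers, process list) are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(text: str):
    """Only the entries that carry at least one flag, in log order."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {','.join(e.flags):28} {e.raw}")
```

The flags are prompts for a human, not verdicts: an unknown owner or a missing file is common for legitimate software (the ATI and WinPcap services above are examples), and a clean log is one where each flagged line can be explained.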

#7
cosmiqeddie

cosmiqeddie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
OK. Everything looks just fine to me. Hopefully that thing won't come back again and again, like it did before.

By the way, thanks for helping me this far. :whistling: So what's the final step?
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Congratulations! Your new log is clean. :whistling: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
MICROSOFT ANTISPYWARE - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL - A fine free malware detector and removal programme
SPYBOT S&D - Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :blink:

It just remains for me to wish you happy safe surfing in the future and to thank Trevuren for stepping in at short notice whilst I was not well.
  • 0

#9
cosmiqeddie

cosmiqeddie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Thank you for helping me this far. My problem seems to be solved; maybe System Restore is the main culprit of the returning of SpyFalcon, because during the last few clean-ups I didn't even touch System Restore.

So far so good, I really appreciate your help. Thanks.
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
You are very welcome.

I will leave this thread open for a few days in case of misfortune.
  • 0

#11
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
