PDA

View Full Version : spysheriff victim and mcafee virus



HOLSMAN
2006-06-05, 22:35
First time on a forum. Have BB router between cpmtr & surfboard. Had Mcafee virus turned off (idiot!) Accidentally loaded spysherrif (twice the fool). Uninstalled Mcafee thru ad/remove. Loaded and ran updated spybot. Cleaned all. Reinstalled Mcafee virus thru IE (got "boom" and mess. that disappears before IE runs - use Firefox for everything except Webex). Got spybot messages like "registery changed" (from lower to upper case, etc) , "change denied", etc. and IE (I use Firefox for most browsing). Got dos removal tool from Mcafee and ran it twice. Installed Mcafee virus again (clean??) Ran spybot again and cleaned. Still getting repeats of 3 new spybot messages re registry changes that won't go away. Help!

HOLSMAN
2006-06-05, 23:06
After rebooting, the spybot reports stopped and every thing seems OK, except that when I open IE I get the boom chord and "cannot find 'file ///c/:/secure32.html" but then IE without my google search bar, and then I tried resetting my web settings, but nothing changed _ I prefer Firefox anywaybut am curious why the message.

Should I follow Calamity Janes's advice to clear out system restore points? (I have XP pro with SP2)

Thanks for being our online angels.

tashi
2006-06-05, 23:11
Merged two topics.

Hello,

I do not see CalamityJane assisting you; both of your posts are in this thread.

Please follow the instructions here to post a HJT log.
BEFORE you post a log, and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Copy paste the log into this topic and a helper will assist you as soon as available. :)

HOLSMAN
2006-06-07, 23:38
MY COMPUTER IS NOW IN YOUR HANDS, O WISE ONE, PLEASE GIVE ME YOUR WISOM AND ADVICE AND I WILL FOLLOW YOUR COUNSEL. COMCAST HAS NOW BLOCK ALL MY OUTGOING EMAIL TO THE WORLD (DON'T BLAME THEM - ALTHOUGH IT DID ALL HAPPEN AFTER INSTALLING AND THEN INADVERTANTLY DISABLING "VIRUS")

HERE IS MY PANDA LOG FOLLOWED BY MY HYJACKTHIS LOG. THANK YOU FOR BEING THERE FOR US!

PANDA:

Incident Status Location

Adware:Adware/Secure32 Not disinfected C:\Program Files\nbak.exe
Adware:adware/secure32 Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.go.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.centrport.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.microsoftwga.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.xiti.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.xmts.net/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Enhance Not disinfected

HOLSMAN
2006-06-07, 23:44
C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[c.enhance.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[c.goclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[hc2.humanclick.com/hc/51325817]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/41409448]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/42435556]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/LPservicemagic]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.adtech.de/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.centrport.net/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.rn11.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.target.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[c.enhance.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[c.goclick.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/11501984]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/4268343]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/78893611]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/LPservicemagic]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/BurstBeacon Not disinfected

HOLSMAN
2006-06-07, 23:45
C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[www.web-stat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@ads.pointroll[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@atwola[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@centrport[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@questionmarket[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@searchportal.information[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@tradedoubler[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@xiti[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@zedo[1].txt
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Desktop\VSCleanupTool.exe
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Local Settings\Temp\GLF100.EXE
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Local Settings\Temp\GLF7.EXE
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Local Settings\Temp\GLFF.EXE
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Techsupport\Cookies\techsupport@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Techsupport\Cookies\techsupport@doubleclick[1].txt
Virus:Trj/Goldun.IR Disinfected C:\jjyvrdl.exe
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Techsupport\Cookies\techsupport@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Techsupport\Cookies\techsupport@doubleclick[1].txt
Spyware:Cookie/Bfast Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\ad@bfast[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\ad@realmedia[1].txt
Spyware:Cookie/Bfast Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@bfast[2].txt
Spyware:Cookie/CentrPort Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@centrport[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@adtech[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@ehg-ati.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@hitbox[2].txt
Spyware:Cookie/HotLog Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@hotlog[1].txt
Spyware:Cookie/QuestionMarket Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@questionmarket[1].txt

HOLSMAN
2006-06-07, 23:46
HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 3:08:44 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\nbak.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\NEW DOWNLOADS\Spybot and Panda\safer\HijackThis.exe
C:\WINNT\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SysTray] C:\Program Files\nbak.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://construction.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: se500mdm - C:\WINNT\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

HOLSMAN
2006-06-07, 23:48
I Await Your Help. You Are My Last Hope. Thanks For Being There.

HOLSMAN
2006-06-08, 00:01
While following your directions (and before) I got the following error messages along the way:

" ACSTART16.EXE failed, OXcoooooo5" (not sure of zero count) - twice, with a low chime/boom sound!

"NT AUTHORITY SYSTMEM SHUTDOWN" followed by freeze up and had to cold boot.

and was still gettiing Spybot messages with a registry change noted in an identical filename with "mc...(something).exe" in caps then in lower case, followed by yellow dialog popup saying "registry change denied"

tashi
2006-06-08, 03:02
Hello.

I merged another of your new topics into your original; please click Post Reply, not Start New Topic. Thanks. ;)

A helper will assist you as soon as available and we have this topic if it became necessary:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

Cheers. :)

LonnyRJones
2006-06-08, 06:00
Hello

Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"resident tea timer"protection of all-over system settings) active"
Close SpyBot.
We will remind you to turn it on later

Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/
After your pc has been restarted a log will open post it along with a fresh hijackthis log.

HOLSMAN
2006-06-08, 06:41
I got this while following your prior directions for Panda and Spybot logs:

Spybot- Search & Destroy has detected an important registery entry that has been changed.
“Category: System Startup global entry
Change: Value Changed
Entry: MCUpdateExe
Old Data: C:\PROGRA*1\mcafee.com\agent\McUpdate.exe
New Data: c:\PROGRA*1\mcafee.com\agent\mcupdate.exe”

Then yellow popup window @ lower right = "20.02 registry change denied"


Then while awaiting your recent reply, I Ran spybot again, got more (fewer but similar) red items, fixed them again, ran spybot again and while waiting for second search, got the following:
“Category: Browser page
Change: Value changed
Entry: Local Page
(Oops. Hit Popup and got "22.05 registry change denied" before could transcribe Old and New data.), so,
Old Data: ??
New Data: ??”

Then when search #2 ended, got just one item left (which was before every time): “CoolWWWsearch.WCADW”
When I right clicked and started to “save to file”, a new spybot message showed up:
“Category: System Startup global entry
Change: Value Deleted
Entry: Sys Tray
Old Data: C:\program files\nbak.exe
New Data: (dimmed and empty)”

Then McAfee reported:
“Trojan found and Cleaned:
The file C:\program files\nbak.exe was infected by the StartPage –IH Trojan and has been deleted to complete the Clean process.”

Then “22:27 registry change denied”

fixed that and got:
Category: Browser page
Change: Value changed
Entry: Local Page
Old Data: C:\secure32.
New Data: about blank

Then “22:34 registry change denied”
Then the same again except for “Entry: default_Page_URL” etc
And “22:35 registry changed denied”

Then the same again except for “Entry: Local Page”
And then “22:37 registry change denied”

Then same again except for “Entry: Default_Page_URL again but this time “New Data: about blank:

Then 22:39 registry change denied”

Then no more.

Should I have waited before running spybot again?
SHould I have left McAfee active virus protection running?

"arrrrrgh!"

HOLSMAN
2006-06-08, 07:17
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 6/7/2006 11:05:14 PM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 11:16:11 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\NEW DOWNLOADS\Spybot and Panda\safer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\nbak.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://construction.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: se500mdm - C:\WINNT\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

HOLSMAN
2006-06-08, 07:20
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 6/7/2006 11:05:14 PM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 11:16:11 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\NEW DOWNLOADS\Spybot and Panda\safer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\nbak.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://construction.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: se500mdm - C:\WINNT\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

LonnyRJones
2006-06-08, 07:27
Post a report from this tool if any FILES show
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

Also:
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!

HOLSMAN
2006-06-08, 08:41
blacklight log

06/08/06 00:18:56 [Info]: BlackLight Engine 1.0.37 initialized
06/08/06 00:18:56 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/08/06 00:18:56 [Note]: 7019 4
06/08/06 00:18:56 [Note]: 7005 0
06/08/06 00:19:24 [Note]: 7006 0
06/08/06 00:19:24 [Note]: 7011 1804
06/08/06 00:19:24 [Note]: 7026 0
06/08/06 00:19:24 [Note]: 7026 0
06/08/06 00:19:36 [Note]: FSRAW library version 1.7.1015
06/08/06 00:21:23 [Info]: Hidden file: c:\WINNT\system32\se500mdm.dll
06/08/06 00:21:23 [Note]: 10002 1
06/08/06 00:21:24 [Info]: Hidden file: c:\WINNT\system32\se500mdmd.sys
06/08/06 00:21:24 [Note]: 10002 1
06/08/06 00:32:57 [Note]: 7007 0

HOLSMAN
2006-06-08, 09:01
I UNZIPPED THE FILE INTO MY RECEIVED FILES AND THEN CUT AND PASTED IT ONTO THE DESKTOP AND THEN RAN THE CMD FILE WHICH PUT THE RAPPORT.TXT FILE IN THE DESKTOP FOLDER. HERE IT IS.

SmitFraudFix v2.55

Scan done at 0:52:16.39, Thu 06/08/2006
Run from C:\Documents and Settings\J.Peter Holsman\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\J.Peter Holsman\Application Data

C:\Documents and Settings\J.Peter Holsman\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\J67DB~1.PET\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

LonnyRJones
2006-06-08, 09:23
Thanks

Run blacklite again scan then have it rename those two files
let blacklite restart your pc

After that restart
Open a command prompt (start run type cmd press enter) type
sc delete "se500mdmd"
press enter, type exit and press enter to exit the command prompt
Did yiu see a succeed message ?

Run smithfraudfix again and choose option 2 fix, (no need for safe mode )

Post a fresh hijackthis log

HOLSMAN
2006-06-08, 09:54
I AM GOING TO BED IT'S 1:45 AM IN CHICAGO AND WILL CONTINUE IN THE MORNING
WILL " sc delete "se500mdmd"" DELETE THE FILE AFTER IT IS RENAMED?
ALSO, SHOULD'T I BE DELETING THE OTHER ONE TOO?

SEE YOU IN THE MORNING, MY MORNING, THAT IS!

THANKS FOR YOUR HELP SO FAR. IT IS VERY COMFORTING THE WAY YOU GUYS HANDLE THINGS - VERY CLEAR AND THOROUGH !

HOLSMAN
2006-06-08, 17:50
Last night, before a cold shutdown, I deleted Autodesk's Composer, which had expired, and made the stupid mistake of downloading a new bundle that included it and two other app (one of which said it couldn't install so I aborted and only installed the new instance of Composer-1 of the 3 -which works fine), but..............
This morning, upon cold booting, I ran into a rash of problems:
1. NT AUTHORITY SYSTEM warnings (twice) #1073741819 for WINNT\SYSTEM\32 SERVICES
2. OUTLOOK SERIOUS ADD-IN ERROR, C:\PROGRAMS\GOOGLE\GOOGLEDESKTOP SEARCH\GOOGLE DESKTOP OFFICE.DLL after which Outlook would not run at all -to review your last instruction.
3. So tried Outlook in safe mode, but would not update mail from net.
4. Then got 2 more ACSTART16.3XE FAILED messages #0xc0000005 and cleared them, but
5. windows then froze & would not even open control panel or close thru start, so cold re-booted
6. Then got SERVICES AND CONTROLLER APP - PROGRAM CLOSING
7, froze again so
8. rebooted cold to Safe Mode and did System Restore to point just before the Autodesk Composer changes listed above

So, now I see that all the logs that I sent you last night (blacklite and smithfraud) are still in my C folders but the smitfraud zip and unzip folders are NO LONGER on my desktop, so

Should I go back and re-do any or all of the blacklite, smitfraud and/or Look2me stuff again and send new logs that might show what happened last night, BEFORE following your last instructions for renaming and re-doing ? or should I just proceed where we left off anyway? (i.e. are the logs I sent current enough or did my overnight screw up change things for your plan for saving my b-tt ?)
Please advise. I am downloading and unzipping look2me to my desktop again and awaiting your advice before re-running anything, or continuing.

thanks so much for putting up with my mess!

HOLSMAN
2006-06-08, 17:56
My mistake, my smithfraud unzip and folder with the prior rapport.txt WAS still on my desktop - just moved by the restore!
Prior question still stands: Re-do prior steps before this morning's rash of errors, boot problems and system restore, BEFORE the cmd and redo ? or just keep going.? (sorry)

LonnyRJones
2006-06-08, 18:13
Go ahead and repeat the steps in my last post
Post a hijackthis log afterwards

HOLSMAN
2006-06-08, 19:02
I keep getting McAfee trojan cleaned messages followed by recommendations to run McAfee Virus scan.
Will this interfere with your procedure for cleaning me of the aftermath of Spy Sherrif, or should I go ahead and scan before we are done?

HOLSMAN
2006-06-08, 19:13
I assume you mean repeat your post BEFORE the last one (noted below), with the black lite, smithfraud and hyjackthis instructions, again, WITHOUT changing anything! as per your post. and THEN wait for you to have me do the cmd thing after you view the logs (??)

Yes or no will do.

"Old Yesterday, 23:27 #15
LonnyRJones
Member of Team Spybot
LonnyRJones's Avatar"

LonnyRJones
2006-06-08, 19:28
Lets try it this way

Disconnect from the internet, turn off mcafees' resident protection, that will be in the programs options.

Run blacklite again scan then have it rename those two files (if they are still there)
let blacklite restart your pc

After that restart
Open a command prompt (start run type cmd press enter) type
sc delete "se500mdmd"
press enter, type exit and press enter to exit the command prompt
Did yiu see a succeed message ?

Run smithfraudfix again and choose option 2 fix, (no need for safe mode )

Do a full scan with mcafee let it deal with anything found, then turn on its resident (active) protection

Post a fresh hijackthis log

HOLSMAN
2006-06-08, 20:44
OK.

I am just pulling the desktop's plug from my broadband router but since my wireless router is still connected to my broadband modem, when I am done with your routine and my desktop still offline, I can pick up your emails and visit your site using my wireless laptop (which has McAfee but seems to be working.

Thanks for your patience.

your patient patient,

Holsman.

HOLSMAN
2006-06-09, 01:08
After disconnecting from internet and turning off Mcafee resident, I ran Blacklite twice (log files below) and had it rename each of two files and let it restart. Then I ran sc delete “se500mdmd” and got “success” with message “registry cleaning, system received file services error” but windows started to run disk cleanup at the same time so I canceled it and got “cannot access file used by another DF4FC3 and then a blue screen, memory dump. So I ran blacklite again, stopped disk cleanup and then it said registry cleaned.

Then I ran smithfraudfix with option 2 (no safe mode) and got Mcafee “suspicious script”, which I allowed, after which smithfraud said “ JoeDanger NOT involved etc…” and then log, which I saved (having to cancel disk cleanup while smithfraud was still going, each time, bothered me a little) Then I did a full Mcafee scan and it came up with three items:
1. “smithfraudfix.zip” PUP (which I quarantined)
2. “smithfraudfix\process.exe” PUP (which I deleted) , and
3. “WINNT\system32\se500mdmd.sys.ren” Trojan (which I quarantined)
I think I may have entered sc delete “sc500mdmd” instead or se500, because otherwise Mcafee would not have found it as a .ren file, but I think it’s gone either way. RIGHT ??

So below are the last blacklilte log, the last smithfraudfix log and the final hijackthis logs.

06/08/06 12:56:06 [Info]: BlackLight Engine 1.0.37 initialized
06/08/06 12:56:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/08/06 12:56:06 [Note]: 7019 4
06/08/06 12:56:06 [Note]: 7005 0
06/08/06 12:56:11 [Note]: 7006 0
06/08/06 12:56:11 [Note]: 7011 296
06/08/06 12:56:12 [Note]: 7026 0
06/08/06 12:56:12 [Note]: 7026 0
06/08/06 12:56:25 [Note]: FSRAW library version 1.7.1015
06/08/06 12:58:19 [Info]: Hidden file: c:\WINNT\system32\se500mdm.dll
06/08/06 12:58:19 [Note]: 10002 1
06/08/06 12:58:19 [Info]: Hidden file: c:\WINNT\system32\se500mdmd.sys
06/08/06 12:58:19 [Note]: 10002 1
06/08/06 13:05:59 [Note]: 7007 0

SmitFraudFix v2.55
Scan done at 13:17:25.68, Thu 06/08/2006
Run from C:\Documents and Settings\J.Peter Holsman\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 4:43:53 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINNT\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\explorer.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\NEW DOWNLOADS\Spybot and Panda\safer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://construction.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

By the way, what’s teatime and do I need it?
And, do I need to tell Comcast to take of the block on my outgoing email or will their system detect that I am clean -assuming I am clean ?

LonnyRJones
2006-06-09, 04:14
Do any files show if you run blackilite now ?

Start Hijackthis and place a check next to these items If there.
O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
Optional fix >
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tea timer is SpyBots resident or active protection for spyware, we turned it off earlyer in your thread so it would not interfear. leave it off for now.

Update suns java manualy
Sun Java V1.5.0_07 is Available:
http://forums.spybot.info/showthread.php?t=2559

Provided no files show in a blacklite scan You should be safe telling comcast
to unblock your email services
Post another hijackthis log, mention any current problems

HOLSMAN
2006-06-09, 17:21
blacklite shows no hidden files!
Proceeding with next step

HOLSMAN
2006-06-09, 17:28
I found all three of the following files in hyjackhthis, checked them, fixed them and rebooted.

LonnyRJones
2006-06-09, 18:08
Good

Im not sure why there was errors with acstart16.exe, if it happens again you might have to reinstall or repair install autocad

Let us know of any problems over the next few days, in the meantime Another online scan is a good idea

Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
select all drives, scan, Try to cure/repair, if it cannot choose delete! If it cannot delete tell us the files names and locations.

HOLSMAN
2006-06-09, 18:17
THE FILES FIXED BY HIJACK WERE THE SAME EXACT ONES YOU LISTED, I.E:
O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing) Optional fix >
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE

(except that 021 did not say "OPTIONAL FIX" at the end. I assume that was your comment)


THIS MICROSOFT ERROR REPORT POPPED UP AFTER THE LAST RESTART:
BCCode : c2 BCP1 : 00000007 BCP2 : 00000CD4 BCP3 : 852957B0
BCP4 : 86822228 OSVer : 5_1_2600 SP : 2_0 Product : 256_1
WITH THESE DETAILS:
C:\DOCUME~1\J67DB~1.PET\LOCALS~1\Temp\WERb61b.dir00\Mini060906-01.dmp
C:\DOCUME~1\J67DB~1.PET\LOCALS~1\Temp\WERb61b.dir00\sysdata.xml


MCAFEE RESIDENT VIRUS SCAN WAS TURNED OFF (BLACK ICON IN TRAY) SO I TURNED IT ON AND SO FAR IT HAS STAYED ON!.

SHOULD I PUT SPYBOT'S TEATIMER BACK ON ? PLEASE WALK ME BACK THRU IT?

WHAT'S NEXT AFTER THAT ?

I AM STARTING TO FEEL A SIGH OF RELIEF COMMING ON!




HERE'S THE LAST HIJACK LOG

Logfile of HijackThis v1.99.1
Scan saved at 9:56:45 AM, on 6/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ctfmon.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\NEW DOWNLOADS\Spybot and Panda\HijackThis scan & logs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://construction.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

HOLSMAN
2006-06-09, 18:33
THREE FOLLOW UP QUESTIONS:

1. Do I need to reset, or set a new restore point in XP?

2. Should I use Panda, Look2me, Blacklite, Smithfraudfix or hyjackthis, to scan my internal backup HD on my desktop, my external Firewire drive (redundant backup) and/or my two flash memory sticks (all data only) in case they might also be infected and might re-infect my C drive? If so, how do I do that. I normally backup either using Second Copy or manually cutting and pastingr, but have not backed up any data, since the Spy sheriff incident..

3. Does my wireless router (for my laptop and my grown kids’laptops) that is plugged into one of the four ports on my broadband router (plus computer, and two VOIP units) protect my laptop to any greater extent than is provided by the direct computer connection to the broadband router (dynamic IPs etc, etc) ? If so, perhaps I should either plug my desktop connection into one of the ports on my wireless router, or, get a wireless card for my desktop computer and access the net only through that? Would that help?

4. Should I call Comcast now and get the block removed?

5. HOw long does our thread stay on your site or should I copy it all to a WORD file for later review?

Is is soup yet??

HOLSMAN
2006-06-09, 20:29
I followed your link to administrator, then support and found the following: Should I open all the links, one at a time? Should I delete Java from Control panel/add/delete programs first?

I did a final panda Scan shows "112 detected spyware" Report included below, but they all look like just cookies. This is OK isn't it? Panda just calls cookies spyware, right? Doesn't mean anything bad, right?

(Now I will do a CA scan and send results to you after following you instructions)


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.hitbox.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.zedo.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.go.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.centrport.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.microsoftwga.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.xiti.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.xmts.net/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[c.enhance.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[c.goclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[hc2.humanclick.com/hc/51325817]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/41409448]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/42435556]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/LPservicemagic]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.adtech.de/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected

HOLSMAN
2006-06-09, 20:36
and more of the final Panda report:

C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.centrport.net/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.rn11.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.target.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[c.enhance.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[c.goclick.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/11501984]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/4268343]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/78893611]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/LPservicemagic]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[www.web-stat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@ad.yieldmanager[1].txt

HOLSMAN
2006-06-09, 20:37
and the balance of the final panda report :

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@ads.pointroll[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@atwola[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@centrport[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@questionmarket[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@searchportal.information[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@tradedoubler[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@xiti[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@zedo[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Techsupport\Cookies\techsupport@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Techsupport\Cookies\techsupport@doubleclick[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Techsupport\Cookies\techsupport@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Techsupport\Cookies\techsupport@doubleclick[1].txt
Spyware:Cookie/Bfast Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\ad@bfast[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\ad@realmedia[1].txt
Spyware:Cookie/Bfast Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@bfast[2].txt
Spyware:Cookie/CentrPort Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@centrport[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@adtech[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@ehg-ati.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@hitbox[2].txt
Spyware:Cookie/HotLog Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@hotlog[1].txt
Spyware:Cookie/QuestionMarket Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@questionmarket[1].txt

HOLSMAN
2006-06-09, 20:57
While CA AV web scan was running, I tried to change the XP updates, in control panel, from "automatic install, to automatic download but notify me to install" and then this popped up:

"Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience"

Then the web scan was gone. Did I screw up by not waiting or is this something new and important? I am starting the CA web scan again and leaving everything alone until finished.

LonnyRJones
2006-06-09, 21:12
Those are all just cookies, nothing to worry about, but it would be a good idea to clear then via you browsers options.


1. Do I need to reset, or set a new restore point in XP?
Generally once we cleanup and your PC is still stable for a few days we suggest deleting windows restore point's reboot and enable system restore.


2. Should I use Panda, Look2me, Blacklite, Smithfraudfix or hyjackthis, to scan my internal backup HD on my desktop, my external Firewire drive (redundant backup) and/or my two flash memory sticks (all data only) in case they might also be infected and might re-infect my C drive? If so, how do I do that. I normally backup either using Second Copy or manually cutting and pastingr, but have not backed up any data, since the Spy sheriff incident..
Your backups are likely to be infected, id delete them and make new ones.
that is if you have backed up more than just paperwork.


3. Does my wireless router (for my laptop and my grown kids’laptops) that is plugged into one of the four ports on my broadband router (plus computer, and two VOIP units) protect my laptop to any greater extent than is provided by the direct computer connection to the broadband router (dynamic IPs etc, etc) ? If so, perhaps I should either plug my desktop connection into one of the ports on my wireless router, or, get a wireless card for my desktop computer and access the net only through that? Would that help?
By all means plug your pc into the router, thats what it is for.


4. Should I call Comcast now and get the block removed?
I had already suggest that :)


5. HOw long does our thread stay on your site or should I copy it all to a WORD file for later review?

we archive them when solved, we dont delete, it will still be in the forum.


Is is soup yet?? :)


"Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience"
Dont worry about that unless it happens regularly.

HOLSMAN
2006-06-10, 00:06
I have tried running the CA virus program: http://www3.ca.com/virusinfo/virusscan.aspx
thru IE three times, with all my power options set to "never" but when I come back in and hour, my machine is in standby anyway, and etrust is "not responding" and terminates. Is there a particular signature download file on their website that I should download and run from a folder - I read them but I am not comfortable with the choices.

HOLSMAN
2006-06-10, 01:09
Shouldn't I turn Spybot's tea timer back on to block future spyware? I started to do it but as soon as I checked the box that you had me un-check before, I got a Spybot message that was trying to change the case of the mcafee file and then a series of "registry change denied" messages, so I unchecked it before accepting or closing. what does that mean? Is the Mcafee program infected ?????????????
confused !

LonnyRJones
2006-06-10, 04:36
Hi

Well how about checking your pc out every fiveteen minutes or so while you get that online scan ?

Turn off Tea Timer if its on (right-click its icon in the tray area near the windows clock and choose exit) and close SpyBot if open. Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat.
Turn Tea timer back on again via SpyBots tools resident page.

BUT first befire turning it back on you should read SpyBots help file about tea timer and information found here
http://forums.spybot.info/showthread.php?t=281

HOLSMAN
2006-06-10, 18:33
Do I detect a slight loss of interest, or are you just enjoying the weekend? PLease stick with me, as I have pledged to follow thru with you, like the forum rules say "noting worse for you than for us to "bail" near the end").

By the way, Comcast isn't turning off my block, they just keep sending me their original block notification and "since you're still having problems" notices every time I send a direct web mail message telling them you have cleaned me and asking to be unblocked. Oh well, I'll wait til Monday.

Per my prior post, I checked and then immediately unchecked the tea timer box before hitting ok/apply (that's when the spybot message that tried changing mcafee filename case popped up) so I assume Tea Timer was still off from when you first had me uncheck it.
But, since we never ran resetteatimer.bat before, I went ahead and did it just now. Was that OK? (see log below, if you need to. Also I AM reading the spybot 4 level summary but frankly I don't understand enough about references to make a wise choice. I am going to do the Java uninstall, reinstall now, also.)

LOG FROM SAT 06 10 06 10 AM:

@echo off

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\Snapshots\*.*
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\logs\resident.log
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe

exit
:win

deltree /y %WINDIR%\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\applic~1\spybot~1\logs\resident.log
del %WINDIR%\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyWhite.sbe

LonnyRJones
2006-06-10, 19:35
Thats the contents of the batch file it did not run
either you didnt save it correctly or assosiations are messed up

Use the INF file mentioned here
Symantec Security Response - Tool to reset shellopencommand registry keys: http://www.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html

then run resetteatimer.bat again

HOLSMAN
2006-06-10, 23:39
So, I did that and then reset Tea Timer in Syybot.

Now I can't remember wher we are, except that CA's web scan does freezes even when I am monitoring it every 10 minutes with no other activity going on.

WOuld Panda be just as good?? or what?

HOLSMAN
2006-06-11, 00:17
So I ran spybot and here is the results log, mostly cookies but including two HKEY entries, should I "fix"all or just the two or what? (remember right after I uninstalled all Java updates from control pane, then re-installed Java Runtime from their web site, and then followed Comcast's last instructions (below) to delete all internet temp files as follows (they said sometimes it doesn't work from the browser menu ??):

"1. Close all Internet Explorer windows you have open
2. Click on Start (If you are using a version of window other than XP, you will need to click on Settings after Start, to see the Control Panel Option.) 3. Select Control Panel 4. Double click on Internet Options 5. On the General Tab click on the Settings Button 6. Click on View Files 7. Select the Edit Option in the toolbar at the top of the page 8. Click on Select All 9. Press the Delete key on your keyboard 10. You will get a box asking if you if you want to delete all the selected files 11. Click on Yes on this box 12. Close the Temporary Internet Files Window you have open 13. Click Ok 14. Close the Control Panel"

So what do you think I should do about the Spybot report and the "final" web scan difficulty?

LonnyRJones
2006-06-11, 06:42
There are lots of places to get free online scans, several are mentioned in our sticky topics.

BY all means fix all items found with SpyBot

I think you can handle whatever pops up from here on out

HOLSMAN
2006-06-11, 16:35
I hope you are right. Sometimes I sound smarter than I am, and then I forget what I did, or find out later that I didn't realize what I did or why and proceeded in a way that made it seem like I understood better than I really did - like, for instance: -, will I really understand what to do in the future ater I study the Spybot tutorials or will it be over my head? My only comfort is knowing that your forum :angel: will always be there for us - I hope.

Anyway, I cannot adaquately express my appreciation for all your effective help, except to say thank you, and with out your dedication and perservenance and patience, I would not be getting back to business at this point. Your fourm is fantastic and your performance on their behalf was outstanding. As soon as I get my new retirement business up and running smoothly, I will come back and make a donation to the cause. :bigthumb:

Please pass this on to your leaders.

Thanks again, I hope you are reaching your goals in life and are having a great time working at them. :crowned:

J. Peter Holsman :D

LonnyRJones
2006-06-15, 10:46
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.