spysheriff victim and mcafee virus

HOLSMAN

New member
First time on a forum. Have BB router between computer & Surfboard. Had McAfee virus turned off (idiot!) Accidentally loaded SpySheriff (twice the fool). Uninstalled McAfee thru Add/Remove. Loaded and ran updated Spybot. Cleaned all. Reinstalled McAfee virus thru IE (got "boom" and message that disappears before IE runs - use Firefox for everything except Webex). Got Spybot messages like "registry changed" (from lower to upper case, etc.), "change denied", etc. and IE (I use Firefox for most browsing). Got DOS removal tool from McAfee and ran it twice. Installed McAfee virus again (clean??) Ran Spybot again and cleaned. Still getting repeats of 3 new Spybot messages re registry changes that won't go away. Help!
 
follow up log & report

After rebooting, the Spybot reports stopped and everything seems OK, except that when I open IE I get the boom chord and "cannot find 'file ///c/:/secure32.html'", but then IE runs without my Google search bar, and then I tried resetting my web settings, but nothing changed. I prefer Firefox anyway, but am curious why the message.

Should I follow Calamity Jane's advice to clear out system restore points? (I have XP Pro with SP2)

Thanks for being our online angels.
 
SpySheriff got me,

MY COMPUTER IS NOW IN YOUR HANDS, O WISE ONE, PLEASE GIVE ME YOUR WISDOM AND ADVICE AND I WILL FOLLOW YOUR COUNSEL. COMCAST HAS NOW BLOCKED ALL MY OUTGOING EMAIL TO THE WORLD (DON'T BLAME THEM - ALTHOUGH IT DID ALL HAPPEN AFTER INSTALLING AND THEN INADVERTENTLY DISABLING "VIRUS")

HERE IS MY PANDA LOG FOLLOWED BY MY HIJACKTHIS LOG. THANK YOU FOR BEING THERE FOR US!

PANDA:

Incident Status Location

Adware:Adware/Secure32 Not disinfected C:\Program Files\nbak.exe
Adware:adware/secure32 Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.go.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.centrport.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.microsoftwga.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.xiti.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.xmts.net/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[ad.yieldmanager.com/]
 
Spysheriff Fix Logs 2 Of 4

Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[c.enhance.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[c.goclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[hc2.humanclick.com/hc/51325817]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/41409448]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/42435556]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\7lsb9xjd.Default User\cookies.txt[server.iad.liveperson.net/hc/LPservicemagic]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.adtech.de/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.centrport.net/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.rn11.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.target.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[c.enhance.com/]
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[c.goclick.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/11501984]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/4268343]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/78893611]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[server.iad.liveperson.net/hc/LPservicemagic]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[stat.onestat.com/]
 
SpySheriff Logs 3 Of 4

Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\J.Peter Holsman\Application Data\Mozilla\Firefox\Profiles\ejmezjvt.default\cookies.txt[www.web-stat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@ads.pointroll[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@atwola[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@centrport[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@questionmarket[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@searchportal.information[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@tradedoubler[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@xiti[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\J.Peter Holsman\Cookies\j.peter holsman@zedo[1].txt
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Desktop\VSCleanupTool.exe
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Local Settings\Temp\GLF100.EXE
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Local Settings\Temp\GLF7.EXE
Virus:Trj/Killwin.M Disinfected C:\Documents and Settings\J.Peter Holsman\Local Settings\Temp\GLFF.EXE
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Techsupport\Cookies\techsupport@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Techsupport\Cookies\techsupport@doubleclick[1].txt
Virus:Trj/Goldun.IR Disinfected C:\jjyvrdl.exe
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Techsupport\Cookies\techsupport@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Techsupport\Cookies\techsupport@doubleclick[1].txt
Spyware:Cookie/Bfast Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\ad@bfast[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\ad@realmedia[1].txt
Spyware:Cookie/Bfast Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@bfast[2].txt
Spyware:Cookie/CentrPort Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@centrport[1].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Jph\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@adtech[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@ehg-ati.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@hitbox[2].txt
Spyware:Cookie/HotLog Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@hotlog[1].txt
Spyware:Cookie/QuestionMarket Not disinfected F:\Jph\Documents and Settings\J. Peter Holsman\Cookies\jph@questionmarket[1].txt
 
SpySheriff Logs 4 Of 4 (all Of HijackThis Log)

HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 3:08:44 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\nbak.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\NEW DOWNLOADS\Spybot and Panda\safer\HijackThis.exe
C:\WINNT\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SysTray] C:\Program Files\nbak.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://construction.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: se500mdm - C:\WINNT\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
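The HijackThis log above is what the helper triages by eye. As an added example, not code from this thread or from HijackThis, the Python script below parses the log's "<tag> - <body>" line format and flags the three patterns visible in it: R0/R1 browser-page values that point at a local file (c:\secure32.html), an O4 Run entry whose executable sits directly in the Program Files root (nbak.exe), and autostart hooks marked "(file missing)". The sample lines are copied from the log with the Picasa line kept as a benign control, and the heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example (not code from this thread or from HijackThis): parses the
"<tag> - <body>" line format and flags three patterns seen in the log above.
The heuristics are this example's own assumptions, not HijackThis rules.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "R0", "O4", "O21"
    reason: str   # why the line was flagged
    line: str     # the original log line


# Every HijackThis entry starts with a section tag: "R1 - ...", "O4 - ...".
_SECTION_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A browser page value that is a local file (drive path or file: URL)
# instead of a web page or about:blank.
_LOCAL_FILE_RE = re.compile(r"^(?:[a-z]:\\|file:)", re.IGNORECASE)
# O4 Run entries look like: HKLM\..\Run: [Name] "C:\path\prog.exe" /args
_RUN_RE = re.compile(
    r'^\S+: \[(?P<name>[^\]]*)\] "?(?P<path>[a-z]:\\[^"]*?\.exe)"?', re.IGNORECASE
)
# An .exe dropped straight into the Program Files root, with no vendor folder.
_PROGRAM_FILES_ROOT_RE = re.compile(
    r"^[a-z]:\\program files\\[^\\]+\.exe$", re.IGNORECASE
)

# Constructed sample: lines copied from the 3:08 PM log in this thread, plus
# the Picasa line as a benign control that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\nbak.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
"""


def _check_browser_page(section, body, line):
    # Body looks like: HKCU\...\Main,Start Page = c:\secure32.html
    _, sep, value = body.partition(" = ")
    if sep and _LOCAL_FILE_RE.match(value.strip()):
        return Finding(section, "browser start/default page points at a local file", line)
    return None


def _check_run_entry(section, body, line):
    m = _RUN_RE.match(body)
    if m and _PROGRAM_FILES_ROOT_RE.match(m.group("path")):
        return Finding(section, "Run entry executes a file in the Program Files root", line)
    return None


def triage(log_text):
    """Return the list of Findings for a HijackThis log (or a fragment of one)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue  # headers, the running-process list, blank lines
        section, body = m.groups()
        f = None
        if line.endswith("(file missing)"):
            # Orphaned hook: the registry entry outlived the file it loads.
            f = Finding(section, "autostart entry references a missing file", line)
        elif section in ("R0", "R1"):
            f = _check_browser_page(section, body, line)
        elif section == "O4":
            f = _check_run_entry(section, body, line)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per reason, for a quick overview of a long log."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.line}")
```

Run the same script over the 11:16 PM log posted later in the thread: the R0/R1 lines still point at c:\secure32.html there, which shows they survived the Look2Me-Destroyer pass and remain to be dealt with.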
 
SpySheriff Infection. Requested Logs Completed

I Await Your Help. You Are My Last Hope. Thanks For Being There.
 
spysheriff problem, one more thing: some error messages during safe-mode search process

While following your directions (and before) I got the following error messages along the way:

" ACSTART16.EXE failed, OXcoooooo5" (not sure of zero count) - twice, with a low chime/boom sound!

"NT AUTHORITY SYSTEM SHUTDOWN" followed by freeze-up and had to cold boot.

and was still getting Spybot messages with a registry change noted in an identical filename with "mc...(something).exe" in caps then in lower case, followed by a yellow dialog popup saying "registry change denied"
 
Hello

Please disable SpybotSD TeaTimer for now.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode.
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and uncheck the box next to TeaTimer:
"Resident TeaTimer (protection of all-over system settings) active"
Close Spybot.
We will remind you to turn it on later.

Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/
After your PC has been restarted a log will open; post it along with a fresh HijackThis log.
 
spysheriff fix addendum events

I got this while following your prior directions for Panda and Spybot logs:

Spybot - Search & Destroy has detected an important registry entry that has been changed.
“Category: System Startup global entry
Change: Value Changed
Entry: MCUpdateExe
Old Data: C:\PROGRA*1\mcafee.com\agent\McUpdate.exe
New Data: c:\PROGRA*1\mcafee.com\agent\mcupdate.exe”

Then yellow popup window @ lower right = "20.02 registry change denied"


Then while awaiting your recent reply, I ran Spybot again, got more (fewer but similar) red items, fixed them again, ran Spybot again and while waiting for the second search, got the following:
“Category: Browser page
Change: Value changed
Entry: Local Page
(Oops. Hit Popup and got "22.05 registry change denied" before could transcribe Old and New data.), so,
Old Data: ??
New Data: ??”

Then when search #2 ended, got just one item left (which was before every time): “CoolWWWsearch.WCADW”
When I right clicked and started to “save to file”, a new spybot message showed up:
“Category: System Startup global entry
Change: Value Deleted
Entry: Sys Tray
Old Data: C:\program files\nbak.exe
New Data: (dimmed and empty)”

Then McAfee reported:
“Trojan found and Cleaned:
The file C:\program files\nbak.exe was infected by the StartPage –IH Trojan and has been deleted to complete the Clean process.”

Then “22:27 registry change denied”

fixed that and got:
Category: Browser page
Change: Value changed
Entry: Local Page
Old Data: C:\secure32.
New Data: about blank

Then “22:34 registry change denied”
Then the same again except for “Entry: default_Page_URL” etc
And “22:35 registry change denied”

Then the same again except for “Entry: Local Page”
And then “22:37 registry change denied”

Then same again except for “Entry: Default_Page_URL” again, but this time “New Data: about blank”

Then “22:39 registry change denied”

Then no more.

Should I have waited before running spybot again?
Should I have left McAfee active virus protection running?

"arrrrrgh!"
 
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 6/7/2006 11:05:14 PM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 11:16:11 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\NEW DOWNLOADS\Spybot and Panda\safer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\nbak.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://construction.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: se500mdm - C:\WINNT\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\PROGRA~1\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
 
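The HijackThis log above is what the helpers read by hand: the R0/R1 lines show every IE start/default/local page pointing at c:\secure32.html, the O4 [SysTray] line launches nbak.exe straight out of Program Files, and the O20/O21 lines carry the Winlogon Notify and orphaned SSODL entries. As an added example (not code from the thread, the helpers, or HijackThis itself), here is a small Python checker that parses lines in that format and flags those same kinds of entries; the Winlogon Notify allowlist and the sample lines are constructed for this demo.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis v1.99.1 lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SysTray] C:\Program Files\nbak.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O20 - Winlogon Notify: se500mdm - C:\WINNT\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINNT\system32\jclcmkhp.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Winlogon Notify packages present on a stock Windows XP SP2 install
# (assumption: a minimal allowlist for this demo, not an exhaustive one).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
LOCAL_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, reason) pairs for entries that warrant a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1") and " = " in rest:
            key, value = rest.rsplit(" = ", 1)
            # IE start/default pages normally hold URLs; a local .html file is the
            # classic SpySheriff/Smitfraud hijack. A stock "Local Page" legitimately
            # points at system32\blank.htm, so that one is not flagged.
            if LOCAL_PATH_RE.match(value) and not value.lower().endswith("blank.htm"):
                findings.append((sec, f"IE page value points at local file: {key} -> {value}"))
        elif sec == "O4":
            r = RUN_RE.match(rest)
            if r:
                exe = _exe_path(r.group("cmd"))
                parent = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
                # Legitimate software installs into its own folder; a bare .exe
                # dropped straight into Program Files or the drive root is unusual.
                if parent.endswith(":") or parent.endswith("program files"):
                    findings.append((sec, f"Run entry [{r.group('name')}] launches {exe}"))
        elif sec == "O20":
            n = NOTIFY_RE.match(rest)
            if n and n.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append((sec, f"unknown Winlogon Notify package {n.group('name')}: {n.group('path')}"))
        elif sec == "O21" and "(file missing)" in rest:
            # An SSODL entry whose DLL is gone is leftover autostart residue.
            findings.append((sec, f"orphaned ShellServiceObjectDelayLoad entry: {rest}"))
    return findings

if __name__ == "__main__":
    for section, reason in analyze(SAMPLE_LOG):
        print(section, reason)
```

Run against the sample it reports six entries: the three hijacked IE page values, the nbak.exe Run entry, the se500mdm Winlogon Notify package and the missing-file SSODL entry, while the IntelliPoint, ctfmon and WgaLogon lines pass.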
spy sheriff continued. Repeat new look2me and HiJackThis logs (sorry)
 
Post a report from this tool if any FILES show.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run BlackLight, click > scan, then > next, next again, then exit.
There will be a new txt file near BlackLight. Post it please.
Important: If any files show, do not rename them YET..... legitimate files can be listed.

Also:
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
 
spy sheriff continuing with requested blacklight log

blacklight log

06/08/06 00:18:56 [Info]: BlackLight Engine 1.0.37 initialized
06/08/06 00:18:56 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/08/06 00:18:56 [Note]: 7019 4
06/08/06 00:18:56 [Note]: 7005 0
06/08/06 00:19:24 [Note]: 7006 0
06/08/06 00:19:24 [Note]: 7011 1804
06/08/06 00:19:24 [Note]: 7026 0
06/08/06 00:19:24 [Note]: 7026 0
06/08/06 00:19:36 [Note]: FSRAW library version 1.7.1015
06/08/06 00:21:23 [Info]: Hidden file: c:\WINNT\system32\se500mdm.dll
06/08/06 00:21:23 [Note]: 10002 1
06/08/06 00:21:24 [Info]: Hidden file: c:\WINNT\system32\se500mdmd.sys
06/08/06 00:21:24 [Note]: 10002 1
06/08/06 00:32:57 [Note]: 7007 0
 
spy sheriff continuing with smitfraudfix log

I UNZIPPED THE FILE INTO MY RECEIVED FILES AND THEN CUT AND PASTED IT ONTO THE DESKTOP AND THEN RAN THE CMD FILE WHICH PUT THE RAPPORT.TXT FILE IN THE DESKTOP FOLDER. HERE IT IS.

SmitFraudFix v2.55

Scan done at 0:52:16.39, Thu 06/08/2006
Run from C:\Documents and Settings\J.Peter Holsman\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\J.Peter Holsman\Application Data

C:\Documents and Settings\J.Peter Holsman\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\J67DB~1.PET\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Thanks

Run BlackLight again, scan, then have it rename those two files.
Let BlackLight restart your PC.

After that restart
Open a command prompt (start run type cmd press enter) type
sc delete "se500mdmd"
press enter, type exit and press enter to exit the command prompt
Did you see a succeed message?

Run SmitfraudFix again and choose option 2 fix (no need for safe mode).

Post a fresh hijackthis log
 
Spysheriff Fix Continued

I AM GOING TO BED IT'S 1:45 AM IN CHICAGO AND WILL CONTINUE IN THE MORNING
WILL " sc delete "se500mdmd"" DELETE THE FILE AFTER IT IS RENAMED?
ALSO, SHOULD'T I BE DELETING THE OTHER ONE TOO?

SEE YOU IN THE MORNING, MY MORNING, THAT IS!

THANKS FOR YOUR HELP SO FAR. IT IS VERY COMFORTING THE WAY YOU GUYS HANDLE THINGS - VERY CLEAR AND THOROUGH !
 
spysheriff continuing with re-run of last measures- but first..

Last night, before a cold shutdown, I deleted Autodesk's Composer, which had expired, and made the stupid mistake of downloading a new bundle that included it and two other apps (one of which said it couldn't install, so I aborted and only installed the new instance of Composer, 1 of the 3, which works fine), but...
This morning, upon cold booting, I ran into a rash of problems:
1. NT AUTHORITY SYSTEM warnings (twice) #1073741819 for WINNT\SYSTEM\32 SERVICES
2. OUTLOOK SERIOUS ADD-IN ERROR, C:\PROGRAMS\GOOGLE\GOOGLEDESKTOP SEARCH\GOOGLE DESKTOP OFFICE.DLL, after which Outlook would not run at all - to review your last instruction.
3. So tried Outlook in safe mode, but would not update mail from net.
4. Then got 2 more ACSTART16.EXE FAILED messages #0xc0000005 and cleared them, but
5. Windows then froze & would not even open control panel or close thru start, so cold re-booted
6. Then got SERVICES AND CONTROLLER APP - PROGRAM CLOSING
7. Froze again, so
8. Rebooted cold to Safe Mode and did System Restore to point just before the Autodesk Composer changes listed above

So, now I see that all the logs that I sent you last night (BlackLight and SmitfraudFix) are still in my C folders, but the SmitfraudFix zip and unzipped folders are NO LONGER on my desktop, so

Should I go back and re-do any or all of the BlackLight, SmitfraudFix and/or Look2Me stuff again and send new logs that might show what happened last night, BEFORE following your last instructions for renaming and re-doing? Or should I just proceed where we left off anyway? (i.e. are the logs I sent current enough, or did my overnight screw-up change things for your plan for saving my b-tt?)
Please advise. I am downloading and unzipping look2me to my desktop again and awaiting your advice before re-running anything, or continuing.

thanks so much for putting up with my mess!
 