Solved: Slapped down by SpySheriff and paytime


TBird23 (Thread Starter) | Joined: Dec 28, 2005 | Messages: 17

Hello and thanks for hosting this forum.

I just got redirected into something that put spysheriff and paytime on my PC. I have not restarted or rebooted, so symptoms are minor at this point. I had the little red X in the sys tray that kept prompting me that I had spyware, but avoided it knowing it was bogus. I killed paytime.exe in the task manager once I saw that. My only other symptom is that McAfee scan will not run.

I have downloaded Hijack This and killbox, but have not scanned or run anything yet. I am grateful for your guidance and stand at the ready.

Thanks,

Patrick
 

TBird23 (Thread Starter) | Joined: Dec 28, 2005 | Messages: 17

Went ahead and ran HJT . . . here's the initial log:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:30 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=search&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=search&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = picis.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = picis.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
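
A triage pass over the log above, as an added example that is not part of the original thread and is not HijackThis's own logic: it parses the R0/R1 and O4 lines and lists the entries worth a closer look. The two heuristics (a browser page set to a file in a drive root; an autostart executable in a drive root or directly in system32) and all function names are assumptions chosen for this log, and a hit means "review", not a verdict.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional

# Excerpt of the first HijackThis log posted in this thread (embedded so the
# example runs offline).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "R0" or "O4"
    name: str     # registry value name or Run entry name
    target: str   # file the entry points at
    reason: str   # which heuristic fired


# "<code> - <body>" is the shape of every entry line in the log.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# R0/R1 body: "<hive>\<key>,<value name> = <data>"
R_RE = re.compile(r"^HK\w+\\[^,]+,([^=]+?) = (.*)$")
# O4 body: "<hive>\..\<Run key>: [<entry name>] <command line>"
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]+)\] (.+)$")
# Executable part of a command line: quoted path, or text up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)
# A file sitting directly in a drive root, e.g. c:\secure32.html
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)

# Assumption: these IE value names are the ones that should hold a page location.
PAGE_VALUES = {"Start Page", "Default_Page_URL", "Local Page", "Search Page"}


def run_target(cmd: str) -> Optional[str]:
    """Return the executable path from a Run command line, without arguments."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(log: str) -> List[Finding]:
    """List R0/R1 and O4 entries that match the review heuristics."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header, process list or blank line
        section, body = entry.groups()

        if section in ("R0", "R1"):
            r = R_RE.match(body)
            if not r:
                continue
            name, data = r.group(1), r.group(2).strip()
            if name in PAGE_VALUES and ROOT_FILE_RE.match(data):
                findings.append(Finding(section, name, data,
                                        "browser page set to a file in a drive root"))

        elif section == "O4":
            o = O4_RE.match(body)
            if not o:
                continue
            target = run_target(o.group(2))
            if target is None:
                continue
            folder = ntpath.dirname(target).lower()
            if ROOT_FILE_RE.match(target):
                reason = "autostart executable sits in a drive root"
            elif folder.endswith("\\system32"):
                reason = "autostart executable sits directly in system32"
            else:
                continue  # bare names and Program Files paths are not flagged
            findings.append(Finding(section, o.group(1), target, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.name:<18} {f.target:<34} {f.reason}")
```
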
 

Cheeseball81 (Retired Moderator) | Joined: Mar 3, 2004 | Messages: 84,315

Welcome to TSG :)

* Click here to download smitRem.exe.
  • Save the file to your desktop.
  • It is a self-extracting file.
  • Double-click smitRem.exe and it will extract the files to a smitRem folder on your desktop.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido.
  • It will prompt you to update; click the OK button and it will go to the main screen.
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJack This log along with the results from ActiveScan and the Ewido scan and post the contents of the smitfiles.txt.
 

TBird23 (Thread Starter) | Joined: Dec 28, 2005 | Messages: 17

Thanks, Cheeseballs - and love the Family Guy quote.

Here is the Active Scan log:
No viruses or other malicious software have been found!
Scan finished
249153 Files scanned D:\Recycled\desktop.ini
Scan report
To disinfect all threats, buy or try a recommended security product.
ActiveScan gives you a deep second opinion analysis of the security level of your PC.
Detected
Virus 0
Spyware 0
Hacking Tools 0
Dialers 0
Security Risks 0
Suspicious files 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the ewido log report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:38:39 PM, 12/28/2005
+ Report-Checksum: 2AB50C92

+ Scan result:

C:\WINDOWS\SYSTEM32\paytime.exe -> Hijacker.StartPage.agq : Cleaned with backup
C:\WINDOWS\soft.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\System Volume Information\_restore{8DB09F60-D6F3-4D52-9C78-B116C9C14EC5}\RP226\A0025635.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup

::Report End
~~~~~~~~~~~~~~~~~~~~~
Here is the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 9:07:58 AM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = picis.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = picis.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~

And here is smitfiles.txt

smitRem © log file
version 2.8
by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 12/28/2005
The current time is: 15:15:08.07

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpySheriff


~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~

shopping


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 732 'explorer.exe'
Killing PID 732 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)


~~~~~~~~~~~~~~~~~~~~~~~~~~~
At this point, I don't see any of the symptoms I had before - my systray has expected icons, no funky backgrounds or error messages and McAfee virus scan is working again. Sounds like I'm clean, but I appreciate your insight and confirmation. Thanks so much for the help and TSG donation on its way!
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Just a bit more to do. :)

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)


Boot into Safe Mode.

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

c:\secure32.html

Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the KillBox.

Also in Safe Mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

It's normal if some files don't delete!

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.
 

TBird23

Thread Starter
Joined
Dec 28, 2005
Messages
17
Done. Here is the HJT log. By the by, my wife's laptop got infected with SpySheriff very badly at work today. I'm in the midst of some of the earlier instructions (panda is running now and detected several problems). I'll post her stuff in a separate thread. Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 6:43:29 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = picis.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = picis.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
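
The before/after comparison that the helper does by eye on these logs can be scripted. This is an added example, not part of the original posts and not HijackThis's own code. The log excerpts are trimmed from this thread, the function names are hypothetical, and the local-path check is a heuristic.

```python
import re

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")  # HijackThis entry lines: "R0 - ...", "O18 - ..."

# Entries the helper asked to fix (copied from the post above).
FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
"""
# Trimmed excerpts of the 9:07 AM (before) and 6:43 PM (after) logs in this thread.
BEFORE = FIX + r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"""
AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"""

def parse_entries(log_text):
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def key(entry):
    """Comparison key. Windows paths are case-insensitive, and the two logs in this
    thread spell mcupdate.exe with different case, so fold case before comparing."""
    section, body = entry
    return (section, " ".join(body.split()).casefold())

def still_present(fix_list, after_log):
    """Entries from the fix list that survive in the follow-up log."""
    after = {key(e) for e in parse_entries(after_log)}
    return [e for e in parse_entries(fix_list) if key(e) in after]

def diff_logs(before_log, after_log):
    """Return (removed, added) entries between two scans."""
    before = {key(e): e for e in parse_entries(before_log)}
    after = {key(e): e for e in parse_entries(after_log)}
    removed = [before[k] for k in before if k not in after]
    added = [after[k] for k in after if k not in before]
    return removed, added

def local_file_pages(log_text):
    """Heuristic: R0/R1 browser-page values that are a local drive path, not a URL."""
    hits = []
    for section, body in parse_entries(log_text):
        name, sep, value = body.partition(" = ")
        if section in ("R0", "R1") and sep and re.match(r"^[a-z]:\\", value.strip(), re.I):
            hits.append((section, name, value.strip()))
    return hits

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("still present:", still_present(FIX, AFTER))
    print("removed:", len(removed), "added:", len(added))
    print("local-file pages before:", local_file_pages(BEFORE))
```

An empty `added` list matters as much as an empty `still_present` list: a new autostart or BHO entry appearing between scans would suggest the cleanup missed a component.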
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You're welcome :) This one is clean.

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the Thread Tools drop down menu.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Since this problem has been solved, I'm closing this thread. If you need it re-opened please PM me or one of the other Mods.

Anyone else with a similar problem please start a "New Thread".
 