1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HJT log file ... FOR COOKIEGAL

Discussion in 'Virus & Other Malware Removal' started by kimberlydeni, Aug 1, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    :confused: many registry items missing.. a couple of startups missing... fake threat notices such as [email protected] virus infecting exe.extensions ; PEST TRAP ( isnt this a spyware itself )is redirecting startup programs ... this comes from the address :www.syssecuritysite.net ... unsure ... but pretty sure he downloaded mal ad ware... also getting system alert ballon (bottom right icons) sayin somethin about OHPE 4.12_23 ... here's the file ... MAN ITS GOOD TO CATCH YOU ONLINE ... THANKS !!!
    we'll have to visit later ... you saved my PC !!!::p
    also i'm not too savy w/ this 2000 pro edition ... its a bit different than my home XP ...
    all help is more than appreciated !!!

    Logfile of HijackThis v1.99.1
    Scan saved at 3:14:21 PM, on 8/1/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\zstatus.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\IntCodec\isamonitor.exe
    C:\Program Files\IntCodec\pmsngr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DriveCleaner 2006 Free\UDC2006.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\IntCodec\pmmon.exe
    C:\Program Files\IntCodec\isamini.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\PC MightyMax\pcmm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINNT\system32\hp650.tmp (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll (file missing)
    O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Protection Bar - {d1ac752e-883f-4ed8-8828-b618c3a72152} - C:\Program Files\IntCodec\iesplugin.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DriveCleaner 2006 Free] "C:\Program Files\DriveCleaner 2006 Free\UDC2006.exe" /min
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
    O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
    O4 - HKCU\..\Run: [WinAdBlocker 2005 Trial] C:\Program Files\WinAdBlocker 2005 Trial\winab.exe /min
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} (First American File Control) - http://www.leadstoloans.com/activex/fafile.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} (First American Print Control) - http://www.leadstoloans.com/activex/faprint.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} (First American Grid Control) - http://www.leadstoloans.com/activex/fagrid.dll
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ctmfunding.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{776CAF97-2AE0-427B-B1AE-72DE75C79DAF}: NameServer = 192.168.1.50
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ctmfunding.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ctmfunding.local
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O21 - SSODL: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - C:\WINNT\system32\mzoeut.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,042
    Please download SmitfraudFix (by S!Ri)

    Extract (unzip) the content (a folder named SmitfraudFix) to your Desktop. This is imperative for the tool to function properly. If using a utility such as winzip you will have to direct it there as it will not unzip to the desktop by default. The desination location should look like this (C: being your primary drive): C:\Documents and Settings\User\Desktop\SmitfraudFix

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,042
    Do you mind if I take this one Mike? She PMd me for help and I told her to post the log. ;)
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go right ahead!
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,042
    Thanks. ;)
     
  6. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    winzip is asking if i want to add C:\documentsandsettings\cmoore.CTMFUNDING\DESKTOP to my favorite winzip files ... Do I ? also it seems to be an unregistered copy of winzip for evaluation only ... will it work ?
     
  7. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    FYI ... this is the name of his company in the previous directory name ... he is out of town & unreachable so i cannot inquire re: files
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,042
    No do not add it and yes it will work. :)
     
  9. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    SmitFraudFix v2.78

    Scan done at 16:22:21.88, Tue 08/01/2006
    Run from C:\unzipped\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» U:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

    C:\WINNT\system32\ld???.tmp FOUND !
    C:\WINNT\system32\ld????.tmp FOUND !
    C:\WINNT\system32\mzoeut.dll FOUND !
    C:\WINNT\system32\ncompat.tlb FOUND !
    C:\WINNT\system32\ot.ico FOUND !
    C:\WINNT\system32\regperf.exe FOUND !
    C:\WINNT\system32\stdole3.tlb FOUND !
    C:\WINNT\system32\ts.ico FOUND !
    C:\WINNT\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\cmoore.CTMFUNDING\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\CMOORE~2.CTM\STARTM~1\Programs\PestTrap FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CMOORE~2.CTM\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\CMOORE~2.CTM\Desktop\PestTrap.lnk FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\IntCodec\ FOUND !
    C:\Program Files\Media-Codec\ FOUND !
    C:\Program Files\PestTrap\ FOUND !
    C:\Program Files\Security Toolbar\ FOUND !
    C:\Program Files\SpyQuake2.com\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}"="Security Update"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    oops --- i added it it before ya responded :) actually i tried it without adding it ... and it did some wierd stuff so i backed out and added it . although i just ran into Mikes post saying to run in Safe Mode ... did i do it wrong ???
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,042
    No, Mike was going directly to the next step which we will do now.

    It's not a problem that you added the winzip file to your favourites.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  12. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    OK ... I am in safe mode on that CPU ... am now on another one ( yes .. networked ) ... because ,,, it wont accept any of the users or passwords after CTL/ALT/DEL function for protection of passwords. WHAT NOW ??? :rolleyes:
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,042
    Do you mean you can't boot back into normal mode?
     
  14. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    i havent even done option 2 ... as i cannot sign on ! It will not accept any of the 3 users or passwords who should have access to make these changes.
     
  15. kimberlydeni

    kimberlydeni Thread Starter

    Joined:
    Jul 17, 2005
    Messages:
    55
    would it be prudent to attempt sign on in normal mode ? would the repair process be affected ... or reoccur ... had it not been run in a protected mode ?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/488526

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice