Please help me look smart :)
I made the mistake of opening my big mouth about getting bad things off my computer (thanks a lot for telling me how to do that), and now a friend is convinced I can work magic on his office computers. I have no idea how they've managed to get this stuff on here, but these computers are a mess. I ran Ad-Aware and grabbed a couple hundred items. Ran Spybot and grabbed a couple hundred more. Their VShield seems to have kept some stuff away, as Panda ActiveScan didn't turn up anything. CWShredder and Stinger also came up empty-handed. This thing has toolbars and redirects galore though. Worse still, I know even less about Windows 2000 than I do about Windows XP (which the marsupial mod will attest is next to nothing). Help would be greatly appreciated. I can spot a few things in the HJT log that definitely need fixing, but others look either critical to the system or evil. Seems like something I shouldn't guess on if I want my friend to dogsit for me in a month. Here's the log. Thanks for all the help in the past and hopefully in the future.
Logfile of HijackThis v1.98.2
Scan saved at 1:48:58 PM, on 9/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
c:\progra~1\intern~1\iexplore.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\fchohqz.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\HJT\hijackthis1982.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsymdzydllscvrdhmt.com/2s...hCTEyRTDI.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xmjmhkljyajrbmywg.uk/2sM8...wslFqalXg.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O2 - BHO: (no name) - {ADEA1E6D-5D80-D80F-A870-0070D2224802} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iso wma] C:\PROGRA~1\BOLDDE~1\meta regs chin.exe
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
O4 - HKLM\..\Run: [Corn view dumb start] C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW\spam software.exe
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.1040.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
First of all, could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert; do so and reboot when done. If not listed there, run this uninstaller:
http://members.rogers.com/rjmac/new_uninstall.exe
Reboot into safe mode following the instructions here, close all (browser) windows, and rescan with HijackThis. When the scan is finished, place a check in the box to the left of the following entries and click 'fix checked':
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsymdzydllscvrdhmt.com/2...1hCTEyRTDI.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xmjmhkljyajrbmywg.uk/2sM...PwslFqalXg.html
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O2 - BHO: (no name) - {ADEA1E6D-5D80-D80F-A870-0070D2224802} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O4 - HKLM\..\Run: [iso wma] C:\PROGRA~1\BOLDDE~1\meta regs chin.exe
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
O4 - HKLM\..\Run: [Corn view dumb start] C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW\spam software.exe
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe
Find and delete the following manually:
C:\PROGRA~1\TIMEIN~1 (folder)
C:\PROGRA~1\BOLDDE~1 (folder)
C:\Documents and Settings\All Users\Application Data\readme2kindbold (folder)
C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW (folder)
c:\winnt\180solutions (folder)
C:\WINNT\fchohqz.exe (file)
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Reboot normally after doing the above, then post a fresh log please.
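As an added example (not from the thread and not HijackThis's own logic), here is a small Python triage of the R0/R1, O2 and O4 lines from this log. The known-good host list, the %WINDIR% location and the unquoted-path rule are constructed heuristics chosen to reproduce the entries the reply marks for 'fix checked'; the sample lines are copied from the posted log.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

KNOWN_GOOD_HOSTS = {"smbusiness.dellnet.com"}  # the Dell OEM default page seen in this log
WINDIR = "c:\\winnt"  # Windows 2000 layout; c:\windows on XP
URL_RE = re.compile(r"^R[01] - .+ = (?P<url>\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")

# Sample lines copied from the thread's log: legitimate and hijacked entries mixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsymdzydllscvrdhmt.com/2s...hCTEyRTDI.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe
"""

def command_path(cmd: str) -> tuple[str, bool]:
    """Return (executable path, was_quoted) for a Run value such as '"x.exe" /arg'."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)], True
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", cmd)
    return (m.group(1) if m else cmd.split(" ", 1)[0]), False

def under(path: str, root: str) -> bool:
    return path.lower().startswith(root + "\\")

def is_suspicious(line: str) -> bool:
    """Constructed heuristics reproducing the helper's 'fix checked' picks; not HijackThis logic."""
    if m := URL_RE.match(line):  # start/search page pointing at an unexpected host
        return urlsplit(m["url"]).hostname not in KNOWN_GOOD_HOSTS
    if m := BHO_RE.match(line):  # a BHO that is not a DLL, or a DLL dropped straight into %WINDIR%
        parent, _, name = m["path"].rpartition("\\")
        return not name.lower().endswith(".dll") or parent.lower() == WINDIR
    if m := RUN_RE.match(line):  # unquoted path with spaces, or a binary in %WINDIR% outside System32
        path, quoted = command_path(m["cmd"])
        in_windir = under(path, WINDIR) and not under(path, WINDIR + "\\system32")
        return (" " in path and not quoted) or in_windir
    return False

def triage(log: str = SAMPLE_LOG) -> list[str]:
    """Return the lines an analyst should review before ticking them in HijackThis."""
    return [ln.strip() for ln in log.splitlines() if is_suspicious(ln.strip())]
```

The output is a review list, not an automatic fix list: a flagged entry still needs a look at the file itself before it is removed.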