Sep 24th, 2004

Please help me look smart :)

I made the mistake of opening my big mouth about getting bad things off my computer (thanks a lot for telling me how to do that), and now a friend is convinced I can work magic on his office computers. I have no idea how they've managed to get this stuff on here, but these computers are a mess. I ran Ad-Aware and grabbed a couple hundred items. Ran Spybot and grabbed a couple hundred more. Their VShield seems to have kept some stuff away, as Panda ActiveScan didn't turn up anything. CWShredder and Stinger also came up empty-handed. This thing has toolbars and redirects galore though. Worse still, I know even less about Windows 2000 than I do about Windows XP (which the marsupial mod will attest is next to nothing). Help would be greatly appreciated. I can spot a few things in the HJT log that definitely need fixing, but others look either critical to the system or evil. Seems like something I shouldn't guess on if I want my friend to dogsit for me in a month. Here's the log. Thanks for all the help in the past and hopefully in the future.

Logfile of HijackThis v1.98.2
Scan saved at 1:48:58 PM, on 9/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
c:\progra~1\intern~1\iexplore.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\fchohqz.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\HJT\hijackthis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsymdzydllscvrdhmt.com/2s...hCTEyRTDI.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xmjmhkljyajrbmywg.uk/2sM8...wslFqalXg.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O2 - BHO: (no name) - {ADEA1E6D-5D80-D80F-A870-0070D2224802} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iso wma] C:\PROGRA~1\BOLDDE~1\meta regs chin.exe
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
O4 - HKLM\..\Run: [Corn view dumb start] C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW\spam software.exe
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.1040.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
Posted by mongoloido (Newbie Poster, 5 posts since Sep 2004)
Sep 25th, 2004

Re: Please help me look smart :)

First of all, could you click Start > Settings > Control Panel > Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert; do so and reboot when done. If none of them is listed there, run this uninstaller:
http://members.rogers.com/rjmac/new_uninstall.exe

Reboot into safe mode following the instructions here & close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsymdzydllscvrdhmt.com/2...1hCTEyRTDI.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xmjmhkljyajrbmywg.uk/2sM...PwslFqalXg.html

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O2 - BHO: (no name) - {ADEA1E6D-5D80-D80F-A870-0070D2224802} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe

O4 - HKLM\..\Run: [iso wma] C:\PROGRA~1\BOLDDE~1\meta regs chin.exe
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
O4 - HKLM\..\Run: [Corn view dumb start] C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW\spam software.exe
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe

Find & delete the following manually:

C:\PROGRA~1\TIMEIN~1 (folder)
C:\PROGRA~1\BOLDDE~1 (folder)
C:\Documents and Settings\All Users\Application Data\readme2kindbold (folder)
C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW (folder)
c:\winnt\180solutions (folder)

C:\WINNT\fchohqz.exe (file)

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to do that are here.

Reboot normally after doing the above then post a fresh log please.
Posted by crunchie, Moderator (Featured Poster, Most Valuable Poster; 12,165 posts since Feb 2004)
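As an added example (not part of the thread), a small parser for the HijackThis log format posted above that applies the kind of triage a reviewer does by eye: it pulls the O2 BHO and O4 Run entries, strips each Run command down to its executable, flags a BHO that is not a DLL and autostarts launched from the Windows directory outside System32 or from All Users\Application Data, and notes whether the target also appears in the running-process list. The sample log is a constructed excerpt of the log posted above; the rules and function names are this example's own heuristics, not HijackThis features.

```python
import re
# Constructed excerpt in HijackThis v1.98 log format; the paths are copied from the
# thread above, the parsing and scoring rules are this example's own.
HJT_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\winnt\180solutions\saap.exe
C:\WINNT\fchohqz.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
"""
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(.*?)\] (.+)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)  # command line -> target .exe
# Windows directory, excluding the System32/System subtree where OS binaries live.
WINDIR_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\(?!system32\\|system\\)")

def parse_log(text):
    # Returns (lower-cased running-process paths, [(kind, name, path), ...]).
    procs = text.split("Running processes:\n", 1)[1].split("\n\n", 1)[0]  # list ends at blank line
    running = {p.strip().lower() for p in procs.splitlines() if p.strip()}
    entries = []
    for line in text.splitlines():
        if m := O2_RE.match(line):
            entries.append(("O2", m.group(1), m.group(2)))
        elif m := O4_RE.match(line):
            cmd = EXE_RE.match(m.group(2))  # strip surrounding quotes and arguments
            entries.append(("O4", m.group(1), cmd.group(1) if cmd else m.group(2)))
    return running, entries

def triage(text):
    # Flags the entries a reviewer should look at first, with a reason for each,
    # and notes whether the autostart target also appears in the process list.
    running, entries = parse_log(text)
    flagged = []
    for kind, name, path in entries:
        low, reasons = path.lower(), []
        if kind == "O2" and not low.endswith(".dll"):
            reasons.append("BHO module is not a DLL")  # BHOs are in-process COM DLLs
        if kind == "O4" and WINDIR_RE.match(low):
            reasons.append("autostart from the Windows dir outside System32")
        if kind == "O4" and "\\all users\\application data\\" in low:
            reasons.append("autostart from All Users\\Application Data")
        if reasons:
            flagged.append({"kind": kind, "name": name, "path": path, "reasons": reasons, "running": low in running})
    return flagged
```

Run against the full log above, the same rules single out the entries crunchie asked to have fixed while leaving the Adobe, QuickTime and printer entries alone; a match on these rules is a prompt to look closer, not proof by itself.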

© 2011 DaniWeb® LLC