Please help me look smart :)

Question

mongoloido 0 Newbie Poster

19 Years Ago

I made the mistake of opening my big mouth about getting bad things off my computer (thanks a lot for telling me how to do that), and now a friend is convinced I can work magic on his office computers. I have no idea how they've managed to get this stuff on here, but these computers are a mess. I ran adaware and grabbed a couple hundred items. Ran spybot and grabbed a couple hundred more. There VShield seems to have kept some stuff away as Panda ActiveScan didn't turn up anything. CWShredder and Stinger also came up empty-handed. This thing has toolbars and redirects galore though. Worse still, I know even less about Windows 2000 than I do about WindowsXP (which the marsupial mod will attest is next to nothing). Help would be greatly appreciated. I can spot a few things in the HJT log that definitely need fixing, but others look either critical to the system or evil. Seems like something I shouldn't guess on if I want my friend to dogsit for me in a month :). Here's the log. Thanks for all the help in the past and hopefully in the future.

Logfile of HijackThis v1.98.2
Scan saved at 1:48:58 PM, on 9/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
c:\progra~1\intern~1\iexplore.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\fchohqz.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\HJT\hijackthis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsymdzydllscvrdhmt.com/2sM8F1tW5RaHT6OOlQ9xl/I99kI45qXaQ1hCTEyRTDI.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xmjmhkljyajrbmywg.uk/2sM8F1tW5RZlnlh5okDJ093i/GUsMzoc_ar_VHcO6YY6CMOoEeaobYPwslFqalXg.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O2 - BHO: (no name) - {ADEA1E6D-5D80-D80F-A870-0070D2224802} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iso wma] C:\PROGRA~1\BOLDDE~1\meta regs chin.exe
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
O4 - HKLM\..\Run: [Corn view dumb start] C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW\spam software.exe
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.1040.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

windows-virus

2 Contributors
1 Reply
103 Views
18 Hours Discussion Span
Latest Post 19 Years Ago Latest Post by crunchie

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 1 · 2004-09-25T12:42:23+00:00

First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run this uninstaller:
http://members.rogers.com/rjmac/new_uninstall.exe

Reboot into safe mode following the instructions here & close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsymdzydllscvrdhmt.com/2...1hCTEyRTDI.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xmjmhkljyajrbmywg.uk/2sM...PwslFqalXg.html

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {8B2FB2AC-4186-F301-AC98-BA1C64EEDE4E} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe
O2 - BHO: (no name) - {ADEA1E6D-5D80-D80F-A870-0070D2224802} - C:\PROGRA~1\TIMEIN~1\SeekSupport.exe

O4 - HKLM\..\Run: [iso wma] C:\PROGRA~1\BOLDDE~1\meta regs chin.exe
O4 - HKLM\..\Run: [kind bold link rect] C:\Documents and Settings\All Users\Application Data\readme2kindbold\dumbboob.exe
O4 - HKLM\..\Run: [Corn view dumb start] C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW\spam software.exe
O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
O4 - HKLM\..\Run: [fchohqz] C:\WINNT\fchohqz.exe

Find & delete the following manually:

C:\PROGRA~1\TIMEIN~1-folder
C:\PROGRA~1\BOLDDE~1-folder
C:\Documents and Settings\All Users\Application Data\readme2kindbold-folder
C:\Documents and Settings\All Users\Application Data\BIN GREY CORN VIEW-folder
c:\winnt\180solutions-folder

C:\WINNT\fchohqz.exe-file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally after doing the above then post a fresh log please.