Solved: WhoooHoooo WHAT FUN

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

SacsTC

Thread Starter
Joined
Dec 30, 2003
Messages
1,647
Logfile of HijackThis v1.99.1
Scan saved at 5:18:17 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\kqonwph.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qslig.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qslig.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-432B-98CC-D7E4C143886C} - C:\Program Files\l0th0xiw\l0th0xiw.dll (file missing)
O2 - BHO: (no name) - {55ADBD91-CDE2-EACB-AB9C-740E22B33F39} - C:\WINDOWS\appwa.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfcoa.exe] C:\WINDOWS\system32\mfcoa.exe
O4 - HKLM\..\Run: [bzeyrkf] c:\windows\system32\kqonwph.exe r
O4 - HKLM\..\Run: [ykhhja] c:\windows\system32\hbcvzr.exe r
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\RunOnce: [msyj.exe] C:\WINDOWS\msyj.exe
O4 - HKLM\..\RunOnce: [winbr.exe] C:\WINDOWS\winbr.exe
O4 - HKLM\..\RunOnce: [ipgz32.exe] C:\WINDOWS\system32\ipgz32.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {04678E6D-2BE8-7D0E-0103-23E418F30FFD} - http://209.8.161.54/1/gdnUS1022.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/fad18de6/enter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {440F52CF-A71D-3B01-48A9-36D3547B8B47} - http://209.8.161.54/1/gdnUS1022.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{10060B44-BED1-435A-85DE-49B95CCB8D94}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\LOPNM13N.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\afddz.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msyj.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\SFUninstaller.exe" service (file missing)
 

SacsTC

Thread Starter
Joined
Dec 30, 2003
Messages
1,647
No clue, not my machine, but he must be having fun or at least he thinks he is!!!
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Lol, ok, I can't help, but I've seen you around and wanted to harass you :D

There is quite a collection there though :)


Hopefully one of the log gurus will check in shortly. They get really worried when I post to a security thread :D
 

SacsTC

Thread Starter
Joined
Dec 30, 2003
Messages
1,647
Did you have a great time off???

Going to reboot now as I just loaded ewido. brb
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Yes, I did, thank you. See my thread in the random section, funny signs and poorly translated signs :D It's a hoot :D
 

SacsTC

Thread Starter
Joined
Dec 30, 2003
Messages
1,647
Logfile of HijackThis v1.99.1
Scan saved at 7:02:02 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\bgswvd.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qslig.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qslig.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-432B-98CC-D7E4C143886C} - C:\Program Files\l0th0xiw\l0th0xiw.dll (file missing)
O2 - BHO: (no name) - {55ADBD91-CDE2-EACB-AB9C-740E22B33F39} - C:\WINDOWS\appwa.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfcoa.exe] C:\WINDOWS\system32\mfcoa.exe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [doaomu] c:\windows\system32\bgswvd.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {04678E6D-2BE8-7D0E-0103-23E418F30FFD} - http://209.8.161.54/1/gdnUS1022.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/fad18de6/enter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {440F52CF-A71D-3B01-48A9-36D3547B8B47} - http://209.8.161.54/1/gdnUS1022.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{10060B44-BED1-435A-85DE-49B95CCB8D94}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\LOPNM13N.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\afddz.dll (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msyj.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\SFUninstaller.exe" service (file missing)
 

SacsTC

Thread Starter
Joined
Dec 30, 2003
Messages
1,647
What??????????? I can't believe no-one wants this one......... LOL
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
You have to have patience in this forum. There are too many logs and too few experts :)

Let me see who I can beckon for you.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First, use the uninstaller from the scummy website that makes most of this stuff:

http://www.mypctuneup.com/evaluate.php

Then reboot into safe mode, run ewido again while in safe mode, and then post a fresh HJT log.

There will still be a lot more to do, but the amount of problems s/he had needs dealing with in order.
 

SacsTC

Thread Starter
Joined
Dec 30, 2003
Messages
1,647
Thanks for the reply, but I just told him we were going to wipe it clean and re-load. With 33000+ infected files, we probably would have had to anyway. After it blew Ewido out of the water while disinfecting and then would not run again (even after uninstalling and re-installing), I gave up.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Probably a sensible thing to do with over 33,000 infected files
 