Hijacked Also

Discussion in 'adware, spyware & hijack cleaning' started by bastian, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. bastian

    bastian Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hi All,

I read the solution to abner's request for help https://www.wilderssecurity.com/show...7949#post197949 and I am having the same problem, but when I tried to follow the instructions that were given to abner I found some of the files are different and some are not there at all. Please do help.

    res://dmmqm.dll/index.html#96676

    Below is my HijackThis log

    Logfile of HijackThis v1.97.7
    Scan saved at 4:41:20 PM, on 6/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hpnra.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\appjt.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\mswg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\All Users\Desktop\Chris Doc\Applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    O2 - BHO: (no name) - {F4E68E8C-A4F7-4FD6-A3E7-A146F9DEFA17} - C:\WINDOWS\system32\msmm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [appjt.exe] C:\WINDOWS\system32\appjt.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKLM\..\RunOnce: [mswg32.exe] C:\WINDOWS\system32\mswg32.exe
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe
    O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ASUS Hotkey.lnk = C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://gsm.asus.com.tw
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25e7b9e...ip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab28177.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/ge...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABC496D-7939-43FD-A991-E9385A77013B}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11


    Thanks so much.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi bastian, ;)

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click it and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\appjt.exe
    C:\WINDOWS\system32\mswg32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    O2 - BHO: (no name) - {F4E68E8C-A4F7-4FD6-A3E7-A146F9DEFA17} - C:\WINDOWS\system32\msmm.dll

    O4 - HKLM\..\Run: [appjt.exe] C:\WINDOWS\system32\appjt.exe

    O4 - HKLM\..\RunOnce: [mswg32.exe] C:\WINDOWS\system32\mswg32.exe
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25e7b9e...ip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\dmmqm.dll
    C:\WINDOWS\system32\appjt.exe
    C:\WINDOWS\system32\mswg32.exe
    C:\WINDOWS\system32\msmm.dat

    If you have a copy of C:\WINDOWS\winzz.exe could you zip that up and mail it to pieterATwilderssecurity.org ?

    TIA,

    Pieter
     
  3. bastian

    bastian Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hi Pieter,

    Followed your instructions, but when I opened the Task Manager, C:\WINDOWS\system32\mswg32.exe was not running.
    And after rebooting into safe mode, C:\WINDOWS\system32\msmm.dat could not be found.

    Now the IE start page has changed to res://cfdfg.dll/index.html#96676

    Below is my log file

    Logfile of HijackThis v1.97.7
    Scan saved at 8:34:24 AM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\addus32.exe
    C:\WINDOWS\system32\ipue.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hpnra.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    C:\Documents and Settings\All Users\Desktop\Chris Doc\Applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    O2 - BHO: (no name) - {35E2B57B-1674-3E68-49B5-4429B27E63B9} - C:\WINDOWS\system32\ipue.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKLM\..\RunOnce: [addus32.exe] C:\WINDOWS\addus32.exe
    O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ASUS Hotkey.lnk = C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://gsm.asus.com.tw
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABC496D-7939-43FD-A991-E9385A77013B}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11


    Thanks and hope you can help.

    p.s. will be sending you the winzz.exe file after this.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi bastian,

    I hope you haven't rebooted since you posted that or I will need a new log.

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click it and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\addus32.exe
    C:\WINDOWS\system32\ipue.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    O2 - BHO: (no name) - {35E2B57B-1674-3E68-49B5-4429B27E63B9} - C:\WINDOWS\system32\ipue.dll

    O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe

    O4 - HKLM\..\RunOnce: [addus32.exe] C:\WINDOWS\addus32.exe

    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\addus32.exe
    C:\WINDOWS\system32\ipue.exe
    C:\WINDOWS\bqakn.dll
    C:\WINDOWS\system32\ipue.dat

    Regards,

    Pieter
     
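Added example, not part of the thread and not HijackThis or Pieter's own tooling: a small log triage script that applies the three indicators Pieter keyed on (IE start/search pages served via res:// from a DLL in C:\WINDOWS, an unnamed BHO, and Run/RunOnce entries for a bare exe dropped straight into the Windows folder) and then diffs two scans to show why he asked for no reboot: the hijacker regenerated its file names between bastian's two logs, and only winzz.exe persisted. The log excerpts are constructed from the lines posted above; the regexes are this example's own heuristics, not an official signature.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the hijack-related lines plus a few legitimate ones as negatives.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
O2 - BHO: (no name) - {F4E68E8C-A4F7-4FD6-A3E7-A146F9DEFA17} - C:\WINDOWS\system32\msmm.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [appjt.exe] C:\WINDOWS\system32\appjt.exe
O4 - HKLM\..\RunOnce: [mswg32.exe] C:\WINDOWS\system32\mswg32.exe
O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
"""
SCAN_2 = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
O2 - BHO: (no name) - {35E2B57B-1674-3E68-49B5-4429B27E63B9} - C:\WINDOWS\system32\ipue.dll
O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
O4 - HKLM\..\RunOnce: [addus32.exe] C:\WINDOWS\addus32.exe
O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe
"""

# R0/R1 value served via res:// from a DLL in C:\WINDOWS (with or without the full path).
RES_DLL = re.compile(r"res://(?:[A-Za-z]:\\WINDOWS\\)?([A-Za-z0-9]+\.dll)/", re.I)
# Browser Helper Object registered without a name.
BHO_NONAME = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - .*\\([^\\]+\.dll)$", re.I)
# Run/RunOnce value whose name is the bare exe name and whose file sits directly in
# C:\WINDOWS or C:\WINDOWS\system32, e.g. [appjt.exe] C:\WINDOWS\system32\appjt.exe
RUN_BARE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+\.exe)\] [A-Za-z]:\\WINDOWS\\(?:system32\\)?\1$", re.I)

def suspicious_files(log):
    """Map each flagged file name to the reason it was flagged, for one HijackThis log."""
    found = {}
    for line in log.strip().splitlines():
        if line[:2] in ("R0", "R1") and (m := RES_DLL.search(line)):
            found[m.group(1).lower()] = "IE start/search page served from a local DLL via res://"
        elif (m := BHO_NONAME.match(line)):
            found[m.group(1).lower()] = "unnamed Browser Helper Object"
        elif (m := RUN_BARE.match(line)):
            found[m.group(1).lower()] = "bare exe in the Windows folder started from Run/RunOnce"
    return found

def compare_scans(before, after):
    """Split indicators into those renamed across a reboot and those that persisted."""
    a, b = set(suspicious_files(before)), set(suspicious_files(after))
    return {"gone": sorted(a - b), "new": sorted(b - a), "persisted": sorted(a & b)}
```

The "persisted" bucket is the file worth keeping a sample of, which is exactly the one Pieter asked bastian to zip up.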
  5. bastian

    bastian Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hi Pieter,

    Thanks a bunch. I think it is solved. Oh Great Master. :D

    Wish Holland success in this year's Euro 2004.

    Chris
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands