Hijacked Also

Discussion in 'adware, spyware & hijack cleaning' started by bastian, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. bastian

    bastian Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hi All,

    I read the solution to abner request for help https://www.wilderssecurity.com/show...7949#post197949 and i am having the same problem but when i tried to follow the instructions as that that was given to abner i found some of the files are different and some are totally not there at all. Please do help.

    res://dmmqm.dll/index.html#96676

    Below is my Hijack this log

    Logfile of HijackThis v1.97.7
    Scan saved at 4:41:20 PM, on 6/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hpnra.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\appjt.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\mswg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\All Users\Desktop\Chris Doc\Applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    O2 - BHO: (no name) - {F4E68E8C-A4F7-4FD6-A3E7-A146F9DEFA17} - C:\WINDOWS\system32\msmm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [appjt.exe] C:\WINDOWS\system32\appjt.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKLM\..\RunOnce: [mswg32.exe] C:\WINDOWS\system32\mswg32.exe
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe
    O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ASUS Hotkey.lnk = C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://gsm.asus.com.tw
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25e7b9e...ip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab28177.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/ge...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABC496D-7939-43FD-A991-E9385A77013B}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11


    Thanks so much.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi bastian, ;)

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\appjt.exe
    C:\WINDOWS\system32\mswg32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dmmqm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dmmqm.dll/sp.html#96676
    O2 - BHO: (no name) - {F4E68E8C-A4F7-4FD6-A3E7-A146F9DEFA17} - C:\WINDOWS\system32\msmm.dll

    O4 - HKLM\..\Run: [appjt.exe] C:\WINDOWS\system32\appjt.exe

    O4 - HKLM\..\RunOnce: [mswg32.exe] C:\WINDOWS\system32\mswg32.exe
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25e7b9e...ip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\dmmqm.dll
    C:\WINDOWS\system32\appjt.exe
    C:\WINDOWS\system32\mswg32.exe
    C:\WINDOWS\system32\msmm.dat

    If you have a copy of C:\WINDOWS\winzz.exe could you zip that up and mail it to pieterATwilderssecurity.org ?

    TIA,

    Pieter
     
  3. bastian

    bastian Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hi Pieter,

    Followed your instructions but when i open the task manager.C:\WINDOWS\system32\mswg32.exe was not running
    And after rebooting into safe mode C:\WINDOWS\system32\msmm.dat could not be found.

    Now ie startup has changed to res://cfdfg.dll/index.html#96676

    Below is my log file

    Logfile of HijackThis v1.97.7
    Scan saved at 8:34:24 AM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\addus32.exe
    C:\WINDOWS\system32\ipue.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hpnra.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    C:\Documents and Settings\All Users\Desktop\Chris Doc\Applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    O2 - BHO: (no name) - {35E2B57B-1674-3E68-49B5-4429B27E63B9} - C:\WINDOWS\system32\ipue.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKLM\..\RunOnce: [addus32.exe] C:\WINDOWS\addus32.exe
    O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ASUS Hotkey.lnk = C:\Program Files\asus\Asus Hotkey\Hotkey.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://gsm.asus.com.tw
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABC496D-7939-43FD-A991-E9385A77013B}: NameServer = 202.133.99.12,202.133.99.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4DB2772E-11A4-46DE-BC75-8305FF9C285C}: NameServer = 202.133.99.12,202.133.99.11


    Thanks and hope you can help.

    p.s. will be sending you the winzz.exe file after this.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi bastian,

    I hope you haven't rebooted since you posted taht or I will need a new log.

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\addus32.exe
    C:\WINDOWS\system32\ipue.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bqakn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bqakn.dll/sp.html#96676
    O2 - BHO: (no name) - {35E2B57B-1674-3E68-49B5-4429B27E63B9} - C:\WINDOWS\system32\ipue.dll

    O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe

    O4 - HKLM\..\RunOnce: [addus32.exe] C:\WINDOWS\addus32.exe

    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\winzz.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\addus32.exe
    C:\WINDOWS\system32\ipue.exe
    C:\WINDOWS\bqakn.dll
    C:\WINDOWS\system32\ipue.dat

    Regards,

    Pieter
     
  5. bastian

    bastian Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hi Pieter,

    Thank a bunch. I think it is solved.. Oh Great Master. :D

    Wish Holland success in this year's Euro 2004.

    Chris
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
Thread Status:
Not open for further replies.