Jump to content


Photo

please check my log


  • Please log in to reply
14 replies to this topic

#1 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 05:21 PM

I have fixed the obvious ones but it keeps coming back. Could someone please let me know what to do?
Thanks!!!
Logfile of HijackThis v1.98.0
Scan saved at 6:19:39 PM, on 7/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\msxl32.exe
C:\WINDOWS\System32\lqwzzx.exe
C:\Documents and Settings\User1\Application Data\nurh.exe
C:\WINDOWS\System32\hjqgcbi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\appih32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wqtgb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wqtgb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wqtgb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wqtgb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wqtgb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wqtgb.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {99078794-6831-1765-763B-9566D3697899} - C:\WINDOWS\ntul.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [msxl32.exe] C:\WINDOWS\msxl32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [mveqaadhz] C:\WINDOWS\System32\lqwzzx.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [appih32.exe] C:\WINDOWS\system32\appih32.exe
O4 - HKLM\..\RunOnce: [iesc32.exe] C:\WINDOWS\system32\iesc32.exe
O4 - HKLM\..\RunOnce: [winet32.exe] C:\WINDOWS\winet32.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [Ahrt] C:\Documents and Settings\User1\Application Data\nurh.exe
O4 - HKCU\..\Run: [Iib] C:\WINDOWS\System32\hjqgcbi.exe
O4 - Startup: Wireless Desktop.lnk = C:\Program Files\Wireless Desktop\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 03 July 2004 - 05:23 PM

Hello please download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.


Ducky
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 05:29 PM

Is this right?
About:Buster Version 1.24
Removed! : C:\WINDOWS\fudfck.dat
Removed! : C:\WINDOWS\gxnbxr.dat
Removed! : C:\WINDOWS\hqbdz.dat
Removed! : C:\WINDOWS\lcyzik.dat
Removed! : C:\WINDOWS\msxl32.dll
Removed! : C:\WINDOWS\msxl32.exe
Removed! : C:\WINDOWS\mvetsn.dat
Error Removing! : C:\WINDOWS\ntul.dll
Removed! : C:\WINDOWS\nywpft.dat
Removed! : C:\WINDOWS\szodvd.dat
Removed! : C:\WINDOWS\winet32.exe
Removed! : C:\WINDOWS\wqtgb.dll
Removed! : C:\WINDOWS\System32\appih32.exe
Removed! : C:\WINDOWS\System32\iesc32.exe
Removed! : C:\WINDOWS\System32\ijgyk.dat
Removed! : C:\WINDOWS\System32\jtlau.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#4 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 03 July 2004 - 05:30 PM

Thats it :). Try deleting C:\WINDOWS\ntul.dll manually. It shouldnt be hidden. When thats done. Run About:Buster just in case one more time.

Then post a new Hijack This log.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#5 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 05:31 PM

OK here is the new H.T. log:
Logfile of HijackThis v1.98.0
Scan saved at 6:31:20 PM, on 7/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\System32\lqwzzx.exe
C:\Documents and Settings\User1\Application Data\nurh.exe
C:\WINDOWS\System32\hjqgcbi.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User1\Desktop\AboutBuster.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\d3cn32.exe
C:\Documents and Settings\User1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wqtgb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wqtgb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wqtgb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wqtgb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wqtgb.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {99078794-6831-1765-763B-9566D3697899} - C:\WINDOWS\ntul.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [mveqaadhz] C:\WINDOWS\System32\lqwzzx.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [d3cn32.exe] C:\WINDOWS\d3cn32.exe
O4 - HKCU\..\Run: [Ahrt] C:\Documents and Settings\User1\Application Data\nurh.exe
O4 - HKCU\..\Run: [Iib] C:\WINDOWS\System32\hjqgcbi.exe
O4 - Startup: Wireless Desktop.lnk = C:\Program Files\Wireless Desktop\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#6 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 03 July 2004 - 05:32 PM

Hmmm :(. Yeah run About:Buster again. Make sure All windows are closed when running About:Buster.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#7 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 05:38 PM

ok here are the latest logs:

About:Buster Version 1.24
Removed! : C:\WINDOWS\d3cn32.exe
Removed! : C:\WINDOWS\ntul.dll
Removed! : C:\WINDOWS\wqtgb.dll
Removed! : C:\WINDOWS\wuotug.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

and the ht:
Logfile of HijackThis v1.98.0
Scan saved at 6:38:36 PM, on 7/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\System32\lqwzzx.exe
C:\Documents and Settings\User1\Application Data\nurh.exe
C:\WINDOWS\System32\hjqgcbi.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User1\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {99078794-6831-1765-763B-9566D3697899} - C:\WINDOWS\ntul.dll (file missing)
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [mveqaadhz] C:\WINDOWS\System32\lqwzzx.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [Ahrt] C:\Documents and Settings\User1\Application Data\nurh.exe
O4 - HKCU\..\Run: [Iib] C:\WINDOWS\System32\hjqgcbi.exe
O4 - Startup: Wireless Desktop.lnk = C:\Program Files\Wireless Desktop\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#8 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 03 July 2004 - 05:43 PM

Well you are clear of the res:// variant :).

Here are the steps to get a cleaner computer

1) Restart so that Ad-Aware can remove the rest of the items it couldnt delete.
2) Uninstall P2P Networking through the Add/Remove Programs in the Control Panel.
3) Post a new Hijack This log to remove the remains


Ducky :)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#9 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 05:46 PM

OK sounds good:
Thanks for helping me out so fast I really apreciate it!

#10 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 05:52 PM

OK adaware cleaned some stuff up on start up. P2P networking wasnt on the add remove list!? And here is the H.T. log:
Logfile of HijackThis v1.98.0
Scan saved at 6:51:00 PM, on 7/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\System32\lqwzzx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User1\Application Data\nurh.exe
C:\WINDOWS\System32\hjqgcbi.exe
C:\DOCUME~1\User1\LOCALS~1\Temp\msbb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User1\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {99078794-6831-1765-763B-9566D3697899} - C:\WINDOWS\ntul.dll (file missing)
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [mveqaadhz] C:\WINDOWS\System32\lqwzzx.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\user1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [mzkj] C:\WINDOWS\mzkj.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [Ahrt] C:\Documents and Settings\User1\Application Data\nurh.exe
O4 - HKCU\..\Run: [Iib] C:\WINDOWS\System32\hjqgcbi.exe
O4 - Startup: Wireless Desktop.lnk = C:\Program Files\Wireless Desktop\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#11 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 03 July 2004 - 05:59 PM

Ok startup Hijack this and tick the boxes next to these items.


R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {99078794-6831-1765-763B-9566D3697899} - C:\WINDOWS\ntul.dll (file missing)
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [mveqaadhz] C:\WINDOWS\System32\lqwzzx.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\user1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [mzkj] C:\WINDOWS\mzkj.exe
O4 - HKCU\..\Run: [Ahrt] C:\Documents and Settings\User1\Application Data\nurh.exe
O4 - HKCU\..\Run: [Iib] C:\WINDOWS\System32\hjqgcbi.exe


Then close all windows and hit fix checked. Restart and delete the following files

Files:
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\System32\lqwzzx.exe
C:\WINDOWS\mzkj.exe
C:\Documents and Settings\User1\Application Data\nurh.exe
C:\WINDOWS\System32\hjqgcbi.exe


Folders:
C:\WINDOWS\System32\P2P Networking


Then please post a new Hijack This log. Im still looking for information on some files.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#12 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 06:00 PM

Do I delete the entire p2p networking folder?

#13 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 03 July 2004 - 06:01 PM

Yes :)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#14 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 06:21 PM

Ok, hjqgcbi.exe & nurh.exe were write protected and lqwzzx.exe was used by another person or program... and something happened to the notepad program so I have to fix that to get H.T. working again...

#15 avidvr6

avidvr6

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 July 2004 - 06:31 PM

ok here it is:
Logfile of HijackThis v1.98.0
Scan saved at 7:29:56 PM, on 7/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\System32\lqwzzx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User1\Application Data\nurh.exe
C:\WINDOWS\System32\hjqgcbi.exe
C:\DOCUME~1\User1\LOCALS~1\Temp\msbb.exe
C:\Documents and Settings\User1\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [jfdicckvqpwv] C:\WINDOWS\System32\lqwzzx.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: Wireless Desktop.lnk = C:\Program Files\Wireless Desktop\MagicKey.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

There are still some pop ups but my homepage has stayed at google for a while now!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button