
Need help removing urllogic popups

#1
Cynful, New Member
I have recurring popups from urllogic - scans have not been able to remove it. I'm posting my HijackThis log and my Find It NT-2K-XP output.

Thanks in advance for your help!

HIJACKTHIS LOG
Logfile of HijackThis v1.99.0
Scan saved at 10:11:47 AM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\yriwiw.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\KERB\SideCar.exe
C:\Program Files\Desktop Alert\desktopalert_1768445.exe
C:\KERB\krbcc32s.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\4D\4D_ISURF_6.7\4D WIN Client 6.7.3\4DClient.exe
C:\Documents and Settings\lpetersn\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techtransfer.iastate.edu/
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\System32\wgp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1768445.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideCar.lnk = C:\KERB\SideCar.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\lpetersn\LOCALS~1\Temp\ThereInstallHelper.2.0.2106.0.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iastate.edu
O17 - HKLM\Software\..\Telephony: DomainName = iastate.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1223BB3-88C3-4C97-A4C1-AAD5172BC94C}: NameServer = 129.186.1.200,129.186.140.200,129.186.142.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iastate.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = iastate.edu,ait.iastate.edu,ats.iastate.edu,adp.iastate.edu,vincent.iastate.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iastate.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = iastate.edu,ait.iastate.edu,ats.iastate.edu,adp.iastate.edu,vincent.iastate.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = iastate.edu,ait.iastate.edu,ats.iastate.edu,adp.iastate.edu,vincent.iastate.edu
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: STOPzilla Local Service - Unknown - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)

Find It NT-2K-XP OUTPUT
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\lpetersn\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 98AF-24CF

Directory of C:\WINDOWS\System32

01/12/2005 12:01 PM <DIR> dllcache
12/30/2004 11:03 AM 223,670 guard.tmp
12/30/2004 10:28 AM 223,670 f8j2li1o18.dll
12/30/2004 09:52 AM 223,670 lv2u09f9e.dll
12/30/2004 09:34 AM 223,670 m4ls0e37eh.dll
12/30/2004 09:31 AM 223,548 ktjml7111.dll
12/29/2004 05:29 PM 224,588 lv2o09f3e.dll
11/21/2003 10:06 AM <DIR> Microsoft
6 File(s) 1,342,816 bytes
2 Dir(s) 22,260,121,600 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 98AF-24CF

Directory of C:\WINDOWS\System32

01/12/2005 12:01 PM <DIR> dllcache
11/24/2004 11:31 AM 488 WindowsLogon.manifest
11/24/2004 11:31 AM 488 logonui.exe.manifest
11/24/2004 11:31 AM 749 cdplayer.exe.manifest
11/24/2004 11:31 AM 749 wuaucpl.cpl.manifest
11/24/2004 11:31 AM 749 sapi.cpl.manifest
11/24/2004 11:31 AM 749 ncpa.cpl.manifest
11/24/2004 11:31 AM 749 nwc.cpl.manifest
07/02/2003 01:56 PM <DIR> GroupPolicy
7 File(s) 4,721 bytes
2 Dir(s) 22,260,117,504 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 98AF-24CF

Directory of C:\WINDOWS\System32

12/30/2004 11:03 AM 223,670 guard.tmp
1 File(s) 223,670 bytes
0 Dir(s) 22,260,117,504 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 98AF-24CF

Directory of C:\WINDOWS\System32

12/30/2004 11:03 AM 223,670 guard.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
2 File(s) 226,247 bytes
0 Dir(s) 22,260,117,504 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{03A2F7E7-4B2A-485B-90D2-97DDAF365341}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
f8j2li~1.dll Thu Dec 30 2004 10:28:56a ..S.R 223,670 218.43 K
guard.tmp Thu Dec 30 2004 11:03:50a ..S.R 223,670 218.43 K
ktjml7~1.dll Thu Dec 30 2004 9:31:46a ..S.R 223,548 218.31 K
logonu~1.man Wed Nov 24 2004 11:31:42a A..HR 488 0.48 K
lv2o09~1.dll Wed Dec 29 2004 5:29:18p ..S.R 224,588 219.32 K
lv2u09~1.dll Thu Dec 30 2004 9:52:06a ..S.R 223,670 218.43 K
m4ls0e~1.dll Thu Dec 30 2004 9:34:12a ..S.R 223,670 218.43 K
ncpacp~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
nwccpl~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
sapicp~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
window~1.man Wed Nov 24 2004 11:31:42a A..HR 488 0.48 K
wuaucp~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K

13 items found: 13 files, 0 directories.
Total of file sizes: 1,347,537 bytes 1.28 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\goycyc.dll: updates.qoologic.com
C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pwzhzh.exe: updates.qoologic.com
C:\WINDOWS\system32\zboeoe.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\pav.sig: AsPack
C:\WINDOWS\system32\qbapap.dat: .aspack
C:\WINDOWS\system32\yriwiw.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"NDPS"="C:\\WINDOWS\\System32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"PtLiveUpdate"="C:\\Program Files\\Common Files\\Pumatech Shared\\5.3\\LiveUpdate Client\\PtLUWorker.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"WinGuard Pro"="C:\\WINDOWS\\System32\\wgp.exe"
"Narrator"="C:\\WINDOWS\\System32\\yriwiw.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"sealmon"="C:\\Program Files\\SealedMedia\\sealmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


#2
Cynful, New Member (Topic Starter)
I went through the "Do this before you post.." list of scans and suggestions again just to make sure I didn't miss something and I'm still having problems.

I searched the posts from other users that have had the same problem, but I'm not finding the same registry or system files to delete/quarantine as you've had others do. I've sifted through every post I could find on the topic urllogic.

So, I'm back to square one - anything you can do to help would be greatly appreciated!