Gessfk

Help please :(

6 posts in this topic

So somehow I got spyware up my butt. I don't know how it got in, because usually I'm pretty careful about what I download. The last things I've downloaded have been: 3dMark04, 3dmark03, pcmark04, and net transport "2". I had net transport, the original version, and it was spyware-free, but I dunno, now the second version has some different website and stuff, so dunno.

Anyway, here's the problem: I can't get rid of this spyware shit. I run cws shredder, and it seems to find searchx most often, but has also found msconfig I think, and maybe even another. It's like there's some hole in my computer that keeps letting this shit back in, because every time I remove it, it comes back like an hour later it seems like. I tried reading about searchx on spywareinfo, but I don't fully understand what it's talking about on how to remove it. I also read that the realyellowpages sometimes comes with it, and how bad that one was. That kinda scared me, because it almost sounded like what I had, but I did what that one said, and didn't find it in the log from some file I downloaded in the instructions. Anyway, I'm super tired, and posting this before I go to sleep. Here are the log files I got from various programs:

 

Hijack this:

Logfile of HijackThis v1.98.0
Scan saved at 4:07:34 AM, on 6/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mr1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab

 

Startup list:

StartupList report, 6/29/2004, 4:03:34 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Mr1\Desktop\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Mr1\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINNT\system32\NeroCheck.exe
Synchronization Manager = mobsync.exe /logon
POINTER = point32.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7861.6590277778

[{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}]
CODEBASE = http://install.wildtangent.com/bgn/partner...lim/install.cab

[shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,402 bytes
Report generated in 0.080 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

(note: I told it to run autoexec.bat, and pointer32 is my mouse software)

 

and here is the Internet Explorer DLL list:

Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 Internet Explorer
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft ® C Runtime Library
KERNEL32.dll 7c570000 753664 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6897 Windows NT BASE API Client DLL
USER32.dll 77e10000 413696 C:\WINNT\system32\USER32.dll 5.00.2195.6897 Windows 2000 USER API Client DLL
GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
SHLWAPI.dll 70a70000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
ADVAPI32.dll 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 Advanced Windows 32 Base API
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
SHDOCVW.dll 71700000 1347584 C:\WINNT\system32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
IMM32.DLL 75e60000 106496 C:\WINNT\system32\IMM32.DLL 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
comctl32.dll 950000 540672 C:\WINNT\system32\comctl32.dll 5.81 Common Controls Library
SHELL32.dll 782f0000 2392064 C:\WINNT\system32\SHELL32.dll 5.00.3700.6705 Windows Shell Common Dll
ole32.dll 77a50000 978944 C:\WINNT\system32\ole32.dll 5.00.2195.6906 Microsoft OLE for Windows
POINT32.dll 61210000 36864 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll 4.00.0657.0 Microsoft IntelliPoint
BROWSEUI.dll 71500000 1036288 C:\WINNT\system32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
browselc.dll 71960000 73728 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
WININET.dll 63000000 614400 C:\WINNT\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Offline Network Agent
urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
mshtml.dll 63580000 2818048 C:\WINNT\System32\mshtml.dll 6.00.2800.1400 Microsoft ® HTML Viewer
shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
MLANG.dll 70440000 585728 C:\WINNT\system32\MLANG.dll 6.00.2800.1106 Multi Language Support DLL
msi.dll 2410000 2113536 C:\WINNT\system32\msi.dll 2.0.2600.1183 Windows Installer
MSH_ZWF.dll 61220000 45056 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll 4.00.0657.0 Microsoft IntelliPoint
MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.6601 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.6601 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
NETAPI32.DLL 75170000 323584 C:\WINNT\System32\NETAPI32.DLL 5.00.2195.6897 Net Win32 API DLL
SECUR32.DLL 7c340000 61440 C:\WINNT\System32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\System32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\System32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\System32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\System32\WSOCK32.DLL 5.00.2195.6603 Windows Socket 32-Bit DLL
RASAPI32.dll 774e0000 208896 C:\WINNT\system32\RASAPI32.dll 5.00.2195.6625 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6738 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows Telephony API Client DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
msafd.dll 74fd0000 122880 C:\WINNT\system32\msafd.dll 5.00.2195.6602 Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.6601 Windows Sockets Helper DLL
rnr20.dll 782c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.6603 Windows Socket2 NameSpace DLL
iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.6602 IP Helper API
ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
ACTIVEDS.DLL 773b0000 192512 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 ADs Router Layer DLL
ADSLDPC.DLL 77380000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 ADs LDAP Provider C DLL
SETUPAPI.DLL 77880000 581632 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 DHCP Client Service
winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
jscript.dll 6b700000 589824 c:\winnt\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript
iepeers.dll 70fb0000 241664 C:\WINNT\System32\iepeers.dll 6.00.2800.1106 Internet Explorer Peer Objects
WINSPOOL.DRV 77800000 122880 C:\WINNT\System32\WINSPOOL.DRV 5.00.2195.6659 Windows Spooler Driver
mshtmled.dll 70f30000 450560 C:\WINNT\System32\mshtmled.dll 6.00.2800.1106 Microsoft ® HTML Editing Component
mscoree.dll 79170000 135168 C:\WINNT\System32\mscoree.dll 1.0.3705.0 Microsoft .NET Runtime Execution Engine
mscorie.dll 79410000 73728 C:\WINNT\Microsoft.NET\Framework\v1.0.3705\mscorie.dll 1.0.3705.0 Microsoft .NET IE MIME Filter
MSVCR70.dll 7c000000 344064 C:\WINNT\Microsoft.NET\Framework\v1.0.3705\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library
plugin.ocx 43d0000 98304 C:\WINNT\system32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX
wintrust.dll 76930000 176128 C:\WINNT\system32\wintrust.dll 5.131.2195.6824 Microsoft Trust Verification APIs
IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.6613 Windows NT Image Helper
comdlg32.dll 76b30000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3700.6693 Common Dialogs DLL
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
c_is2022.dll 74360000 20480 C:\WINNT\system32\c_is2022.dll 5.00.2195.6688 ISO-2022 Code Page Translation DLL
MSRATING.DLL 70400000 143360 C:\WINNT\system32\MSRATING.DLL 6.00.2800.1106 Internet Ratings and Local User Management DLL
msratelc.dll 30000000 69632 C:\WINNT\system32\msratelc.dll 6.00.2800.1106 Internet Ratings and Local User Management DLL

Thanks in advance, good night.


Updates

 

Logfile of HijackThis v1.98.0
Scan saved at 12:16:36 AM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\SYSTEM32\ATIPTAXX.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\a2\a2guard.exe
C:\Starcraft\starcraft.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Mr1\Desktop\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

IE DLLs

  Module information for  'IEXPLORE.EXE'
 MODULE          BASE     SIZE     PATH
IEXPLORE.EXE      400000   102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE  6.00.2800.1106       Internet Explorer
ntdll.dll       77f80000   512000 C:\WINNT\system32\ntdll.dll               5.00.2195.6899       NT Layer DLL
msvcrt.dll      78000000   282624 C:\WINNT\system32\msvcrt.dll              6.10.9844.0          Microsoft (R) C Runtime Library
KERNEL32.dll    7c570000   753664 C:\WINNT\system32\KERNEL32.dll            5.00.2195.6897       Windows NT BASE API Client DLL
USER32.dll      77e10000   413696 C:\WINNT\system32\USER32.dll              5.00.2195.6897       Windows 2000 USER API Client DLL
GDI32.DLL       77f40000   253952 C:\WINNT\system32\GDI32.DLL               5.00.2195.6898       GDI Client DLL
SHLWAPI.dll     70a70000   413696 C:\WINNT\system32\SHLWAPI.dll             6.00.2800.1400       Shell Light-weight Utility Library
ADVAPI32.dll    7c2d0000   401408 C:\WINNT\system32\ADVAPI32.dll            5.00.2195.6876       Advanced Windows 32 Base API
RPCRT4.DLL      77d30000   462848 C:\WINNT\system32\RPCRT4.DLL              5.00.2195.6904       Remote Procedure Call Runtime
SHDOCVW.dll     71700000  1347584 C:\WINNT\system32\SHDOCVW.dll             6.00.2800.1400       Shell Doc Object and Control Library
IMM32.DLL       75e60000   106496 C:\WINNT\system32\IMM32.DLL               5.00.2195.6655       Windows 2000 IMM32 API Client DLL
WS2_32.DLL      75030000    81920 C:\WINNT\system32\WS2_32.DLL              5.00.2195.6601       Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL     75020000    32768 C:\WINNT\system32\WS2HELP.DLL             5.00.2134.1          Windows Socket 2.0 Helper for Windows NT
comctl32.dll      950000   540672 C:\WINNT\system32\comctl32.dll            5.81                 Common Controls Library
a2handler.dll   57800000   114688 C:\Program Files\a2\a2handler.dll        
oleaut32.dll    779b0000   634880 C:\WINNT\system32\oleaut32.dll            2.40.4522           
ole32.dll       77a50000   978944 C:\WINNT\system32\ole32.dll               5.00.2195.6906       Microsoft OLE for Windows
SHELL32.dll     782f0000  2392064 C:\WINNT\system32\SHELL32.dll             5.00.3700.6705       Windows Shell Common Dll
INDICDLL.dll    6e420000    24576 C:\WINNT\system32\INDICDLL.dll            5.00.2920.0000       Keyboard Language Indicator Shell Hook Extension
POINT32.dll     61210000    36864 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll  4.00.0657.0          Microsoft IntelliPoint
BROWSEUI.dll    71500000  1036288 C:\WINNT\system32\BROWSEUI.dll            6.00.2800.1400       Shell Browser UI Library
browselc.dll    71960000    73728 C:\WINNT\system32\browselc.dll            6.00.2800.1106       Shell Browser UI Library
CLBCATQ.DLL     775a0000   589824 C:\WINNT\system32\CLBCATQ.DLL             2000.2.3511.0       
WININET.dll     63000000   614400 C:\WINNT\system32\WININET.dll             6.00.2800.1405       Internet Extensions for Win32
CRYPT32.dll     7c740000   552960 C:\WINNT\system32\CRYPT32.dll             5.131.2195.6824      Crypto API32
MSASN1.DLL      77430000    65536 C:\WINNT\system32\MSASN1.DLL              5.00.2195.6905       ASN.1 Runtime APIs
cscui.dll       77840000   253952 C:\WINNT\system32\cscui.dll               5.00.2195.6705       Client Side Caching UI
CSCDLL.DLL      770c0000   143360 C:\WINNT\system32\CSCDLL.DLL              5.00.2195.6713       Offline Network Agent
urlmon.dll      1a400000   499712 C:\WINNT\system32\urlmon.dll              6.00.2800.1400       OLE32 Extensions for Win32
VERSION.dll     77820000    28672 C:\WINNT\system32\VERSION.dll             5.00.2195.6623       Version Checking and File Installation Libraries
LZ32.DLL        759b0000    24576 C:\WINNT\system32\LZ32.DLL                5.00.2195.6611       LZ Expand/Compress API DLL
mshtml.dll      63580000  2818048 C:\WINNT\System32\mshtml.dll              6.00.2800.1400       Microsoft (R) HTML Viewer
shdoclc.dll     718c0000   540672 C:\WINNT\system32\shdoclc.dll             6.00.2800.1106       Shell Doc Object and Control Library
MLANG.dll       70440000   585728 C:\WINNT\system32\MLANG.dll               6.00.2800.1106       Multi Language Support DLL
msi.dll          2620000  2113536 C:\WINNT\system32\msi.dll                 2.0.2600.1183        Windows Installer
MSH_ZWF.dll     61220000    45056 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll  4.00.0657.0          Microsoft IntelliPoint
MSLS31.DLL      75ac0000   163840 C:\WINNT\system32\MSLS31.DLL              3.10.337.0           Microsoft Line Services library file
wsock32.dll     75050000    32768 C:\WINNT\system32\wsock32.dll             5.00.2195.6603       Windows Socket 32-Bit DLL
RASAPI32.dll    774e0000   208896 C:\WINNT\system32\RASAPI32.dll            5.00.2195.6625       Remote Access API
RASMAN.DLL      774c0000    69632 C:\WINNT\system32\RASMAN.DLL              5.00.2195.6738       Remote Access Connection Manager
TAPI32.DLL      77530000   139264 C:\WINNT\system32\TAPI32.DLL              5.00.2195.6664       Microsoft® Windows(TM) Telephony API Client DLL
RTUTILS.DLL     77830000    57344 C:\WINNT\system32\RTUTILS.DLL             5.00.2168.1          Routing Utilities
USERENV.DLL     7c0f0000   397312 C:\WINNT\system32\USERENV.DLL             5.00.2195.6794       Userenv
netapi32.dll    75170000   323584 C:\WINNT\system32\netapi32.dll            5.00.2195.6897       Net Win32 API DLL
SECUR32.DLL     7c340000    61440 C:\WINNT\system32\SECUR32.DLL             5.00.2195.6695       Security Support Provider Interface
NETRAP.DLL      751c0000    24576 C:\WINNT\system32\NETRAP.DLL              5.00.2134.1          Net Remote Admin Protocol DLL
SAMLIB.DLL      75150000    61440 C:\WINNT\system32\SAMLIB.DLL              5.00.2195.6897       SAM Library DLL
WLDAP32.DLL     77950000   172032 C:\WINNT\system32\WLDAP32.DLL             5.00.2195.6666       Win32 LDAP API DLL
DNSAPI.DLL      77980000   147456 C:\WINNT\system32\DNSAPI.DLL              5.00.2195.6824       DNS Client API DLL
rnr20.dll       782c0000    49152 C:\WINNT\System32\rnr20.dll               5.00.2195.6603       Windows Socket2 NameSpace DLL
iphlpapi.dll    77340000    77824 C:\WINNT\system32\iphlpapi.dll            5.00.2195.6602       IP Helper API
ICMP.DLL        77520000    20480 C:\WINNT\system32\ICMP.DLL                5.00.2134.1          ICMP DLL
MPRAPI.DLL      77320000    94208 C:\WINNT\system32\MPRAPI.DLL              5.00.2181.1          Windows NT MP Router Administration DLL
ACTIVEDS.DLL    773b0000   192512 C:\WINNT\system32\ACTIVEDS.DLL            5.00.2195.6601       ADs Router Layer DLL
ADSLDPC.DLL     77380000   143360 C:\WINNT\system32\ADSLDPC.DLL             5.00.2195.6701       ADs LDAP Provider C DLL
SETUPAPI.DLL    77880000   581632 C:\WINNT\system32\SETUPAPI.DLL            5.00.2195.6622       Windows Setup API
DHCPCSVC.DLL    77360000   102400 C:\WINNT\system32\DHCPCSVC.DLL            5.00.2195.6685       DHCP Client Service
msafd.dll       74fd0000   122880 C:\WINNT\system32\msafd.dll               5.00.2195.6602       Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll    75010000    28672 C:\WINNT\System32\wshtcpip.dll            5.00.2195.6601       Windows Sockets Helper DLL
winrnr.dll      777e0000    32768 C:\WINNT\System32\winrnr.dll              5.00.2160.1          LDAP RnR Provider DLL
rasadhlp.dll    777f0000    20480 C:\WINNT\system32\rasadhlp.dll            5.00.2168.1          Remote Access AutoDial Helper
jscript.dll     6b700000   589824 c:\winnt\system32\jscript.dll             5.6.0.8513           Microsoft (r) JScript
vbscript.dll    6b600000   462848 c:\winnt\system32\vbscript.dll            5.6.0.7426           Microsoft (r) VBScript
Flash.ocx       10000000  1732608 C:\WINNT\system32\macromed\flash\Flash.ocx  7,0,19,0             Macromedia Flash Player 7.0  r19
WINMM.dll       77570000   196608 C:\WINNT\system32\WINMM.dll               5.00.2161.1          MCI API DLL
comdlg32.dll    76b30000   253952 C:\WINNT\system32\comdlg32.dll            5.00.3700.6693       Common Dialogs DLL
serwvdrv.dll    681a0000    28672 C:\WINNT\system32\serwvdrv.dll            5.00.2134.1          Unimodem Serial Wave driver
umdmxfrm.dll    66740000    28672 C:\WINNT\system32\umdmxfrm.dll            5.00.2134.1          Unimodem Tranform Module
wdmaud.drv      77560000    32768 C:\WINNT\system32\wdmaud.drv              5.00.2195.6673       WDM Audio driver mapper
msacm32.drv     77400000    32768 C:\WINNT\system32\msacm32.drv             5.00.2134.1          Microsoft Sound Mapper
MSACM32.dll     77410000    77824 C:\WINNT\system32\MSACM32.dll             5.00.2134.1          Microsoft ACM Audio Filter
dxtrans.dll     35c50000   208896 C:\WINNT\System32\dxtrans.dll             6.00.2800.1106       DirectX Media -- DirectX Transform Core
ATL.DLL         773e0000    86016 C:\WINNT\System32\ATL.DLL                 3.00.9435            ATL Module for Windows NT (Unicode)
ddrawex.dll     727f0000    36864 C:\WINNT\System32\ddrawex.dll             5.00.2134.1          Direct Draw Ex
DDRAW.dll       51000000   290816 C:\WINNT\System32\DDRAW.dll               5.3.0000000.900 built by: DIRECTX Microsoft DirectDraw
DCIMAN32.dll    728a0000    24576 C:\WINNT\System32\DCIMAN32.dll            5.00.2180.1          DCI Manager
dxtmsft.dll     35cb0000   364544 C:\WINNT\System32\dxtmsft.dll             6.00.2800.1106       DirectX Media -- Image DirectX Transforms
ACTXPRXY.DLL    703d0000   110592 C:\WINNT\system32\ACTXPRXY.DLL            6.00.2800.1106       ActiveX Interface Marshaling Library
dispex.dll       58a0000    45056 C:\WINNT\System32\dispex.dll              5.6.0.6626           Microsoft (r) DispEx
mshtmled.dll    70f30000   450560 C:\WINNT\System32\mshtmled.dll            6.00.2800.1106       Microsoft (R) HTML Editing Component
docprop2.dll    71f00000   315392 C:\WINNT\System32\docprop2.dll            5.00.2178.1          DocProp2
MSVFW32.DLL     6a8f0000   131072 C:\WINNT\System32\MSVFW32.DLL             5.00.2195.6612       Microsoft Video for Windows DLL
AVIFIL32.DLL    74870000    90112 C:\WINNT\System32\AVIFIL32.DLL            5.00.2195.6612       Microsoft AVI File support library
faxshell.dll    70020000    20480 C:\WINNT\system32\faxshell.dll            5.00.2134.1          Fax Tiff Data Column Provider
c_is2022.dll    74360000    20480 C:\WINNT\system32\c_is2022.dll            5.00.2195.6688       ISO-2022 Code Page Translation DLL

Start up

StartupList report, 7/1/2004, 12:17:00 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Mr1\Desktop\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\SYSTEM32\ATIPTAXX.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\a2\a2guard.exe
C:\Starcraft\starcraft.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Mr1\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\SYSTEM32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINNT\system32\NeroCheck.exe
Synchronization Manager = mobsync.exe /logon
POINTER = point32.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
a² = "C:\Program Files\a2\a2guard.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.6590277778

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,431 bytes
Report generated in 0.111 seconds

Command line options:
  /verbose  - to add additional info on each section
  /complete - to include empty sections and unsuspicious data
  /full     - to include several rarely-important sections
  /force9x  - to include Win9x-only startups even if running on WinNT
  /forcent  - to include WinNT-only startups even if running on Win9x
  /forceall - to include all Win9x and WinNT startups, regardless of platform
  /history  - to list version history only


*Being helped in chat*

Download Registrar Lite:

http://www.resplendence.com/reglite

Setting up:

Install Registrar Lite.

Start:

Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And hit the "Go" tab.

Find the "AppInit_DLLs" value in the right-hand panel, double-click it, and copy and post here the following fields:

-Size:

-Value:

Post the above results and a new HiJackThis log in this thread.

Edited by Archon_Wing


First download Winfile. http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm (Second one)

Unzip this file to its own folder.

Now we are going to get rid of the hidden DLL that is causing all the problems.

In Registrar Lite:

=====================================

First we need to make it visible:

Copy and paste this line to reglite's address bar. Then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Rename the folder Windows to NotWindows

(the folder is highlighted as a purple folder in the left-hand pane of reglite)

Click "AppInit_DLLs" again and clear the data value:

C:\WINDOWS\System32\wdm.dll

<-- delete this line,

'Apply' and 'OK' to set.

Rename the NotWindows folder back to its original name, Windows

========================================

Restart your computer.

After restart, try to locate the wdm.dll in the System32 folder, but don't attempt to delete it yet.

Go to your root drive: C:\ And create a new folder.

Name it: "junk"

===============================

Run the 'Winfile' you previously downloaded and unzipped.

Expand and navigate to the System32 folder.

You need to navigate by double-clicking to expand.

When in System32 click the top menu: File --> Select files

Copy and paste to the box: wdm.dll and hit Select.

Find and highlight that file.

Next, in the top menu > Security > Permissions, tell us what is listed there for that file.

Also check the 'Owner' tab.

Lastly, try this: Menu - File --> Move...

In From: Copy/paste:

C:\WINDOWS\System32\wdm.dll

In To: Copy and paste:

C:\junk\wdm.dll

Then hit OK.

Close Winfile and check in C:\junk for that file.

No further action is needed yet...

Post back results for now.

Edited by Archon_Wing

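A defender-side check of the same AppInit_DLLs key, as an added PowerShell example that is not from this thread, from Registrar Lite or from Winfile: it prints the Size and Value the helper asks for, escapes any non-printable characters in value names under the key so a padded name cannot hide, and reports owner, permissions and Authenticode status for each DLL the value lists. It assumes a current Windows PowerShell session; resolving a bare filename to System32 is an assumption made here.

```powershell
# Added audit script (not from the thread). Reports the Size and Value the helper
# asks for, lists every value name under the key with control characters made
# visible, and checks owner, ACL and signature of each DLL the value names.
$keyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath)
if ($null -eq $key) { throw "Key not found: HKLM\$keyPath" }

"Values under HKLM\$keyPath :"
foreach ($name in $key.GetValueNames()) {
    # Escape anything outside printable ASCII so a name padded with
    # control characters cannot hide among the normal ones.
    $shown = -join ($name.ToCharArray() | ForEach-Object {
        if ([int]$_ -lt 32 -or [int]$_ -gt 126) { '\u{0:X4}' -f [int]$_ } else { [string]$_ }
    })
    "  {0,-32} {1}" -f "'$shown'", $key.GetValueKind($name)
}

$appInit  = [string]$key.GetValue('AppInit_DLLs', '')
$loadFlag = $key.GetValue('LoadAppInit_DLLs')   # only exists on Windows 7 and later
"Size:  {0} characters" -f $appInit.Length
"Value: '{0}'" -f $appInit
"LoadAppInit_DLLs: {0}" -f $(if ($null -eq $loadFlag) { '(not set)' } else { $loadFlag })

# Every DLL listed here is loaded into each process that maps user32.dll,
# so each entry deserves a look: present? owned by whom? signed by whom?
foreach ($entry in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
    $path = [Environment]::ExpandEnvironmentVariables($entry)
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Assumption: a bare filename resolves to System32, which is where the
        # thread found wdm.dll; LoadLibrary's real search order is broader.
        $path = Join-Path $env:SystemRoot ("System32\" + $path)
    }
    if (-not (Test-Path -LiteralPath $path)) { "  $path : file not found"; continue }
    $acl = Get-Acl -LiteralPath $path
    $sig = Get-AuthenticodeSignature -FilePath $path
    "  $path"
    "    owner     : $($acl.Owner)"
    "    signature : $($sig.Status) $($sig.SignerCertificate.Subject)"
    foreach ($ace in $acl.Access) {
        "    {0,-5} {1,-28} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights
    }
}
```

A non-empty value is not proof of infection on its own; an entry pointing at an unsigned or recently created DLL, or a value name that only shows up once escaped, is what merits the follow-up the helper describes.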

New and improved (clean!!!) computer thanks to archon:

 

Logfile of HijackThis v1.98.0
Scan saved at 2:06:45 AM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Mr1\Desktop\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab


You can also take some steps to prevent being hijacked again.

Protection - download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

Don't forget Windows Update. Get them now and then at http://windowsupdate.microsoft.com/

Also, download Sun Java if you haven't already at http://java.com/en/index.jsp Downloading it gets rid of the flaws that MS Java has that people like the CWS folks like to take advantage of too much.

And also see

So how did I get infected in the first place?
