Help please :(

5 replies to this topic

#1 Gessfk (New Member, 3 posts)

Posted 29 June 2004 - 06:22 AM

So somehow I got spyware up my butt. I don't know how it got in, because usually I'm pretty careful about what I download. The last things I've downloaded have been: 3dMark04, 3dmark03, pcmark04, and net transport "2". I had net transport, the original version, and it was spyware free, but I dunno, now the second version has some different website and stuff, so dunno.

Anyway, here's the problem: I can't get rid of this spyware shit. I run CWS Shredder, and it seems to find searchx most often, but it has also found msconfig I think, and maybe even another. It's like there's some hole in my computer that keeps letting this shit back in, because every time I remove it, it comes back like an hour later, it seems. I tried reading about searchx on spywareinfo, but I don't fully understand what it's talking about on how to remove it. I also read that realyellowpages sometimes comes with it, and how bad that one was. That kinda scared me, because it almost sounded like what I had, but I did what that one said, and didn't find it in the log from some file I downloaded in the instructions. Anyway, I'm super tired, and posting this before I go to sleep. Here are the log files I got from various programs.

HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 4:07:34 AM, on 6/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mr1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...lim/install.cab

Startup list:

StartupList report, 6/29/2004, 4:03:34 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Mr1\Desktop\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Mr1\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINNT\system32\NeroCheck.exe
Synchronization Manager = mobsync.exe /logon
POINTER = point32.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7861.6590277778

[{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}]
CODEBASE = http://install.wildt...lim/install.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,402 bytes
Report generated in 0.080 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

(note: I told it to run autoexec.bat, and pointer32 is my mouse software)

And here is the Internet Explorer DLL list:


Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 Internet Explorer
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft ® C Runtime Library
KERNEL32.dll 7c570000 753664 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6897 Windows NT BASE API Client DLL
USER32.dll 77e10000 413696 C:\WINNT\system32\USER32.dll 5.00.2195.6897 Windows 2000 USER API Client DLL
GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
SHLWAPI.dll 70a70000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
ADVAPI32.dll 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 Advanced Windows 32 Base API
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
SHDOCVW.dll 71700000 1347584 C:\WINNT\system32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
IMM32.DLL 75e60000 106496 C:\WINNT\system32\IMM32.DLL 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
comctl32.dll 950000 540672 C:\WINNT\system32\comctl32.dll 5.81 Common Controls Library
SHELL32.dll 782f0000 2392064 C:\WINNT\system32\SHELL32.dll 5.00.3700.6705 Windows Shell Common Dll
ole32.dll 77a50000 978944 C:\WINNT\system32\ole32.dll 5.00.2195.6906 Microsoft OLE for Windows
POINT32.dll 61210000 36864 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll 4.00.0657.0 Microsoft IntelliPoint
BROWSEUI.dll 71500000 1036288 C:\WINNT\system32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
browselc.dll 71960000 73728 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
WININET.dll 63000000 614400 C:\WINNT\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Offline Network Agent
urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
mshtml.dll 63580000 2818048 C:\WINNT\System32\mshtml.dll 6.00.2800.1400 Microsoft ® HTML Viewer
shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
MLANG.dll 70440000 585728 C:\WINNT\system32\MLANG.dll 6.00.2800.1106 Multi Language Support DLL
msi.dll 2410000 2113536 C:\WINNT\system32\msi.dll 2.0.2600.1183 Windows Installer
MSH_ZWF.dll 61220000 45056 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll 4.00.0657.0 Microsoft IntelliPoint
MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.6601 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.6601 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
NETAPI32.DLL 75170000 323584 C:\WINNT\System32\NETAPI32.DLL 5.00.2195.6897 Net Win32 API DLL
SECUR32.DLL 7c340000 61440 C:\WINNT\System32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\System32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\System32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\System32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\System32\WSOCK32.DLL 5.00.2195.6603 Windows Socket 32-Bit DLL
RASAPI32.dll 774e0000 208896 C:\WINNT\system32\RASAPI32.dll 5.00.2195.6625 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6738 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows™ Telephony API Client DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
msafd.dll 74fd0000 122880 C:\WINNT\system32\msafd.dll 5.00.2195.6602 Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.6601 Windows Sockets Helper DLL
rnr20.dll 782c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.6603 Windows Socket2 NameSpace DLL
iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.6602 IP Helper API
ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
ACTIVEDS.DLL 773b0000 192512 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 ADs Router Layer DLL
ADSLDPC.DLL 77380000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 ADs LDAP Provider C DLL
SETUPAPI.DLL 77880000 581632 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 DHCP Client Service
winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
jscript.dll 6b700000 589824 c:\winnt\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript
iepeers.dll 70fb0000 241664 C:\WINNT\System32\iepeers.dll 6.00.2800.1106 Internet Explorer Peer Objects
WINSPOOL.DRV 77800000 122880 C:\WINNT\System32\WINSPOOL.DRV 5.00.2195.6659 Windows Spooler Driver
mshtmled.dll 70f30000 450560 C:\WINNT\System32\mshtmled.dll 6.00.2800.1106 Microsoft ® HTML Editing Component
mscoree.dll 79170000 135168 C:\WINNT\System32\mscoree.dll 1.0.3705.0 Microsoft .NET Runtime Execution Engine
mscorie.dll 79410000 73728 C:\WINNT\Microsoft.NET\Framework\v1.0.3705\mscorie.dll 1.0.3705.0 Microsoft .NET IE MIME Filter
MSVCR70.dll 7c000000 344064 C:\WINNT\Microsoft.NET\Framework\v1.0.3705\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library
plugin.ocx 43d0000 98304 C:\WINNT\system32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX
wintrust.dll 76930000 176128 C:\WINNT\system32\wintrust.dll 5.131.2195.6824 Microsoft Trust Verification APIs
IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.6613 Windows NT Image Helper
comdlg32.dll 76b30000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3700.6693 Common Dialogs DLL
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
c_is2022.dll 74360000 20480 C:\WINNT\system32\c_is2022.dll 5.00.2195.6688 ISO-2022 Code Page Translation DLL
MSRATING.DLL 70400000 143360 C:\WINNT\system32\MSRATING.DLL 6.00.2800.1106 Internet Ratings and Local User Management DLL
msratelc.dll 30000000 69632 C:\WINNT\system32\msratelc.dll 6.00.2800.1106 Internet Ratings and Local User Management DLL

Thanks in advance, good night.

#2 Gessfk (New Member, 3 posts)

Posted 01 July 2004 - 02:18 AM

Updates

Logfile of HijackThis v1.98.0
Scan saved at 12:16:36 AM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\SYSTEM32\ATIPTAXX.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\a2\a2guard.exe
C:\Starcraft\starcraft.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Mr1\Desktop\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

IE DLL list:

 Module information for  'IEXPLORE.EXE'
  MODULE          BASE     SIZE     PATH
IEXPLORE.EXE      400000   102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE  6.00.2800.1106       Internet Explorer
ntdll.dll       77f80000   512000 C:\WINNT\system32\ntdll.dll               5.00.2195.6899       NT Layer DLL
msvcrt.dll      78000000   282624 C:\WINNT\system32\msvcrt.dll              6.10.9844.0          Microsoft (R) C Runtime Library
KERNEL32.dll    7c570000   753664 C:\WINNT\system32\KERNEL32.dll            5.00.2195.6897       Windows NT BASE API Client DLL
USER32.dll      77e10000   413696 C:\WINNT\system32\USER32.dll              5.00.2195.6897       Windows 2000 USER API Client DLL
GDI32.DLL       77f40000   253952 C:\WINNT\system32\GDI32.DLL               5.00.2195.6898       GDI Client DLL
SHLWAPI.dll     70a70000   413696 C:\WINNT\system32\SHLWAPI.dll             6.00.2800.1400       Shell Light-weight Utility Library
ADVAPI32.dll    7c2d0000   401408 C:\WINNT\system32\ADVAPI32.dll            5.00.2195.6876       Advanced Windows 32 Base API
RPCRT4.DLL      77d30000   462848 C:\WINNT\system32\RPCRT4.DLL              5.00.2195.6904       Remote Procedure Call Runtime
SHDOCVW.dll     71700000  1347584 C:\WINNT\system32\SHDOCVW.dll             6.00.2800.1400       Shell Doc Object and Control Library
IMM32.DLL       75e60000   106496 C:\WINNT\system32\IMM32.DLL               5.00.2195.6655       Windows 2000 IMM32 API Client DLL
WS2_32.DLL      75030000    81920 C:\WINNT\system32\WS2_32.DLL              5.00.2195.6601       Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL     75020000    32768 C:\WINNT\system32\WS2HELP.DLL             5.00.2134.1          Windows Socket 2.0 Helper for Windows NT
comctl32.dll      950000   540672 C:\WINNT\system32\comctl32.dll            5.81                 Common Controls Library
a2handler.dll   57800000   114688 C:\Program Files\a2\a2handler.dll        
oleaut32.dll    779b0000   634880 C:\WINNT\system32\oleaut32.dll            2.40.4522           
ole32.dll       77a50000   978944 C:\WINNT\system32\ole32.dll               5.00.2195.6906       Microsoft OLE for Windows
SHELL32.dll     782f0000  2392064 C:\WINNT\system32\SHELL32.dll             5.00.3700.6705       Windows Shell Common Dll
INDICDLL.dll    6e420000    24576 C:\WINNT\system32\INDICDLL.dll            5.00.2920.0000       Keyboard Language Indicator Shell Hook Extension
POINT32.dll     61210000    36864 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll  4.00.0657.0          Microsoft IntelliPoint
BROWSEUI.dll    71500000  1036288 C:\WINNT\system32\BROWSEUI.dll            6.00.2800.1400       Shell Browser UI Library
browselc.dll    71960000    73728 C:\WINNT\system32\browselc.dll            6.00.2800.1106       Shell Browser UI Library
CLBCATQ.DLL     775a0000   589824 C:\WINNT\system32\CLBCATQ.DLL             2000.2.3511.0       
WININET.dll     63000000   614400 C:\WINNT\system32\WININET.dll             6.00.2800.1405       Internet Extensions for Win32
CRYPT32.dll     7c740000   552960 C:\WINNT\system32\CRYPT32.dll             5.131.2195.6824      Crypto API32
MSASN1.DLL      77430000    65536 C:\WINNT\system32\MSASN1.DLL              5.00.2195.6905       ASN.1 Runtime APIs
cscui.dll       77840000   253952 C:\WINNT\system32\cscui.dll               5.00.2195.6705       Client Side Caching UI
CSCDLL.DLL      770c0000   143360 C:\WINNT\system32\CSCDLL.DLL              5.00.2195.6713       Offline Network Agent
urlmon.dll      1a400000   499712 C:\WINNT\system32\urlmon.dll              6.00.2800.1400       OLE32 Extensions for Win32
VERSION.dll     77820000    28672 C:\WINNT\system32\VERSION.dll             5.00.2195.6623       Version Checking and File Installation Libraries
LZ32.DLL        759b0000    24576 C:\WINNT\system32\LZ32.DLL                5.00.2195.6611       LZ Expand/Compress API DLL
mshtml.dll      63580000  2818048 C:\WINNT\System32\mshtml.dll              6.00.2800.1400       Microsoft (R) HTML Viewer
shdoclc.dll     718c0000   540672 C:\WINNT\system32\shdoclc.dll             6.00.2800.1106       Shell Doc Object and Control Library
MLANG.dll       70440000   585728 C:\WINNT\system32\MLANG.dll               6.00.2800.1106       Multi Language Support DLL
msi.dll          2620000  2113536 C:\WINNT\system32\msi.dll                 2.0.2600.1183        Windows Installer
MSH_ZWF.dll     61220000    45056 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll  4.00.0657.0          Microsoft IntelliPoint
MSLS31.DLL      75ac0000   163840 C:\WINNT\system32\MSLS31.DLL              3.10.337.0           Microsoft Line Services library file
wsock32.dll     75050000    32768 C:\WINNT\system32\wsock32.dll             5.00.2195.6603       Windows Socket 32-Bit DLL
RASAPI32.dll    774e0000   208896 C:\WINNT\system32\RASAPI32.dll            5.00.2195.6625       Remote Access API
RASMAN.DLL      774c0000    69632 C:\WINNT\system32\RASMAN.DLL              5.00.2195.6738       Remote Access Connection Manager
TAPI32.DLL      77530000   139264 C:\WINNT\system32\TAPI32.DLL              5.00.2195.6664       Microsoft® Windows(TM) Telephony API Client DLL
RTUTILS.DLL     77830000    57344 C:\WINNT\system32\RTUTILS.DLL             5.00.2168.1          Routing Utilities
USERENV.DLL     7c0f0000   397312 C:\WINNT\system32\USERENV.DLL             5.00.2195.6794       Userenv
netapi32.dll    75170000   323584 C:\WINNT\system32\netapi32.dll            5.00.2195.6897       Net Win32 API DLL
SECUR32.DLL     7c340000    61440 C:\WINNT\system32\SECUR32.DLL             5.00.2195.6695       Security Support Provider Interface
NETRAP.DLL      751c0000    24576 C:\WINNT\system32\NETRAP.DLL              5.00.2134.1          Net Remote Admin Protocol DLL
SAMLIB.DLL      75150000    61440 C:\WINNT\system32\SAMLIB.DLL              5.00.2195.6897       SAM Library DLL
WLDAP32.DLL     77950000   172032 C:\WINNT\system32\WLDAP32.DLL             5.00.2195.6666       Win32 LDAP API DLL
DNSAPI.DLL      77980000   147456 C:\WINNT\system32\DNSAPI.DLL              5.00.2195.6824       DNS Client API DLL
rnr20.dll       782c0000    49152 C:\WINNT\System32\rnr20.dll               5.00.2195.6603       Windows Socket2 NameSpace DLL
iphlpapi.dll    77340000    77824 C:\WINNT\system32\iphlpapi.dll            5.00.2195.6602       IP Helper API
ICMP.DLL        77520000    20480 C:\WINNT\system32\ICMP.DLL                5.00.2134.1          ICMP DLL
MPRAPI.DLL      77320000    94208 C:\WINNT\system32\MPRAPI.DLL              5.00.2181.1          Windows NT MP Router Administration DLL
ACTIVEDS.DLL    773b0000   192512 C:\WINNT\system32\ACTIVEDS.DLL            5.00.2195.6601       ADs Router Layer DLL
ADSLDPC.DLL     77380000   143360 C:\WINNT\system32\ADSLDPC.DLL             5.00.2195.6701       ADs LDAP Provider C DLL
SETUPAPI.DLL    77880000   581632 C:\WINNT\system32\SETUPAPI.DLL            5.00.2195.6622       Windows Setup API
DHCPCSVC.DLL    77360000   102400 C:\WINNT\system32\DHCPCSVC.DLL            5.00.2195.6685       DHCP Client Service
msafd.dll       74fd0000   122880 C:\WINNT\system32\msafd.dll               5.00.2195.6602       Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll    75010000    28672 C:\WINNT\System32\wshtcpip.dll            5.00.2195.6601       Windows Sockets Helper DLL
winrnr.dll      777e0000    32768 C:\WINNT\System32\winrnr.dll              5.00.2160.1          LDAP RnR Provider DLL
rasadhlp.dll    777f0000    20480 C:\WINNT\system32\rasadhlp.dll            5.00.2168.1          Remote Access AutoDial Helper
jscript.dll     6b700000   589824 c:\winnt\system32\jscript.dll             5.6.0.8513           Microsoft (r) JScript
vbscript.dll    6b600000   462848 c:\winnt\system32\vbscript.dll            5.6.0.7426           Microsoft (r) VBScript
Flash.ocx       10000000  1732608 C:\WINNT\system32\macromed\flash\Flash.ocx  7,0,19,0             Macromedia Flash Player 7.0  r19
WINMM.dll       77570000   196608 C:\WINNT\system32\WINMM.dll               5.00.2161.1          MCI API DLL
comdlg32.dll    76b30000   253952 C:\WINNT\system32\comdlg32.dll            5.00.3700.6693       Common Dialogs DLL
serwvdrv.dll    681a0000    28672 C:\WINNT\system32\serwvdrv.dll            5.00.2134.1          Unimodem Serial Wave driver
umdmxfrm.dll    66740000    28672 C:\WINNT\system32\umdmxfrm.dll            5.00.2134.1          Unimodem Tranform Module
wdmaud.drv      77560000    32768 C:\WINNT\system32\wdmaud.drv              5.00.2195.6673       WDM Audio driver mapper
msacm32.drv     77400000    32768 C:\WINNT\system32\msacm32.drv             5.00.2134.1          Microsoft Sound Mapper
MSACM32.dll     77410000    77824 C:\WINNT\system32\MSACM32.dll             5.00.2134.1          Microsoft ACM Audio Filter
dxtrans.dll     35c50000   208896 C:\WINNT\System32\dxtrans.dll             6.00.2800.1106       DirectX Media -- DirectX Transform Core
ATL.DLL         773e0000    86016 C:\WINNT\System32\ATL.DLL                 3.00.9435            ATL Module for Windows NT (Unicode)
ddrawex.dll     727f0000    36864 C:\WINNT\System32\ddrawex.dll             5.00.2134.1          Direct Draw Ex
DDRAW.dll       51000000   290816 C:\WINNT\System32\DDRAW.dll               5.3.0000000.900 built by: DIRECTX Microsoft DirectDraw
DCIMAN32.dll    728a0000    24576 C:\WINNT\System32\DCIMAN32.dll            5.00.2180.1          DCI Manager
dxtmsft.dll     35cb0000   364544 C:\WINNT\System32\dxtmsft.dll             6.00.2800.1106       DirectX Media -- Image DirectX Transforms
ACTXPRXY.DLL    703d0000   110592 C:\WINNT\system32\ACTXPRXY.DLL            6.00.2800.1106       ActiveX Interface Marshaling Library
dispex.dll       58a0000    45056 C:\WINNT\System32\dispex.dll              5.6.0.6626           Microsoft (r) DispEx
mshtmled.dll    70f30000   450560 C:\WINNT\System32\mshtmled.dll            6.00.2800.1106       Microsoft (R) HTML Editing Component
docprop2.dll    71f00000   315392 C:\WINNT\System32\docprop2.dll            5.00.2178.1          DocProp2
MSVFW32.DLL     6a8f0000   131072 C:\WINNT\System32\MSVFW32.DLL             5.00.2195.6612       Microsoft Video for Windows DLL
AVIFIL32.DLL    74870000    90112 C:\WINNT\System32\AVIFIL32.DLL            5.00.2195.6612       Microsoft AVI File support library
faxshell.dll    70020000    20480 C:\WINNT\system32\faxshell.dll            5.00.2134.1          Fax Tiff Data Column Provider
c_is2022.dll    74360000    20480 C:\WINNT\system32\c_is2022.dll            5.00.2195.6688       ISO-2022 Code Page Translation DLL

Startup list:
StartupList report, 7/1/2004, 12:17:00 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Mr1\Desktop\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\SYSTEM32\ATIPTAXX.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\a2\a2guard.exe
C:\Starcraft\starcraft.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Mr1\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\SYSTEM32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINNT\system32\NeroCheck.exe
Synchronization Manager = mobsync.exe /logon
POINTER = point32.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
a² = "C:\Program Files\a2\a2guard.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.6590277778

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,431 bytes
Report generated in 0.111 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


#3 Archon_Wing (Donut Patron, Trusted Advisor, 368 posts)

Posted 01 July 2004 - 03:25 AM

*Being helped in chat*
Download Registrar Lite:
http://www.resplendence.com/reglite


Setting up:
Install Registrar Lite.



Start:
Copy and paste this line to reglite's address bar, then press 'Go':
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And hit the "Go" tab.
Find the "AppInit_DLLs" value in the right-hand panel, double-click it, and copy and post here the following fields:
-Size:
-Value:

Post the above results and a new HiJackThis log in this thread.

Edited by Archon_Wing, 01 July 2004 - 03:27 AM.

Rights are never important until you don't have them.

#4 Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 01 July 2004 - 03:31 AM

First download Winfile: http://www10.brinkst...last/pvtool.htm (second one).
Unzip this file to its own folder.

Now we are going to get rid of the hidden DLL that is causing all the problems.
In Registrar Lite:
=====================================
First we need to make it visible:
Copy and paste this line into reglite's address bar, then press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Rename the folder Windows to NotWindows
(the folder is highlighted as a purple folder in the left-hand pane of reglite).

Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\wdm.dll
<-- delete this line,
then 'Apply' and 'OK' to set.

Rename the NotWindows folder back to its original name, Windows.
========================================
Restart your computer.

After the restart, try to locate wdm.dll
in the System32 folder, but don't attempt to delete it yet.

Go to your root drive, C:\, and create a new folder.
Name it: "junk"
===============================

Run the 'Winfile' you previously downloaded and unzipped.
Expand and navigate to the System32 folder.
You need to navigate by double-clicking to expand.

When in System32, click the top menu: File --> Select files
Copy and paste into the box: wdm.dll, then hit Select.
Find and highlight that file.
Next, in the top menu, Security > Permissions: tell us what is listed there for that file.
Also check the 'Owner' tab.

Lastly, try this: menu File --> Move...
In From: copy/paste:
C:\WINDOWS\System32\wdm.dll

In To: copy and paste:
C:\junk\wdm.dll

Then hit OK.

Close Winfile and check in C:\junk for that file.

No further action is needed yet...

Post back results for now.

Edited by Archon_Wing, 01 July 2004 - 03:33 AM.


#5 Gessfk

    Member

  • New Member
  • 3 posts

Posted 01 July 2004 - 04:07 AM

New and improved (clean!!!) computer, thanks to Archon:

Logfile of HijackThis v1.98.0
Scan saved at 2:06:45 AM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Mr1\Desktop\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
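
The clean log above is short enough to read by eye, but the checks a helper applies to it can be scripted. The following Python helper is an added example written for this thread; it is not HijackThis code and not part of any post. It parses the F0, F2, O4 and O16 lines of a HijackThis 1.9x log and flags the entries that merit a closer look: Run entries with a bare or oddly placed executable, UserInit values with extra programs, a non-explorer shell, and ActiveX (DPF) downloads from hosts not on an allow-list. The allow-list and the expected-directory list are assumptions (the hosts are taken from the CODEBASE entries in the StartupList report earlier in the thread); the second, constructed log uses hypothetical names to exercise the two checks the real log does not trigger.

```python
"""Triage helper for HijackThis 1.9x logs (added example, not HijackThis code)."""
import ntpath
import re
from urllib.parse import urlparse

# O16 (Download Program Files) hosts we are willing to trust. Assumed list,
# built from the CODEBASE entries in the StartupList report in this thread.
TRUSTED_DPF_HOSTS = {
    "download.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "office.microsoft.com",
    "download.macromedia.com",
}

# Directories an O4 (Run key) executable is normally expected under. Assumed.
EXPECTED_RUN_DIRS = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")

F0_RE = re.compile(r"^F0 - system\.ini: Shell=(?P<val>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.*?) - (?P<url>\S+)$")
EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|dll|com|bat|cmd))(?:\s|$)")


def executable_of(cmd):
    """Return the program part of a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def check_run(cmd):
    """Reason to review an O4 entry, or None if it looks ordinary."""
    exe = executable_of(cmd)
    low = exe.lower()
    if not re.match(r"^[a-z]:\\", low):
        # A bare name is resolved through the search path, so the registry
        # value alone does not say which file actually runs.
        return f"unqualified path '{exe}' (resolved via search path)"
    if not low.startswith(EXPECTED_RUN_DIRS):
        return f"runs from unexpected directory: {exe}"
    return None


def check_userinit(val):
    """Reason to review an F2 UserInit value, or None."""
    entries = [e.strip() for e in val.split(",") if e.strip()]
    if not entries:
        return "UserInit is empty"
    extra = [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]
    return "extra UserInit entries: " + ", ".join(extra) if extra else None


def triage(log_text):
    """Return (item, detail, reason) tuples for log lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F0_RE.match(line):
            val = m.group("val").strip()
            # HijackThis prints F0 whenever system.ini carries a Shell= line; on
            # NT-family systems an empty value is common, so only a shell other
            # than explorer.exe is reported.
            if val and ntpath.basename(executable_of(val)).lower() != "explorer.exe":
                findings.append(("F0", line, f"non-standard shell: {val}"))
        elif m := F2_RE.match(line):
            if reason := check_userinit(m.group("val")):
                findings.append(("F2", line, reason))
        elif m := O4_RE.match(line):
            if reason := check_run(m.group("cmd")):
                findings.append(("O4", m.group("name"), reason))
        elif m := O16_RE.match(line):
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("O16", m.group("name"), f"ActiveX download from unlisted host {host}"))
    return findings


# The relevant lines of the clean log posted above in this thread.
THREAD_LOG = r"""
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
"""

# Constructed lines with hypothetical names (not from the thread) to exercise
# the extra-UserInit and unexpected-directory checks.
CONSTRUCTED_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\example-extra.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\example.exe
"""

if __name__ == "__main__":
    for item, detail, reason in triage(THREAD_LOG) + triage(CONSTRUCTED_LOG):
        print(f"{item:4} {reason:60} <- {detail}")
```

On the thread's log this reports the two bare-name Run entries (mobsync.exe and point32.exe, both standard Windows components that a reader then confirms by hand) and the two pestscan.com ActiveX controls, which the log itself identifies as an online scanner control (PPSDKActiveXScanner). An unlisted host is a prompt to check, not a verdict; the allow-list deliberately leaves that judgement to the person reading the log.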


#6 Archon_Wing

    Donut Patron

  • Trusted Advisor
  • 368 posts

Posted 01 July 2004 - 04:15 AM

You can also take some steps to prevent being hijacked again.

Protection - download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.
Don't forget Windows Update. Get the updates now and then at http://windowsupdate.microsoft.com/
Also, download Sun Java if you haven't already at http://java.com/en/index.jsp. Downloading it gets rid of the flaws in MS Java that people like the CWS folks like to take advantage of too much.

And also see:
So how did I get infected in the first place?
