Jump to content


Photo

Search Engine Hijack


  • Please log in to reply
41 replies to this topic

#1 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 02:09 AM

Hey, thanks ahead of time. I just get back from Gatech about a week ago, and one of the computers at home here is so full of spyware and stuff i've gone on a rampage, adaware, spybot, the works. Well, just when i thought i had cleaned this machine completely, i noticed something funny about google. everytime i searched, it gave me a page of ads that looked like real google results, then, when i went to page two, it reverted back to the real page one of google results. my lil bro thought google had changed and you had to pay them money to get the ads to go away, i laughed. i check a couple other search engines (yahoo, altavista, dogpile, metacrawler, msn) and lo and behold, the same first page of ads, all formated to look like their corrosponding search engine results, came up as the first page of results. ive never used hijack this, so i ran it, and got this log:

Logfile of HijackThis v1.97.7
Scan saved at 2:55:18 AM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\MDM.EXE
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7EB2A76C-97AE-4CF3-9C6A-EA0F61F137E1} - http://www.sexxx-dir...FreeInstall.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7954.0054282407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...m/cab/crack.CAB

first thing i noticed was the websearch stuff still being there (i spent an hour removing that, it replaced the DNS error page with one looking exactly like it, only with the websearch browser built in, i was impressed)...and i noticed crack.CAB and 4FreeInstall.exe...

anywho, i removed those using hijack this, and a couple other little things (qt startup and some IE buttons), and the search engine hijack thing is still here. i've searched the registry, every little thing in IE possible (that i know of), everything, and can't figure it out. here's the new log and i hope to god you all can help me out.

thanks - nick

Logfile of HijackThis v1.97.7
Scan saved at 3:01:42 AM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\MDM.EXE
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7954.0054282407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

thanks once again for any help!

Edited by meh, 17 May 2004 - 02:50 AM.


#2 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 02:50 AM

Close all programs, tick the following for removal in HJT, and click "Fix Checked:"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

Reboot.

Find and delete this file:

C:\WINDOWS\system32\dla\tfswshx.dll

Scan agian with HJT and post the new log.
Signature file is under revision. This will be back shortly.

#3 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 03:04 AM

thanks for the help, mucho appreciated

"C:\WINDOWS\system32\dla\tfswshx.dll"

i went there, the file is not there (not hidden or anything...)

anywho, here's my log file, the search engines are all still hijacked...and i am still quite baffled...i'm gonna run a deep system search for the file though, i'll edit if i can find it elsewhere...

edit: found it in program files\sonic\dla\install - delete?
also - i've gone through my host files, there is nothing in there that shouldnt be there (aka - local host), so that rules out host file manipulation

Logfile of HijackThis v1.97.7
Scan saved at 4:02:26 AM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7954.0054282407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by meh, 17 May 2004 - 03:08 AM.


#4 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 03:10 AM

Download this zip file.

http://www.zero.vulc...ownloads/pv.zip

Please unzip it to the desktop. It will not work if you run it from inside the zip.

After you unzip it, go to the desktop. Open the pv folder. Double-click on the runme.bat file.

A DOS window will open. Please select option 1 for Explorer dll's by typing 1 and then pressing enter.

Notepad will open with a log in it. Please copy and paste the log into this post.
Signature file is under revision. This will be back shortly.

#5 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 03:15 AM

once again, many thanks, work your wonders:

edit: should i delete the .dll from the sonic\dla\install folder?

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2800.1221 (xpsp2.030511-1403) Windows Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
SHELL32.dll 773d0000 8359936 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1348 (xpsp2.040109-1800) Windows Shell Common Dll
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
yla3.tmp 800000 471040 C:\WINDOWS\TEMP\yla3.tmp
MPR.DLL 71b20000 69632 C:\WINDOWS\system32\MPR.DLL 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
WSOCK32.DLL 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
themeui.dll 559e0000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
msi.dll 1370000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
pha2.tmp 1630000 471040 C:\WINDOWS\TEMP\pha2.tmp
WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Web Site Monitor
stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
NETSHELL.dll 75cf0000 1642496 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1254 (xpsp2.030801-1834) Network Connections Shell
credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
iphlpapi.dll 76d60000 90112 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.1240 (xpsp2.030618-0119) IP Helper API
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
ODBC32.dll 1dd0000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
DUSER.dll 6c1b0000 278528 C:\WINDOWS\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine
sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.1106 (xpsp1.020828-1920) Still Image Devices client DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
SXS.DLL 75e90000 688128 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1336 (xpsp2.040109-1800) Fusion 2.5
msxml3.dll 72e00000 1134592 C:\WINDOWS\System32\msxml3.dll 8.30.9926.0 MSXML 3.0 SP 3
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows™ Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft ® JScript
mscoree.dll 79170000 155648 C:\WINDOWS\System32\mscoree.dll 1.1.4322.573 Microsoft .NET Runtime Execution Engine
Shfusion.dll 796e0000 253952 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Shfusion.dll 1.1.4322.573 Microsoft COM Runtime Fusion Assembly Viewer
MSVCR71.dll 7c340000 352256 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
mstask.dll 735d0000 258048 C:\WINDOWS\System32\mstask.dll 5.1.2600.1106 (xpsp1.020828-1920) Task Scheduler interface DLL
AlbuDBps.dll 2050000 32768 C:\Program Files\Logitech\Video\AlbuDBps.dll 8.1.1.1100 Album Database Proxy/Stub DLL
shmedia.dll 5cad0000 135168 C:\WINDOWS\System32\shmedia.dll 6.00.2800.1125 (xpsp2.020921-0842) Media File Property Extractor Shell Extension
MSVFW32.dll 73bd0000 131072 C:\WINDOWS\System32\MSVFW32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Video for Windows DLL
AVIFIL32.dll 73b50000 86016 C:\WINDOWS\System32\AVIFIL32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft AVI File support library
igfxpph.dll 10000000 225280 C:\WINDOWS\System32\igfxpph.dll 3,0,0,2104 igfxpph Module
hccutils.DLL b50000 122880 C:\WINDOWS\System32\hccutils.DLL 3,0,0,2104 hccutils Module
igfxres.dll fa0000 159744 C:\WINDOWS\System32\igfxres.dll 3,0,0,2104 xxxxres Module
igfxsrvc.dll 16b0000 327680 C:\WINDOWS\System32\igfxsrvc.dll 3,0,0,2104 igfxsrvc Module
cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API
mydocs.dll 72410000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) My Documents Folder UI
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
rarext.dll 1320000 176128 C:\Program Files\WinRAR\rarext.dll
actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows NT MARTA provider
AcroIEHelper.dll f20000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft ® Shell Extension for Windows Script Host

Edited by meh, 17 May 2004 - 03:17 AM.


#6 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 03:21 AM

You've got some things in there that should _DEFINITELY_ not be running. Can you please put them into a .zip archive and e-mail them to this address?

C:\WINDOWS\TEMP\pha2.tmp
C:\WINDOWS\TEMP\yla3.tmp

NOTHING in the temp folder should _EVER_ interface with anything.

After you do that, please download TheKillBox from the link in my signature.

Don't click any of the buttons. Click on the Action menu and choose "Delete on Reboot".

On the next screen, click on the File menu and choose "Add File".

Target these two files:

C:\WINDOWS\TEMP\pha2.tmp
C:\WINDOWS\TEMP\yla3.tmp

If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

When you're back in Windows, check to see if there's any change in the search problem and report back. Scan with HJT and post the new log.
Signature file is under revision. This will be back shortly.

#7 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 03:32 AM

the killbox link is a big 404 error, file not found, and i emailed you from my hotmail address with the .rar, i can do .zip if you really need it, and ummm, thanks

#8 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 03:36 AM

Use this TKB URL, then:

http://www.downloads...org/KillBox.zip

RAR works - I have WinRAR too. ^_^ Gotta be able to read everything in this business.

Edited by Tuxedo Jack, 17 May 2004 - 03:36 AM.

Signature file is under revision. This will be back shortly.

#9 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 03:43 AM

so you got the email, good good. well, searches still are wonderfully ad-full....
heres the hjt log for your viewing pleasure

edit: fyi - ran the killbox thing, exactly as instructed, seemed to do exactly as expected too...

Logfile of HijackThis v1.97.7
Scan saved at 4:42:18 AM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\MDM.EXE
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7954.0054282407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

i dont think it really changed...

tuxjack - i'm going to bed, its 5:15 here in the us est, and i have work tomorrow morning, so im gonna get a few hours of shuteye and check back in around lunch...once again, many thanks man, i truely appreciate it

Edited by meh, 17 May 2004 - 04:17 AM.


#10 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 04:36 AM

Please give me a new pv log. After reading the raw hex dump from those, they are indeed a hijacker. I want to find what's causing those and kill it dead.
Signature file is under revision. This will be back shortly.

#11 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 04:44 AM

now i really AM going to bed, ill check back tomorrow...i am also sending you a .rar of nga1.tmp as it is in temp folder yet in the log too...
night man, thanks a bunch

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2800.1221 (xpsp2.030511-1403) Windows Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
SHELL32.dll 773d0000 8359936 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1348 (xpsp2.040109-1800) Windows Shell Common Dll
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
nga1.tmp 800000 471040 C:\WINDOWS\TEMP\nga1.tmp
MPR.DLL 71b20000 69632 C:\WINDOWS\system32\MPR.DLL 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
WSOCK32.DLL 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
cscdll.dll 76600000 110592 C:\WINDOWS\System32\cscdll.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
themeui.dll 559e0000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
msi.dll 1330000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Web Site Monitor
stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
NETSHELL.dll 75cf0000 1642496 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1254 (xpsp2.030801-1834) Network Connections Shell
credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
iphlpapi.dll 76d60000 90112 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.1240 (xpsp2.030618-0119) IP Helper API
SXS.DLL 75e90000 688128 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1336 (xpsp2.040109-1800) Fusion 2.5
printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
DUSER.dll 6c1b0000 278528 C:\WINDOWS\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine
asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft ® Shell Extension for Windows Script Host
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL

#12 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 12:08 PM

bump to see if anything happened while away...tuxjack seemed to be making some progress...

#13 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 12:18 PM

Can we see option 2 in pv with one internet explorer open. also chose option eight and than option 4 and 6 please also.



#14 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 12:19 PM

Don't click any of the buttons. Click on the Action menu and choose "Delete on Reboot".

On the next screen, click on the File menu and choose "Add File".

Target this file:

C:\WINDOWS\TEMP\nga1.tmp

If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

When you're back in Windows, delete everything in this folder:

C:\windows\temp

Check to see if there's any change in the search problem and report back. Scan with HJT and post the new log.
Signature file is under revision. This will be back shortly.

#15 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 12:34 PM

aight, thanks...search problem still there, in clearing my temp folder, two conspicuous files are unable to be deleted.

"Cannot delete tha1: Access is denied" check write protections, etc. so those two files are still there. im gonna include the HJT log of tux jack, as well as 2, 8-4 and 6 for shadowwar...thanks again

oh: ran a quick 1 (wont post) but noticed that tha1.temp is chillin in there just like the others...go figure. anywho, the logs!

Logfile of HijackThis v1.97.7
Scan saved at 1:28:07 PM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MDM.EXE
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7954.0054282407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

-----
option 2

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
SHELL32.dll 773d0000 8359936 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1348 (xpsp2.040109-1800) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
tha1.tmp 900000 471040 C:\WINDOWS\TEMP\tha1.tmp
MPR.DLL 71b20000 69632 C:\WINDOWS\system32\MPR.DLL 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
OLEAUT32.DLL 77120000 569344 C:\WINDOWS\system32\OLEAUT32.DLL 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
WSOCK32.DLL 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
googletoolbar1.dll 10000000 753664 c:\program files\google\googletoolbar1.dll 2, 0, 95, 0 Google IE Client Toolbar
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows™ Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
AcroIEHelper.dll f10000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
msi.dll 17a0000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
SXS.DLL 75e90000 688128 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1336 (xpsp2.040109-1800) Fusion 2.5
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
msdhmd.dll 1090000 237568 C:\WINDOWS\System32\msdhmd.dll 1.0.0.1 TODO: <File description>
mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Microsoft ® HTML Viewer
PDM.DLL 4a000000 180224 C:\WINDOWS\System32\PDM.DLL 6.00.8424 Process Debug Manager
MSDBG.DLL 4aa00000 86016 C:\WINDOWS\System32\MSDBG.DLL 6.00.8424 Active Debugging Proxy/Stub
msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
ODBC32.dll 2410000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.1106 (xpsp1.020828-1920) Still Image Devices client DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft ® JScript
mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Editing Component

---
option 8-4

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]
@="SearchRepPP Class"
"CLSID"="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

----
option 8-6

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
"MenuText"="Sun Java Console"
"CLSID"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
"ClsidExtension"="{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}]
"Default Visible"="Yes"
"ButtonText"="AIM"
"HotIcon"="C:\\Program Files\\AIM\\aimres.dll,144"
"Icon"="C:\\Program Files\\AIM\\aimres.dll,143"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\AIM\\aim.exe"


i hope i did those right, thanks again!

-nick

Edited by meh, 17 May 2004 - 12:36 PM.


#16 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 12:41 PM

I'm going to bow out here and defer to Shadowwar - god knows he's a master with this. I'll still monitor, though.
Signature file is under revision. This will be back shortly.

#17 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 12:42 PM

ok go here and download the registry search tool.

http://www.billsway.com/vbspage/

search for this and post the results:
CC905FF6-B553-496C-9DFA-CFF65ADCD0FC

By the way i cleaned one of these last week.. Hides nice from Hijackthis but easy to detect if know where to look.

This is part of the problem with the google results.

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]
@="SearchRepPP Class"
"CLSID"="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"



#18 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 12:43 PM

Sorry to but in jack.. but this one hides nicely.



#19 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 12:44 PM

Shadowwar, is this one of the new CWS variants that the little rats have cooked up specifically to evade detection or someodd?
Signature file is under revision. This will be back shortly.

#20 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 12:44 PM

that bad eh? man oh man, when i first figured out what it was doing i was so incredibly impressed...thanks alot for getting me this far, i appreciate it man, im dropping you one more email, this time from my gatech account, of a screenshot of the thing in action, for you to admire, because i don't think my description was good enough. alright then, well, shadowwar, looks like its your turn, i appreciate the help and hope you can figure this one out.

#21 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 12:46 PM

Well i was just lucky enough to physically get my hands on the machine to watch the thing in action. This one was created to avoid detection but easy to remove with a simple regmerge once we have the peices. We have one but need one other.



#22 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 12:47 PM

Well Tux also in this case and option 2 log for iexplorer would of been better. Because its only happening with IE open and going to google. IT did show the file in the iexplorer but i want the reg key so we can clear that too.



#23 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 12:48 PM

not just google, every search engine, but yea, dont think it matters...

and here ya go:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "CC905FF6-B553-496C-9DFA-CFF65ADCD0FC" 5/17/2004 1:48:20 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP\CLSID]
@="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP.1\CLSID]
@="{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}"

Edited by meh, 17 May 2004 - 12:49 PM.


#24 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 12:53 PM

Ok navigate to this key in regedit:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}]

Right click it and hit export.
save it to desktop
open with notepad and paste contents here.



#25 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 12:55 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}]
@="SearchRepPP Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\InprocServer32]
@="C:\\WINDOWS\\System32\\msdhmd.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\ProgID]
@="Searchrep.SearchRepPP.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\TypeLib]
@="{8DBD1CE8-2720-4774-8CC6-32737958AC4B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}\VersionIndependentProgID]
@="Searchrep.SearchRepPP"

#26 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 01:01 PM

ok regsearch tool this one too.. this thing is hooked a little deeper than i thought
8DBD1CE8-2720-4774-8CC6-32737958AC4B



#27 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 01:03 PM

no instances of that key found (14 second search). i copied and pasted as to avoid typos...

#28 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 01:04 PM

ok regsearch this one also..
tha1.tmp



#29 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 01:05 PM

not found also...

#30 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 01:09 PM

Hmm ok lets take care of the search hijacker.

Copy the contents of the quote box to notepad:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP\CLSID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\searchrep.SearchRepPP.1\CLSID]

Hit save as
save as filename:
clear.reg
under the filename set to all types.
save it to the desktop.
Close all IE's
double click the clear.reg
when asked to merge say yes.

Then go and delete this file:

C:\WINDOWS\System32\msdhmd.dll
If it wont delete than reboot and delete it.

After that is all done open 1 ie again and give me an option2 log in pv.

Edited by shadowwar, 17 May 2004 - 01:10 PM.




#31 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 01:14 PM

FIXED!!!! AMEN!!! quick question: care to explain what was goin on? where it came from? etc, etc, etc?

heres the option 2 log

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
SHELL32.dll 773d0000 8359936 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1348 (xpsp2.040109-1800) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
tha1.tmp 900000 471040 C:\WINDOWS\TEMP\tha1.tmp
MPR.DLL 71b20000 69632 C:\WINDOWS\system32\MPR.DLL 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
OLEAUT32.DLL 77120000 569344 C:\WINDOWS\system32\OLEAUT32.DLL 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
WSOCK32.DLL 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
googletoolbar1.dll 10000000 753664 c:\program files\google\googletoolbar1.dll 2, 0, 95, 0 Google IE Client Toolbar
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows™ Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
AcroIEHelper.dll f10000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
msi.dll 17a0000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
SXS.DLL 75e90000 688128 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1336 (xpsp2.040109-1800) Fusion 2.5
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Microsoft ® HTML Viewer
PDM.DLL 4a000000 180224 C:\WINDOWS\System32\PDM.DLL 6.00.8424 Process Debug Manager
MSDBG.DLL 4aa00000 86016 C:\WINDOWS\System32\MSDBG.DLL 6.00.8424 Active Debugging Proxy/Stub
msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft ® JScript
vbscript.dll 73300000 479232 C:\WINDOWS\System32\vbscript.dll 5.6.0.7426 Microsoft ® VBScript
Flash.ocx 2900000 1732608 C:\WINDOWS\System32\macromed\flash\Flash.ocx 7,0,19,0 Macromedia Flash Player 7.0 r19
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
SwSupport.dll 69000000 57344 C:\WINDOWS\System32\Macromed\Common\SwSupport.dll 8.5.1r102 Shockwave Remote Support
ddrawex.dll 65000000 36864 C:\WINDOWS\System32\ddrawex.dll 5.3.0000000.900 built by: DIRECTX Direct Draw Ex
DDRAW.dll 51000000 315392 C:\WINDOWS\System32\DDRAW.dll 5.3.0000000.900 built by: DIRECTX Microsoft DirectDraw
DCIMAN32.dll 73bc0000 24576 C:\WINDOWS\System32\DCIMAN32.dll 5.1.2600.0 (xpclient.010817-1148) DCI Manager

Edited by meh, 17 May 2004 - 01:15 PM.


#32 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 01:20 PM

Ok we still have one to deal with.

C:\WINDOWS\TEMP\tha1.tmp

Killbox that one with all ie's closed. let me know results.



#33 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 01:27 PM

did that, a new .tmp file came up...

lha1.tmp 900000 471040 C:\WINDOWS\TEMP\lha1.tmp

(thats from a option 2 log)

i'm goin out for a bit though, i'll be back later...thanks for the help man, any ideas on how to remove these residual temp files would be greatly appreciated

#34 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 01:35 PM

please email me a copy of that .tmp file.

Click here to email!



#35 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 17 May 2004 - 01:41 PM

Shadowwar, you want copies of the tmp files meh sent me earlier? I'm forwarding the message to you, 333KB RAR file and all.
Signature file is under revision. This will be back shortly.

#36 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 17 May 2004 - 02:04 PM

Ok will disect tonite and look.



#37 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 17 May 2004 - 02:45 PM

aight, i emailed the rar to both tux joker (in case he wanted it) and to shadowwar...hope you all can figure out how the .tmp's are being run when explorer and ie are being run...

#38 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 18 May 2004 - 01:19 AM

bump....any news on the temp files?

#39 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 18 May 2004 - 07:13 AM

i didnt have time last night. will look tonight. any symptoms that can be related to this?



#40 meh

meh

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 18 May 2004 - 08:21 AM

no, it's just that tux jack said files in the windows temp folder should not show up in pv's option 1 or option 2 logs, and i too would agree .tmp files should not be run/etc by IE or explorer...tux said that the tmp file he disected was a hijacker of some sort, the search engine problem is fixed though, and i had though the .tmp file's being run had to do with that, but apparently not..

#41 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 18 May 2004 - 09:49 AM

Never recieved copies of the files. Can you send again please?



#42 fullsack

fullsack

    Member

  • New Member
  • Pip
  • 1 posts

Posted 21 June 2004 - 09:58 PM

Tuxedo Jack & shadowwar - YOU GUYS ROCK

I've been having this problem for about 3 months now, did a simple search in the archive and came across this thread. Did everything you guys said, and it's finally fixed - thanks a million!!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button