Jump to content


Photo

c:\spad, myexexex and casinopalazzo


  • Please log in to reply
31 replies to this topic

#1 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 06:53 AM

Hi,

I've been using your forums for a while now and I think they're excellent. I've now registered as you guys seem to have a handle on the latest variants of the malware that's out there.

I am currently plagued by the c:\spad - myexexex browser hijack, and a hijack which pops-up casinopalazzo.com and deposits a casinopalazzo internet shortcut on my desktop. I believe the 2 are separate.

When I first noticed c:\spad, I took shaddowwar's excellent advice to another forum user, and it appeared to work. But alas no - the hijacker runs intermittently and it was just coincidence.

Despite running SpywareGuard and BHODemon, it seems these things got on board when I was screwing around with my browser security. It's now set to medium with 'disable' set against all ActiveX downloads.

I've run SpybotS&D and CWSshredder, but to no avail, although they did clear up some other nasties.

Firstly: spad/myexexex
1. Ran HijackThis. Fixed all the references to c:\spad\start.html and http:\\www.myexexex.com... it found there.
2. Realised that the hijacker runs intermittently and re-edits the registry
3. I used a clear.reg file (again from this forum) to clear up the registry
4. Took shadowwar's tips and deleted the file c_10230.dll. Couldn't find any of the other dll's referred to on the forums (hpcmdty.dll, crtv32 etc.)
5. Still plagued by the damn thing.

6. Solution so far:
Placed a file on the root of C:\ called spad to prevent the creation of the spad directory by the hijacker. Thankfully, it seems to do this first, so the rest of the registry stuff it does is never executed. Now at the point the program tries to create spad it fails and I get "C:\spad is not accessible" followed by "Cannot run c:\spad\inst.exe". Using Task Manager while those dialogs are onscreen, I find a strange .dat file in \User\Temporary Internet Files. The file is 4-letter (XXXX.dat) randomly named and shortlived i.e. it disappears after the dialogues are closed or, I presume, after the spad hijacker succeeds.
I've grabbed a copy of the file, before it disappeared, so perhaps someone here could take a look at it and see if they can figure out what's creating it? I can forward the file or put in a website and send a link.

I've also posted my HJT log below. I'd appreciate it if you could scan through it to see what's up, although it does seem pretty clean to my ignorant eyes.

Can anyone suggest what I might try next? If we can tackle this one first I'll worry about the casinopalazzo problem later.

Thanks,
Dedalus

Logfile of HijackThis v1.97.7
Scan saved at 12:51:25, on 02/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Ian\Desktop\Anti-Virus, Spyware, Trojans\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BT Voyager Wireless Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 07:10 AM

Hi Dedalus

I actually think the two issues are related - this is the second time I have seen a resilient myexexex with that shortcut - also unresolved at the moment. Could you send that file to this e-mail address and I'll take a look.
Posted Image

#3 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 09:00 AM

Thanks, I've got the file now. Could you download PV from: http://tools.zerosrealm.com/pv.zip

Create a folder on your desktop called PV then extract all the files in pv.zip to that folder. It will not work if you run it from inside the zip. After unzipped open the pv folder. Double click on the runme.bat

A dos window will open. Be sure to have at least 1 Internet Explorer window open. Please select option 2 for explorer dll's by typing 2 and then pressing enter.

Notepad will open with a log in it. Please copy and paste the entire log into this topic.
Posted Image

#4 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 09:08 AM

PV output as requested:


Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer
ntdll.dll 77f50000 679936 C:\WINDOWS\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
USER32.dll 77d40000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL
GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 454656 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
SHELL32.dll 773d0000 8314880 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.115 (xpclnt_qfe.021108-2107) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
ole32.dll 771b0000 1126400 C:\WINDOWS\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
googletoolbar1.dll 10000000 753664 c:\windows\downloaded program files\googletoolbar1.dll 2, 0, 111, 0 Google IE Client Toolbar
urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32
WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
RASAPI32.DLL 1810000 233472 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.28 (xpclnt_qfe.010827-1803) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
NETAPI32.dll 71c20000 315392 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows™ Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\System32\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine
cxmsx[1].exe 1ef0000 53248 C:\Documents and Settings\Monster\Local Settings\Temporary Internet Files\Content.IE5\4H67KXIV\cxmsx[1].exe
shdoclc.dll 1f10000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer
msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript
iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft ® HTML Editing Component
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
plugin.ocx 72b20000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2600.0000 (xpclient.010817-1148) ActiveX Plugin OCX
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking

#5 anaselg

anaselg

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 02 June 2004 - 09:08 AM

Ive got the same problem with casino palazzo, and I just cant get rid of it, should I download the PV.zip thing and follow your instruction or is it a different process?

Cheers

#6 Slav

Slav

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2004 - 09:16 AM

I have the same trouble too. What to do?
(I mean this could be very effective, three persons could be helped at one time :p )

Edited by Slav, 02 June 2004 - 09:29 AM.


#7 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 09:29 AM

Hmmm.. what's this?

cxmsx[1].exe 1ef0000 53248 C:\Documents and Settings\Monster\Local Settings\Temporary Internet Files\Content.IE5\4H67KXIV\cxmsx[1].exe

Could you find that file and send it to me. Then delete it. This tool is useful - click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so. Repeat for all log-in accounts on your computer.
Posted Image

#8 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 09:34 AM

Ok this is darn strange. Normally the policy here is to not post in other peoples threads. Being this is new and never seen a few things i would like everyone that posted so far to follow my instructions and post here. Please no one else.

Ok if you have not downloaded pv.zip yet please do so from the link Daemon provided.

Next i need to see a few other logs from it.

First i need to see an option 1 log for explorer dlls

Than i need to you go to the registry menu and select the option for Mosiac's Runkeys export.

Please post both logs into this thread.



#9 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 09:52 AM

Dedalus - could you provide the additional logs. anaselg and Slav - please add your log files as shadowwar requested.
Posted Image

#10 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 09:55 AM

As per Shadowwar request:

PV Option 1 Explorer dlls:


Module information for 'explorer.exe'
MODULE BASE SIZE PATH
explorer.exe 1000000 1011712 C:\WINDOWS\explorer.exe 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer
ntdll.dll 77f50000 679936 C:\WINDOWS\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 454656 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL
USER32.dll 77d40000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL
SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library
SHELL32.dll 773d0000 8314880 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.115 (xpclnt_qfe.021108-2107) Windows Shell Common Dll
ole32.dll 771b0000 1126400 C:\WINDOWS\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
netapi32.dll 71c20000 315392 C:\WINDOWS\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
spywareguard.dll 22200000 126976 C:\Program Files\SpywareGuard\spywareguard.dll 2.02 SpywareGuard Protection
MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\System32\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell
credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
RASAPI32.dll 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows™ Telephony API Client DLL
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d80000 110592 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.1106 (xpsp1.020828-1920) DHCP Client Service
DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object
BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
ImapiRoxPS.dll 10000000 28672 C:\WINDOWS\System32\ImapiRoxPS.dll
WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32
printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
fxsst.dll 68df0000 573440 C:\WINDOWS\System32\fxsst.dll 5.2.1776.0 Fax Service
FXSAPI.dll 69010000 458752 C:\WINDOWS\System32\FXSAPI.dll 5.2.1776.0 Microsoft Fax API Support DLL
NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.0 (xpclient.010817-1148) Windows NT MARTA provider
SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
DUSER.dll 6c1b0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft ® Shell Extension for Windows Script Host
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL


And Mosaic Runkeys export:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunonceEx]

#11 Slav

Slav

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2004 - 09:58 AM

Thanks for helping. My original thread is Please don't let the bastards...
I didn't understand the"option for Mosiac's Runkeys export" part, you'd have to explain for me, sorry...
Here comes the log from option 1 (that's what you wanted, right?) :


Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1015808 C:\WINDOWS\Explorer.EXE 6.00.2800.1106 (xpsp1.020828-1920) Utforskaren
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL-fil för NT Layer
kernel32.dll 77e60000 958464 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Klient-DLL för Windows NT BASE API
msvcrt.dll 77c00000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
ADVAPI32.dll 77dc0000 643072 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1254 (xpsp2.030801-1834) Remote Procedure Call Runtime
GDI32.dll 77c60000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL
USER32.dll 77d30000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.1134 (xpsp2.020921-0842) Klient-DLL-fil för Windows XP
SHLWAPI.dll 63180000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1226 Shell Light-weight Utility Library
SHELL32.dll 773c0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) DLL-fil för Windows-gränssnittet
ole32.dll 7ccc0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1263 (xpsp2.030819-2129) Microsoft OLE för Windows
OLEAUT32.dll 77110000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
BROWSEUI.dll 75f60000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1203 Shell Doc Object och Control Library
UxTheme.dll 5b270000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för Microsoft UxTheme
IMM32.DLL 76370000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
LPK.DLL 62f00000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72f70000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor
comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
comctl32.dll 77330000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
msctfime.ime 810000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME
appHelp.dll 75f20000 122880 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 76fc0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
COMRes.dll 77040000 819200 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77bf0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76600000 323584 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 765e0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agent för frånkopplat nätverk
themeui.dll 5bb30000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Programmeringsgränssnitt (API) för Windows-teman
Secur32.dll 76f80000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
MSIMG32.dll 76360000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
USERENV.dll 75a50000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
Msimtf.dll 746c0000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
MSCTF.dll 746f0000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL-fil för MSCTF-servern
msutb.dll 60130000 196608 C:\WINDOWS\System32\msutb.dll 5.1.2600.1106 (xpsp1.020828-1920) Server-DLL-fil för MSUTB
netapi32.dll 71c10000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL
LINKINFO.dll 76970000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76980000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell-tillägg för delning
ATL.DLL 76b10000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1226 OLE32-tillägg för Win32
WINSTA.dll 76340000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
webcheck.dll 74b00000 270336 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Webbplatsövervakare
SETUPAPI.dll 76660000 954368 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) API för installationsprogrammet för Windows
stobject.dll 74ad0000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell-tjänstobjekt
BatMeter.dll 74ac0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74aa0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
WTSAPI32.dll 76f40000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
WINMM.dll 76b30000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
wdmaud.drv 72cf0000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72ce0000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77bd0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM-ljudfilter
midimap.dll 77bc0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
NETSHELL.dll 75cd0000 1646592 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1106 (xpsp1.020828-1920) Användargränssnitt för nätverksanslutning
credui.dll 76bf0000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Användargränssnitt för referenshanteraren
WS2_32.dll 71aa0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71a90000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d50000 94208 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpsp1.020828-1920) API för IP Helper
WINTRUST.dll 76c20000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) API för autentisering av Microsoft Trust
CRYPT32.dll 762a0000 561152 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) 32-bitars kryptografi-API
MSASN1.dll 76280000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
IMAGEHLP.dll 76c80000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
msi.dll 1a10000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
printui.dll 74b50000 536576 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
WINSPOOL.DRV 72fd0000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Drivrutin för Windows-bufferthanterare
ACTIVEDS.dll 76e30000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för Active Directory Router Layer
adsldpc.dll 76e00000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP-provider C DLL
WLDAP32.dll 76f50000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
CFGMGR32.dll 74ab0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
MPR.dll 71b10000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för router med flera providers
drprov.dll 75f40000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c00000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
NETUI0.dll 71cc0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c80000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c70000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
SAMLIB.dll 71be0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
davclnt.dll 75f50000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för Webb-DAV-klient
srclient.dll 5c560000 73728 C:\WINDOWS\System32\srclient.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL-fil för systemåterställningsklienten
framedyn.dll 69840000 188416 C:\WINDOWS\System32\Wbem\framedyn.dll 5.1.2600.0 (xpclient.010817-1148) WMI SDK Provider Framework
SXS.DLL 75e70000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
zipfldr.dll 73350000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2800.1126 (xpsp2.020921-0842) Komprimerade mappar
browselc.dll 72420000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare
WININET.dll 761e0000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet-tillbehör för Win32
DUSER.dll 6c730000 278528 C:\WINDOWS\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine
shdoclc.dll 76150000 565248 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object och Control Library
NavShExt.dll 10000000 106496 C:\Program\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
MSVCP60.dll 76060000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft ® C++ Runtime Library
ICQLiteShell.dll c30000 61440 C:\Program\ICQLite\ICQLiteShell.dll 1, 0, 0, 1 ICQLiteShell Module
MFC42.DLL 73da0000 991232 C:\WINDOWS\System32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
MFC42LOC.DLL 61ec0000 53248 C:\WINDOWS\System32\MFC42LOC.DLL 6.00.8665.0 MFC Språkspecifika resurser
sfc_os.dll 76c50000 167936 C:\WINDOWS\System32\sfc_os.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Filskydd
incdshx.dll 1c000000 135168 C:\Program\Ahead\InCD\incdshx.dll 4, 0, 1, 24 UDF Shell Extension DLL
mydocs.dll 72400000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) Gränssnitt för Mina dokument
MLANG.dll 74740000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
AcroIEHelper.dll 1e50000 45056 C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX

#12 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 10:00 AM

dedalus.. couple more please.

in the registry menu of pv select the extensions key export, protocal export, and shellservice. Please post all three.



#13 Slav

Slav

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2004 - 10:05 AM

What do I do next? And what about the "option for Mosiac's Runkeys export" thing? Do you need that?

Edited by Slav, 02 June 2004 - 10:06 AM.


#14 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 10:07 AM

Shadowwar - nice tool. In the order requested:

Extensions Key report:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{196BB14D-07CE-47BB-B8AF-C879CE2693BB}]
"clsid"="{196BB14D-07CE-47BB-B8AF-C879CE2693BB}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}]
"clsid"="{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2F6722AB-DF08-4C04-A70B-2B8F2BD39CD2}]
"clsid"="{2F6722AB-DF08-4C04-A70B-2B8F2BD39CD2}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5A50962B-1355-46C3-9837-41755CEB445F}]
"clsid"="{5A50962B-1355-46C3-9837-41755CEB445F}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{61B9B007-7BD7-4EF1-8004-16B06BA55707}]
"clsid"="{61B9B007-7BD7-4EF1-8004-16B06BA55707}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{7A099794-3C5C-456C-BD65-DF55EC3B42EE}]
"clsid"="{7A099794-3C5C-456C-BD65-DF55EC3B42EE}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{87420808-0A35-4C11-8141-5659504EE107}]
"clsid"="{87420808-0A35-4C11-8141-5659504EE107}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9455301C-CF6B-11D3-A266-00C04F689C50}]
"Default Visible"="Yes"
"ButtonText"="Researcher"
"HotIcon"="C:\\Program Files\\Common Files\\Microsoft Shared\\Reference 2001\\EROProj.dll,104"
"Icon"="C:\\Program Files\\Common Files\\Microsoft Shared\\Reference 2001\\EROProj.dll,106"
"MenuStatusBar"="Opens Encarta Researcher"
"CLSID"="{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"
"BandCLSID"="{9455301C-CF6B-11D3-A266-00C04F689C50}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9BAAC115-5D22-4213-A142-0E6D7E7314D0}]
"clsid"="{9BAAC115-5D22-4213-A142-0E6D7E7314D0}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}]
"Default Visible"="Yes"
"ButtonText"="AIM"
"HotIcon"="C:\\Program Files\\AIM95\\aimres.dll,144"
"Icon"="C:\\Program Files\\AIM95\\aimres.dll,143"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\AIM95\\aim.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CC0547C1-5EC1-457A-9FF1-61ED5062075D}]
"clsid"="{CC0547C1-5EC1-457A-9FF1-61ED5062075D}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
"CLSID"="{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"
"ButtonText"="Real.com"
"HotIcon"="C:\\Program Files\\Real\\RealPlayer\\eb_act.ico"
"Icon"="C:\\Program Files\\Real\\RealPlayer\\eb_inact.ico"
"BandCLSID"="{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}"
"ToolTip"="Real.com Explorer Bar"
"Default Visible"="Yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD8BB0D6-70AB-4D30-9B71-37818FF51C66}]
"clsid"="{CD8BB0D6-70AB-4D30-9B71-37818FF51C66}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"
"Default Visible"="Yes"
"HotIcon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,302"
"Icon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,301"
"ButtonText"="Messenger"
"MenuText"="Windows Messenger"
"ToolTip"="Windows Messenger"


Protocol Keys:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


ShellServiceObject Keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

#15 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 10:20 AM

Daemon,

Interestingly (maybe) I can't delete cxmsx[1].exe. Getting a file is in use or read-only message. I'll try delete it in safe mode.

Dedalus

#16 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 10:54 AM

Slav. Do not worry bout it. dont need it anymore.

Dedalus. In the registry menu can you select the regsearch tool.

Search for this:
cxmsx[1].exe



#17 Slav

Slav

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2004 - 10:59 AM

could someone tell me what's going on or should I just trash my computer out the window :D ? I live on the seventh floor...

#18 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 10:59 AM

Slav could i see option 2 in pv for iexplorer dll's

Slav thats what we are trying to figure out. This is a brand new variant.
:techsupport:



#19 Slav

Slav

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2004 - 11:04 AM

Ye, sure. Sorry not all of it is in english, but I'm sure you'll manage it :p If not - ask :p

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL-fil för NT Layer
kernel32.dll 77e60000 958464 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Klient-DLL för Windows NT BASE API
msvcrt.dll 77c00000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d30000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.1134 (xpsp2.020921-0842) Klient-DLL-fil för Windows XP
GDI32.dll 77c60000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL
ADVAPI32.dll 77dc0000 643072 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1254 (xpsp2.030801-1834) Remote Procedure Call Runtime
SHLWAPI.dll 63180000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1226 Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1203 Shell Doc Object och Control Library
IMM32.DLL 76370000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
LPK.DLL 62f00000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72f70000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor
comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
SHELL32.dll 773c0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) DLL-fil för Windows-gränssnittet
comctl32.dll 77330000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 7ccc0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1263 (xpsp2.030819-2129) Microsoft OLE för Windows
MSCTF.dll 746f0000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL-fil för MSCTF-servern
BROWSEUI.dll 75f60000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare
browselc.dll 72420000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare
appHelp.dll 75f20000 122880 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 76fc0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
OLEAUT32.dll 77110000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
COMRes.dll 77040000 819200 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77bf0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
msctfime.ime 970000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME
Msimtf.dll 746c0000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
SETUPAPI.dll 76660000 954368 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) API för installationsprogrammet för Windows
UxTheme.dll 5b270000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för Microsoft UxTheme
WININET.dll 761e0000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet-tillbehör för Win32
CRYPT32.dll 762a0000 561152 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) 32-bitars kryptografi-API
MSASN1.dll 76280000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
Secur32.dll 76f80000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
cscui.dll 76600000 323584 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 765e0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agent för frånkopplat nätverk
USERENV.dll 75a50000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
AcroIEHelper.dll 10000000 45056 C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
NavShExt.dll f70000 106496 C:\Program\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
ATL.DLL 76b10000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
MSVCP60.dll 76060000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft ® C++ Runtime Library
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1226 OLE32-tillägg för Win32
changes_homepage.dll 1010000 61440 C:\WINDOWS\System32\changes_homepage.dll
c_10230.dll 1030000 69632 C:\WINDOWS\System32\c_10230.dll
shdoclc.dll 76150000 565248 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object och Control Library
mlang.dll 74740000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1226 Microsoft ® Visningsprogram för HTML
msi.dll 1980000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
SXS.DLL 75e70000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
MSLS31.DLL 74690000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
scrauth.dll 1100000 110592 C:\Program\Delade filer\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
ScrBlock.dll 1140000 122880 C:\Program\Delade filer\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
wintrust.dll 76c20000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) API för autentisering av Microsoft Trust
IMAGEHLP.dll 76c80000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
netapi32.dll 71c10000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL
cryptnet.dll 73d20000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API
WLDAP32.dll 76f50000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript
MPR.dll 71b10000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för router med flera providers
drprov.dll 75f40000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c00000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
NETUI0.dll 71cc0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c80000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c70000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
SAMLIB.dll 71be0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
davclnt.dll 75f50000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för Webb-DAV-klient
MSGINA.dll 75950000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1106 (xpsp1.020828-1920) Inloggnings-GINA för Windows NT
WINSTA.dll 76340000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
ODBC32.dll 2910000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9041.40 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 76390000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) DLL-fil med vanliga dialogrutor
odbcint.dll 1f850000 94208 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC-resurser
wsock32.dll 71ac0000 36864 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) 32-bitars DLL-fil för Windows Socket
WS2_32.dll 71aa0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71a90000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
mswsock.dll 71a40000 245760 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Tjänstprovider för Microsoft Windows Sockets 2.0
wshtcpip.dll 71a80000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
RASAPI32.DLL 76ed0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Programmeringsgränssnitt för Fjärråtkomst
rasman.dll 76e80000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
TAPI32.dll 76ea0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Klient-DLL för Microsoft® Windows™-telefoni-API
rtutils.dll 76e70000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
WINMM.dll 76b30000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
sensapi.dll 722a0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
DNSAPI.dll 76f10000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
winrnr.dll 76fa0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
rasadhlp.dll 76fb0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
mshtmled.dll 74c80000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) HTML-redigeringskomponent för Microsoft ®

#20 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 11:14 AM

The last one in the directory \Anti-Virus....etc\ is one I kept to one side to send to Daemon and in case we need it again.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "cxmsx[1].exe" 02/06/2004 17:12:51

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4X2FG12V\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\B4BF6376\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\4BKGDAQZ\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4H67KXIV\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

"cxmsx[1].exe"=hex:6d,e7,bd,40

"File1"="C:\\Documents and Settings\\Ian\\Desktop\\Anti-Virus, Spyware, Trojans\\cxmsx[1].exe"

#21 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 11:33 AM

Slav yours looks different than dedalus.. Post back to your own thread. In pv go to option 8 for the registry menu. Post the iextensions option in your thread/post.

Dedalus. need you to do a manual search with regedit as the tool is not showing the whole key.

start/run
regedit
select edit/find
search for this:
4X2FG12V
after it finds a key right click the last folder in the left pane and hit export.
Save the export to the desktop for now.
hit f3 to search for the next.
Repeat till no more items found.

clsoe regedit
go to desktop and open the files you exported with notepad.
paste the contents here.

Trying to figure out where this exe is loading from.



#22 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 11:59 AM

Only 2 instances in the registry. I should tell you that in the course of the last few hours I have deleted the user directory structure 'Test'. The user was deleted before but the directory structure and files lingered.

Results of regedit/search:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}]

[HKEY_CLASSES_ROOT\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}\InprocServer32]
@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4X2FG12V\\cxmsx[1].exe"



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}\InprocServer32]
@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4X2FG12V\\cxmsx[1].exe"

#23 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 12:06 PM

Ok. dedalus. Now i get the whole picture.

First ctrl alt del and make sure that exe is not running.
Than do this:

Make sure all IE's are closed first.


Load up hijackthis and check and fix the following:

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

Reboot.
Give me a new hijackthis log and a new pv option 2 log.



#24 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 12:18 PM

HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 18:18:25, on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ian\Desktop\Anti-Virus, Spyware, Trojans\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BT Voyager Wireless Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


PV Option #2 log:


Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
SHLWAPI.dll 70a70000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Light-weight Utility Library
SHDOCVW.dll 769c0000 1351680 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Doc Object and Control Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 76200000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
googletoolbar1.dll 10000000 753664 c:\windows\downloaded program files\googletoolbar1.dll 2, 0, 111, 0 Google IE Client Toolbar
urlmon.dll 760f0000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1106 (xpsp1.020828-1920) OLE32 Extensions for Win32
WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows™ Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\System32\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine
shdoclc.dll 71800000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
msi.dll 2440000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
mshtml.dll 74810000 2846720 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Viewer
msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Editing Component
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

#25 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 12:21 PM

ok how is it now?
check and fix this one:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

Should be all set.



#26 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 June 2004 - 12:31 PM

The pop-up and hijacker have been quiet for about an hour now, but I think that's becasue I've opened only a limited number of browsers and surfed only to a limited number of new URLs. (The occurrence of the pop-up is random...)

As for the blank key you spotted, I suspect I did that myself while manually removing the edited homepage during one of my previous experimental cures.

I will hop around as many URLs as I can and report back in this topic within 24hrs to report a definitive all clear or not. Regardless, thank you both (Daemon and Shadowwar) for your help and your persistence. I'll make a donation and buy the bloody t-shirt if you've nailed it.

One more quick point; would you mind giving me a quick note on what you think the thing was and how it worked? I took a brief look in the exe with a hex editor and saw that it referred to a 'previous name' of jcconsole.dll and seemed to have legit Microsoft Javascript copyright notices in there, but otherwise I'm flummoxed. I also noticed that if I executed the .exe by clicking on it, it promptly disappeared from that location. Anyway, any explanation appreciated.

Thanks,
Dedalus

#27 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 02 June 2004 - 12:39 PM

Ok. It was loading from the iextensions key in the registry. The exe fakes the microsoft entries in the log to throw us off. i need to look at the file yet but microsoft i dont think would be too happy. The extensions key is other button in the top bar of internet explorer. So it loads when you load IE. This file contacted somewhere to download the popup and being it ran from temp internet files it would keep clearing itself out and reinstalling itself. Need to investigate the file to see where it was contacting but thats pretty much what happened.



#28 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 02 June 2004 - 01:17 PM

There is no icon/smily here for :Hats Off: for shadowwar. Great detective work and help here - Always a pleasure watching you helping others.

#29 Slav

Slav

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 02 June 2004 - 01:34 PM

could anyone help me too? PLEASE!

#30 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 02 June 2004 - 01:56 PM

Already on it SLAV

#31 Dedalus

Dedalus

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 03 June 2004 - 06:09 AM

Good news! The hijacker seems to be gone. Thanks again for your help.

Dedalus

#32 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 03 June 2004 - 06:53 AM

Glad to help. Thanks for working with us!






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button