• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Dedalus

c:\spad, myexexex and casinopalazzo

32 posts in this topic

Hi,

 

I've been using your forums for a while now and I think they're excellent. I've now registered as you guys seem to have a handle on the latest variants of the malware that's out there.

 

I am currently plagued by the c:\spad - myexexex browser hijack, and a hijack which pops-up casinopalazzo.com and deposits a casinopalazzo internet shortcut on my desktop. I believe the 2 are separate.

 

When I first noticed c:\spad, I took shaddowwar's excellent advice to another forum user, and it appeared to work. But alas no - the hijacker runs intermittently and it was just coincidence.

 

Despite running SpywareGuard and BHODemon, it seems these things got on board when I was screwing around with my browser security. It's now set to medium with 'disable' set against all ActiveX downloads.

 

I've run SpybotS&D and CWSshredder, but to no avail, although they did clear up some other nasties.

 

Firstly: spad/myexexex

1. Ran HijackThis. Fixed all the references to c:\spad\start.html and http:\\www.myexexex.com... it found there.

2. Realised that the hijacker runs intermittently and re-edits the registry

3. I used a clear.reg file (again from this forum) to clear up the registry

4. Took shadowwar's tips and deleted the file c_10230.dll. Couldn't find any of the other dll's referred to on the forums (hpcmdty.dll, crtv32 etc.)

5. Still plagued by the damn thing.

 

6. Solution so far:

Placed a file on the root of C:\ called spad to prevent the creation of the spad directory by the hijacker. Thankfully, it seems to do this first, so the rest of the registry stuff it does is never executed. Now at the point the program tries to create spad it fails and I get "C:\spad is not accessible" followed by "Cannot run c:\spad\inst.exe". Using Task Manager while those dialogs are onscreen, I find a strange .dat file in \User\Temporary Internet Files. The file is 4-letter (XXXX.dat) randomly named and shortlived i.e. it disappears after the dialogues are closed or, I presume, after the spad hijacker succeeds.

I've grabbed a copy of the file, before it disappeared, so perhaps someone here could take a look at it and see if they can figure out what's creating it? I can forward the file or put in a website and send a link.

 

I've also posted my HJT log below. I'd appreciate it if you could scan through it to see what's up, although it does seem pretty clean to my ignorant eyes.

 

Can anyone suggest what I might try next? If we can tackle this one first I'll worry about the casinopalazzo problem later.

 

Thanks,

Dedalus

 

Logfile of HijackThis v1.97.7

Scan saved at 12:51:25, on 02/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\DELLMMKB.EXE

C:\WINDOWS\System32\tbctray.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\Program Files\BHODemon\BHODemon.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Outlook Express\MSIMN.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\System32\taskmgr.exe

C:\Documents and Settings\Ian\Desktop\Anti-Virus, Spyware, Trojans\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: BT Voyager Wireless Utility.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Researcher (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hi Dedalus

 

I actually think the two issues are related - this is the second time I have seen a resilient myexexex with that shortcut - also unresolved at the moment. Could you send that file to this e-mail address and I'll take a look.

Share this post


Link to post
Share on other sites

Thanks, I've got the file now. Could you download PV from: http://tools.zerosrealm.com/pv.zip

 

Create a folder on your desktop called PV then extract all the files in pv.zip to that folder. It will not work if you run it from inside the zip. After unzipped open the pv folder. Double click on the runme.bat

 

A dos window will open. Be sure to have at least 1 Internet Explorer window open. Please select option 2 for explorer dll's by typing 2 and then pressing enter.

 

Notepad will open with a log in it. Please copy and paste the entire log into this topic.

Share this post


Link to post
Share on other sites

PV output as requested:

 

 

Module information for 'iexplore.exe'

MODULE BASE SIZE PATH

iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer

ntdll.dll 77f50000 679936 C:\WINDOWS\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL

kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL

USER32.dll 77d40000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL

GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL

ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API

RPCRT4.dll 78000000 454656 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime

SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library

SHELL32.dll 773d0000 8314880 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.115 (xpclnt_qfe.021108-2107) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library

ole32.dll 771b0000 1126400 C:\WINDOWS\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows

uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library

BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library

appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library

CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53

OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32

CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API

googletoolbar1.dll 10000000 753664 c:\windows\downloaded program files\googletoolbar1.dll 2, 0, 111, 0 Google IE Client Toolbar

urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32

WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs

IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper

WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL

serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver

umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module

rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider

RASAPI32.DLL 1810000 233472 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.28 (xpclnt_qfe.010827-1803) Remote Access API

rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager

NETAPI32.dll 71c20000 315392 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL

TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows Telephony API Client DLL

rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL

USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv

dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection

MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\System32\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine

cxmsx[1].exe 1ef0000 53248 C:\Documents and Settings\Monster\Local Settings\Temporary Internet Files\Content.IE5\4H67KXIV\cxmsx[1].exe

shdoclc.dll 1f10000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library

mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider

wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL

rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper

DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL

msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer

SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5

winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL

WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL

mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer

msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL

MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL

IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL

jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript

iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer Peer Objects

WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft ® HTML Editing Component

wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper

msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper

MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter

midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library

plugin.ocx 72b20000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2600.0000 (xpclient.010817-1148) ActiveX Plugin OCX

comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL

ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing

ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)

LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking

Share this post


Link to post
Share on other sites

Ive got the same problem with casino palazzo, and I just cant get rid of it, should I download the PV.zip thing and follow your instruction or is it a different process?

 

Cheers

Share this post


Link to post
Share on other sites

I have the same trouble too. What to do?

(I mean this could be very effective, three persons could be helped at one time :p )

Edited by Slav

Share this post


Link to post
Share on other sites

Hmmm.. what's this?

 

cxmsx[1].exe 1ef0000 53248 C:\Documents and Settings\Monster\Local Settings\Temporary Internet Files\Content.IE5\4H67KXIV\cxmsx[1].exe

 

Could you find that file and send it to me. Then delete it. This tool is useful - click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so. Repeat for all log-in accounts on your computer.

Share this post


Link to post
Share on other sites

Ok this is darn strange. Normally the policy here is to not post in other peoples threads. Being this is new and never seen a few things i would like everyone that posted so far to follow my instructions and post here. Please no one else.

 

Ok if you have not downloaded pv.zip yet please do so from the link Daemon provided.

 

Next i need to see a few other logs from it.

 

First i need to see an option 1 log for explorer dlls

 

Than i need to you go to the registry menu and select the option for Mosiac's Runkeys export.

 

Please post both logs into this thread.

Share this post


Link to post
Share on other sites

Dedalus - could you provide the additional logs. anaselg and Slav - please add your log files as shadowwar requested.

Share this post


Link to post
Share on other sites

As per Shadowwar request:

 

PV Option 1 Explorer dlls:

 

 

Module information for 'explorer.exe'

MODULE BASE SIZE PATH

explorer.exe 1000000 1011712 C:\WINDOWS\explorer.exe 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer

ntdll.dll 77f50000 679936 C:\WINDOWS\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL

kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL

ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API

RPCRT4.dll 78000000 454656 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime

GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL

USER32.dll 77d40000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL

SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library

SHELL32.dll 773d0000 8314880 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.115 (xpclnt_qfe.021108-2107) Windows Shell Common Dll

ole32.dll 771b0000 1126400 C:\WINDOWS\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows

OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library

UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library

appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library

CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface

MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL

netapi32.dll 71c20000 315392 C:\WINDOWS\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL

spywareguard.dll 22200000 126976 C:\Program Files\SpywareGuard\spywareguard.dll 2.02 SpywareGuard Protection

MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\System32\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine

USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv

actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library

LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking

ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing

ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)

SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL

SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API

NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell

credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface

WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API

netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager

MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL

ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL

adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL

WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL

rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

RASAPI32.dll 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API

rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager

TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows Telephony API Client DLL

WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL

WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service

WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality

DHCPCSVC.DLL 76d80000 110592 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.1106 (xpsp1.020828-1920) DHCP Client Service

DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL

CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs

WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs

WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library

serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver

umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module

webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor

stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object

BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL

POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL

msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer

ImapiRoxPS.dll 10000000 28672 C:\WINDOWS\System32\ImapiRoxPS.dll

WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32

urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32

printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL

WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver

CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL

MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL

fxsst.dll 68df0000 573440 C:\WINDOWS\System32\fxsst.dll 5.2.1776.0 Fax Service

FXSAPI.dll 69010000 458752 C:\WINDOWS\System32\FXSAPI.dll 5.2.1776.0 Microsoft Fax API Support DLL

NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.0 (xpclient.010817-1148) Windows NT MARTA provider

SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5

drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider

ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager

NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes

NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes

NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL

davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library

dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection

DUSER.dll 6c1b0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine

WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs

IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper

rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider

asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object

MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider

wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft ® Shell Extension for Windows Script Host

comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL

 

 

And Mosaic Runkeys export:

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"

"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"

"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

Windows Registry Editor Version 5.00

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

 

Windows Registry Editor Version 5.00

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunonceEx]

Share this post


Link to post
Share on other sites

Thanks for helping. My original thread is Please don't let the bastards...

I didn't understand the"option for Mosiac's Runkeys export" part, you'd have to explain for me, sorry...

Here comes the log from option 1 (that's what you wanted, right?) :

 

 

Module information for 'Explorer.EXE'

MODULE BASE SIZE PATH

Explorer.EXE 1000000 1015808 C:\WINDOWS\Explorer.EXE 6.00.2800.1106 (xpsp1.020828-1920) Utforskaren

ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL-fil för NT Layer

kernel32.dll 77e60000 958464 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Klient-DLL för Windows NT BASE API

msvcrt.dll 77c00000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL

ADVAPI32.dll 77dc0000 643072 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API

RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1254 (xpsp2.030801-1834) Remote Procedure Call Runtime

GDI32.dll 77c60000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL

USER32.dll 77d30000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.1134 (xpsp2.020921-0842) Klient-DLL-fil för Windows XP

SHLWAPI.dll 63180000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1226 Shell Light-weight Utility Library

SHELL32.dll 773c0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) DLL-fil för Windows-gränssnittet

ole32.dll 7ccc0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1263 (xpsp2.030819-2129) Microsoft OLE för Windows

OLEAUT32.dll 77110000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

BROWSEUI.dll 75f60000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1203 Shell Doc Object och Control Library

UxTheme.dll 5b270000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för Microsoft UxTheme

IMM32.DLL 76370000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL

LPK.DLL 62f00000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack

USP10.dll 72f70000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor

comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library

comctl32.dll 77330000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library

msctfime.ime 810000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME

appHelp.dll 75f20000 122880 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library

CLBCATQ.DLL 76fc0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42

COMRes.dll 77040000 819200 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77bf0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

cscui.dll 76600000 323584 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI

CSCDLL.dll 765e0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agent för frånkopplat nätverk

themeui.dll 5bb30000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Programmeringsgränssnitt (API) för Windows-teman

Secur32.dll 76f80000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface

MSIMG32.dll 76360000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL

USERENV.dll 75a50000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv

Msimtf.dll 746c0000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL

MSCTF.dll 746f0000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL-fil för MSCTF-servern

msutb.dll 60130000 196608 C:\WINDOWS\System32\msutb.dll 5.1.2600.1106 (xpsp1.020828-1920) Server-DLL-fil för MSUTB

netapi32.dll 71c10000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL

LINKINFO.dll 76970000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking

ntshrui.dll 76980000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell-tillägg för delning

ATL.DLL 76b10000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)

urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1226 OLE32-tillägg för Win32

WINSTA.dll 76340000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library

webcheck.dll 74b00000 270336 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Webbplatsövervakare

SETUPAPI.dll 76660000 954368 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) API för installationsprogrammet för Windows

stobject.dll 74ad0000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell-tjänstobjekt

BatMeter.dll 74ac0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL

POWRPROF.dll 74aa0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL

WTSAPI32.dll 76f40000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs

WINMM.dll 76b30000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL

wdmaud.drv 72cf0000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper

msacm32.drv 72ce0000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper

MSACM32.dll 77bd0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM-ljudfilter

midimap.dll 77bc0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

NETSHELL.dll 75cd0000 1646592 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1106 (xpsp1.020828-1920) Användargränssnitt för nätverksanslutning

credui.dll 76bf0000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Användargränssnitt för referenshanteraren

WS2_32.dll 71aa0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71a90000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

iphlpapi.dll 76d50000 94208 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpsp1.020828-1920) API för IP Helper

WINTRUST.dll 76c20000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) API för autentisering av Microsoft Trust

CRYPT32.dll 762a0000 561152 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) 32-bitars kryptografi-API

MSASN1.dll 76280000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs

IMAGEHLP.dll 76c80000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper

rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider

msi.dll 1a10000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer

printui.dll 74b50000 536576 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL

WINSPOOL.DRV 72fd0000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Drivrutin för Windows-bufferthanterare

ACTIVEDS.dll 76e30000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för Active Directory Router Layer

adsldpc.dll 76e00000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP-provider C DLL

WLDAP32.dll 76f50000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL

CFGMGR32.dll 74ab0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL

MPR.dll 71b10000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för router med flera providers

drprov.dll 75f40000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider

ntlanman.dll 71c00000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager

NETUI0.dll 71cc0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes

NETUI1.dll 71c80000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes

NETRAP.dll 71c70000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL

SAMLIB.dll 71be0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL

davclnt.dll 75f50000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för Webb-DAV-klient

srclient.dll 5c560000 73728 C:\WINDOWS\System32\srclient.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL-fil för systemåterställningsklienten

framedyn.dll 69840000 188416 C:\WINDOWS\System32\Wbem\framedyn.dll 5.1.2600.0 (xpclient.010817-1148) WMI SDK Provider Framework

SXS.DLL 75e70000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5

zipfldr.dll 73350000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2800.1126 (xpsp2.020921-0842) Komprimerade mappar

browselc.dll 72420000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare

WININET.dll 761e0000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet-tillbehör för Win32

DUSER.dll 6c730000 278528 C:\WINDOWS\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine

shdoclc.dll 76150000 565248 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object och Control Library

NavShExt.dll 10000000 106496 C:\Program\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module

MSVCP60.dll 76060000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft ® C++ Runtime Library

ICQLiteShell.dll c30000 61440 C:\Program\ICQLite\ICQLiteShell.dll 1, 0, 0, 1 ICQLiteShell Module

MFC42.DLL 73da0000 991232 C:\WINDOWS\System32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version

MFC42LOC.DLL 61ec0000 53248 C:\WINDOWS\System32\MFC42LOC.DLL 6.00.8665.0 MFC Språkspecifika resurser

sfc_os.dll 76c50000 167936 C:\WINDOWS\System32\sfc_os.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Filskydd

incdshx.dll 1c000000 135168 C:\Program\Ahead\InCD\incdshx.dll 4, 0, 1, 24 UDF Shell Extension DLL

mydocs.dll 72400000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) Gränssnitt för Mina dokument

MLANG.dll 74740000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

AcroIEHelper.dll 1e50000 45056 C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX

Share this post


Link to post
Share on other sites

dedalus.. couple more please.

 

in the registry menu of pv select the extensions key export, protocal export, and shellservice. Please post all three.

Share this post


Link to post
Share on other sites

What do I do next? And what about the "option for Mosiac's Runkeys export" thing? Do you need that?

Edited by Slav

Share this post


Link to post
Share on other sites

Shadowwar - nice tool. In the order requested:

 

Extensions Key report:

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{196BB14D-07CE-47BB-B8AF-C879CE2693BB}]

"clsid"="{196BB14D-07CE-47BB-B8AF-C879CE2693BB}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}]

"clsid"="{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2F6722AB-DF08-4C04-A70B-2B8F2BD39CD2}]

"clsid"="{2F6722AB-DF08-4C04-A70B-2B8F2BD39CD2}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5A50962B-1355-46C3-9837-41755CEB445F}]

"clsid"="{5A50962B-1355-46C3-9837-41755CEB445F}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{61B9B007-7BD7-4EF1-8004-16B06BA55707}]

"clsid"="{61B9B007-7BD7-4EF1-8004-16B06BA55707}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{7A099794-3C5C-456C-BD65-DF55EC3B42EE}]

"clsid"="{7A099794-3C5C-456C-BD65-DF55EC3B42EE}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{87420808-0A35-4C11-8141-5659504EE107}]

"clsid"="{87420808-0A35-4C11-8141-5659504EE107}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9455301C-CF6B-11D3-A266-00C04F689C50}]

"Default Visible"="Yes"

"ButtonText"="Researcher"

"HotIcon"="C:\\Program Files\\Common Files\\Microsoft Shared\\Reference 2001\\EROProj.dll,104"

"Icon"="C:\\Program Files\\Common Files\\Microsoft Shared\\Reference 2001\\EROProj.dll,106"

"MenuStatusBar"="Opens Encarta Researcher"

"CLSID"="{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"

"BandCLSID"="{9455301C-CF6B-11D3-A266-00C04F689C50}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9BAAC115-5D22-4213-A142-0E6D7E7314D0}]

"clsid"="{9BAAC115-5D22-4213-A142-0E6D7E7314D0}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}]

"Default Visible"="Yes"

"ButtonText"="AIM"

"HotIcon"="C:\\Program Files\\AIM95\\aimres.dll,144"

"Icon"="C:\\Program Files\\AIM95\\aimres.dll,143"

"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

"Exec"="C:\\Program Files\\AIM95\\aim.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CC0547C1-5EC1-457A-9FF1-61ED5062075D}]

"clsid"="{CC0547C1-5EC1-457A-9FF1-61ED5062075D}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]

"CLSID"="{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"

"ButtonText"="Real.com"

"HotIcon"="C:\\Program Files\\Real\\RealPlayer\\eb_act.ico"

"Icon"="C:\\Program Files\\Real\\RealPlayer\\eb_inact.ico"

"BandCLSID"="{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}"

"ToolTip"="Real.com Explorer Bar"

"Default Visible"="Yes"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD8BB0D6-70AB-4D30-9B71-37818FF51C66}]

"clsid"="{CD8BB0D6-70AB-4D30-9B71-37818FF51C66}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]

"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"

"Default Visible"="Yes"

"HotIcon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,302"

"Icon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,301"

"ButtonText"="Messenger"

"MenuText"="Windows Messenger"

"ToolTip"="Windows Messenger"

 

 

Protocol Keys:

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

ShellServiceObject Keys:

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

Share this post


Link to post
Share on other sites

Daemon,

 

Interestingly (maybe) I can't delete cxmsx[1].exe. Getting a file is in use or read-only message. I'll try delete it in safe mode.

 

Dedalus

Share this post


Link to post
Share on other sites

Slav. Do not worry bout it. dont need it anymore.

 

Dedalus. In the registry menu can you select the regsearch tool.

 

Search for this:

cxmsx[1].exe

Share this post


Link to post
Share on other sites

could someone tell me what's going on or should I just trash my computer out the window :D ? I live on the seventh floor...

Share this post


Link to post
Share on other sites

Slav could i see option 2 in pv for iexplorer dll's

 

Slav thats what we are trying to figure out. This is a brand new variant.

:techsupport:

Share this post


Link to post
Share on other sites

Ye, sure. Sorry not all of it is in english, but I'm sure you'll manage it :p If not - ask :p

 

Module information for 'iexplore.exe'

MODULE BASE SIZE PATH

iexplore.exe 400000 102400 C:\Program\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer

ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL-fil för NT Layer

kernel32.dll 77e60000 958464 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Klient-DLL för Windows NT BASE API

msvcrt.dll 77c00000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL

USER32.dll 77d30000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.1134 (xpsp2.020921-0842) Klient-DLL-fil för Windows XP

GDI32.dll 77c60000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL

ADVAPI32.dll 77dc0000 643072 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API

RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1254 (xpsp2.030801-1834) Remote Procedure Call Runtime

SHLWAPI.dll 63180000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1226 Shell Light-weight Utility Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1203 Shell Doc Object och Control Library

IMM32.DLL 76370000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL

LPK.DLL 62f00000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack

USP10.dll 72f70000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor

comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library

SHELL32.dll 773c0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) DLL-fil för Windows-gränssnittet

comctl32.dll 77330000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library

ole32.dll 7ccc0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1263 (xpsp2.030819-2129) Microsoft OLE för Windows

MSCTF.dll 746f0000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL-fil för MSCTF-servern

BROWSEUI.dll 75f60000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare

browselc.dll 72420000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för gränssnittsläsare

appHelp.dll 75f20000 122880 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library

CLBCATQ.DLL 76fc0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42

OLEAUT32.dll 77110000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

COMRes.dll 77040000 819200 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77bf0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

msctfime.ime 970000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME

Msimtf.dll 746c0000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL

SETUPAPI.dll 76660000 954368 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) API för installationsprogrammet för Windows

UxTheme.dll 5b270000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Bibliotek för Microsoft UxTheme

WININET.dll 761e0000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet-tillbehör för Win32

CRYPT32.dll 762a0000 561152 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) 32-bitars kryptografi-API

MSASN1.dll 76280000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs

Secur32.dll 76f80000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface

cscui.dll 76600000 323584 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI

CSCDLL.dll 765e0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agent för frånkopplat nätverk

USERENV.dll 75a50000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv

AcroIEHelper.dll 10000000 45056 C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX

NavShExt.dll f70000 106496 C:\Program\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module

ATL.DLL 76b10000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)

MSVCP60.dll 76060000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft ® C++ Runtime Library

urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1226 OLE32-tillägg för Win32

changes_homepage.dll 1010000 61440 C:\WINDOWS\System32\changes_homepage.dll

c_10230.dll 1030000 69632 C:\WINDOWS\System32\c_10230.dll

shdoclc.dll 76150000 565248 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object och Control Library

mlang.dll 74740000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1226 Microsoft ® Visningsprogram för HTML

msi.dll 1980000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer

SXS.DLL 75e70000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5

MSLS31.DLL 74690000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

scrauth.dll 1100000 110592 C:\Program\Delade filer\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator

ScrBlock.dll 1140000 122880 C:\Program\Delade filer\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking

wintrust.dll 76c20000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) API för autentisering av Microsoft Trust

IMAGEHLP.dll 76c80000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper

rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider

netapi32.dll 71c10000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL

cryptnet.dll 73d20000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API

WLDAP32.dll 76f50000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL

jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript

MPR.dll 71b10000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för router med flera providers

drprov.dll 75f40000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider

ntlanman.dll 71c00000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager

NETUI0.dll 71cc0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes

NETUI1.dll 71c80000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes

NETRAP.dll 71c70000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL

SAMLIB.dll 71be0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL

davclnt.dll 75f50000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) DLL-fil för Webb-DAV-klient

MSGINA.dll 75950000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1106 (xpsp1.020828-1920) Inloggnings-GINA för Windows NT

WINSTA.dll 76340000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library

ODBC32.dll 2910000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9041.40 Microsoft Data Access - ODBC Driver Manager

comdlg32.dll 76390000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) DLL-fil med vanliga dialogrutor

odbcint.dll 1f850000 94208 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC-resurser

wsock32.dll 71ac0000 36864 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) 32-bitars DLL-fil för Windows Socket

WS2_32.dll 71aa0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71a90000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

mswsock.dll 71a40000 245760 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Tjänstprovider för Microsoft Windows Sockets 2.0

wshtcpip.dll 71a80000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL

RASAPI32.DLL 76ed0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Programmeringsgränssnitt för Fjärråtkomst

rasman.dll 76e80000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager

TAPI32.dll 76ea0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Klient-DLL för Microsoft® Windows-telefoni-API

rtutils.dll 76e70000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

WINMM.dll 76b30000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL

sensapi.dll 722a0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL

DNSAPI.dll 76f10000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL

winrnr.dll 76fa0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL

rasadhlp.dll 76fb0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper

mshtmled.dll 74c80000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) HTML-redigeringskomponent för Microsoft ®

Share this post


Link to post
Share on other sites

The last one in the directory \Anti-Virus....etc\ is one I kept to one side to send to Daemon and in case we need it again.

 

REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "cxmsx[1].exe" 02/06/2004 17:12:51

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4X2FG12V\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\B4BF6376\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\4BKGDAQZ\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4H67KXIV\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

 

@="C:\\Documents and Settings\\Test\\Local Settings\\Temporary Internet Files\\Content.IE5\\IR6F2GAI\\cxmsx[1].exe"

 

"cxmsx[1].exe"=hex:6d,e7,bd,40

 

"File1"="C:\\Documents and Settings\\Ian\\Desktop\\Anti-Virus, Spyware, Trojans\\cxmsx[1].exe"

Share this post


Link to post
Share on other sites

Slav yours looks different than dedalus.. Post back to your own thread. In pv go to option 8 for the registry menu. Post the iextensions option in your thread/post.

 

Dedalus. need you to do a manual search with regedit as the tool is not showing the whole key.

 

start/run

regedit

select edit/find

search for this:

4X2FG12V

after it finds a key right click the last folder in the left pane and hit export.

Save the export to the desktop for now.

hit f3 to search for the next.

Repeat till no more items found.

 

clsoe regedit

go to desktop and open the files you exported with notepad.

paste the contents here.

 

Trying to figure out where this exe is loading from.

Share this post


Link to post
Share on other sites

Only 2 instances in the registry. I should tell you that in the course of the last few hours I have deleted the user directory structure 'Test'. The user was deleted before but the directory structure and files lingered.

 

Results of regedit/search:

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}]

 

[HKEY_CLASSES_ROOT\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}\InprocServer32]

@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4X2FG12V\\cxmsx[1].exe"

 

 

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23A617EF-358F-4A2D-BAB5-7DCDAD38A641}\InprocServer32]

@="C:\\Documents and Settings\\Monster\\Local Settings\\Temporary Internet Files\\Content.IE5\\4X2FG12V\\cxmsx[1].exe"

Share this post


Link to post
Share on other sites

Ok. dedalus. Now i get the whole picture.

 

First ctrl alt del and make sure that exe is not running.

Than do this:

 

Make sure all IE's are closed first.

 

 

Load up hijackthis and check and fix the following:

 

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

 

Reboot.

Give me a new hijackthis log and a new pv option 2 log.

Share this post


Link to post
Share on other sites

HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 18:18:25, on 02/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\DELLMMKB.EXE

C:\WINDOWS\System32\tbctray.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Netropa\OSD.exe

C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\Program Files\BHODemon\BHODemon.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Ian\Desktop\Anti-Virus, Spyware, Trojans\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: BT Voyager Wireless Utility.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

PV Option #2 log:

 

 

Module information for 'iexplore.exe'

MODULE BASE SIZE PATH

iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer

ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL

kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL

USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL

GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL

ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API

RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime

SHLWAPI.dll 70a70000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Light-weight Utility Library

SHDOCVW.dll 769c0000 1351680 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Doc Object and Control Library

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library

SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library

ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows

uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library

BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library

appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library

CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53

OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

WININET.dll 76200000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Extensions for Win32

CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API

googletoolbar1.dll 10000000 753664 c:\windows\downloaded program files\googletoolbar1.dll 2, 0, 111, 0 Google IE Client Toolbar

urlmon.dll 760f0000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1106 (xpsp1.020828-1920) OLE32 Extensions for Win32

WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs

IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper

WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL

serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver

umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module

rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider

RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API

rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager

NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL

TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows Telephony API Client DLL

rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL

USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv

dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection

MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\System32\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine

shdoclc.dll 71800000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library

mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider

wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL

rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper

msi.dll 2440000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer

SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5

DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL

winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL

WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL

mshtml.dll 74810000 2846720 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Viewer

msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL

MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL

IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL

jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer Peer Objects

WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver

mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Editing Component

wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper

msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper

MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter

midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

Share this post


Link to post
Share on other sites

ok how is it now?

check and fix this one:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

 

Should be all set.

Share this post


Link to post
Share on other sites

The pop-up and hijacker have been quiet for about an hour now, but I think that's becasue I've opened only a limited number of browsers and surfed only to a limited number of new URLs. (The occurrence of the pop-up is random...)

 

As for the blank key you spotted, I suspect I did that myself while manually removing the edited homepage during one of my previous experimental cures.

 

I will hop around as many URLs as I can and report back in this topic within 24hrs to report a definitive all clear or not. Regardless, thank you both (Daemon and Shadowwar) for your help and your persistence. I'll make a donation and buy the bloody t-shirt if you've nailed it.

 

One more quick point; would you mind giving me a quick note on what you think the thing was and how it worked? I took a brief look in the exe with a hex editor and saw that it referred to a 'previous name' of jcconsole.dll and seemed to have legit Microsoft Javascript copyright notices in there, but otherwise I'm flummoxed. I also noticed that if I executed the .exe by clicking on it, it promptly disappeared from that location. Anyway, any explanation appreciated.

 

Thanks,

Dedalus

Share this post


Link to post
Share on other sites

Ok. It was loading from the iextensions key in the registry. The exe fakes the microsoft entries in the log to throw us off. i need to look at the file yet but microsoft i dont think would be too happy. The extensions key is other button in the top bar of internet explorer. So it loads when you load IE. This file contacted somewhere to download the popup and being it ran from temp internet files it would keep clearing itself out and reinstalling itself. Need to investigate the file to see where it was contacting but thats pretty much what happened.

Share this post


Link to post
Share on other sites

There is no icon/smily here for :Hats Off: for shadowwar. Great detective work and help here - Always a pleasure watching you helping others.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0