• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Drewmeister

Please help with res://*.dll hijacking

24 posts in this topic

I've been working at this for about 5 hours trying to follow advice I've found around the web. Used CWShredder which found no infection. Also latest Adaware. Tried 4 times to delete everything with HJT, but the .dll comes back under a different name. Thanks in advance for any help!

 

Drew

 

Logfile of HijackThis v1.97.7

Scan saved at 9:49:33 AM, on 6/15/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\WINDOWS\Mixer.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\crog.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\WINDOWS\system32\gearsec.exe

C:\WINDOWS\runservice.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\javamf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\per\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lgprb.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgprb.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgprb.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lgprb.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lgprb.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lgprb.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r5.attbi.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {A89541F5-7316-156A-44AB-77FBBD4D89D5} - C:\WINDOWS\msny.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [elph] C:\WINDOWS\System32\elph.exe

O4 - HKLM\..\Run: [ac25_32i] C:\WINDOWS\System32\ac25_32i.exe

O4 - HKLM\..\Run: [cluia] C:\WINDOWS\System32\cluia.exe

O4 - HKLM\..\Run: [crog.exe] C:\WINDOWS\crog.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [shockmachineReminder] C:\Program Files\shockwave.com\Shockmachine\SmReminder.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.1924537037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

Share this post


Link to post
Share on other sites

From this board and another one I've checked out, this particular bugger seems to be spreading like wild fire and is bloody difficult to eliminate.

Share this post


Link to post
Share on other sites

Suggest tring the following... to bad this was after I had done a whole lot of stuff, hind sight being exact and all. If you are running XP, try doing a restore, selecting from the : Start, programs, accessories, system tools, system restore. Then choose the day before the bug hit or occured. Hope this helps.

 

Let me know,

Thanx

Share this post


Link to post
Share on other sites

The bug hit this morning, so I tried to do a system restore to yesterday. However, system restore told me that it could not do so because no changes had been made to the computer.

 

:scratchhead:

Share this post


Link to post
Share on other sites

Could you "Force" a restore, maybe from the day before that?

Might not work, but we don't know untill we tried!

 

 

Click the day before that on the calander.

 

;)

Edited by zeusdude

Share this post


Link to post
Share on other sites

New news: I am wondering if this is a new version or THOR ? As I spotted a problem when having to do a quick restart, the message read that the application it was trying to sutdown was "THOR MAIN WINDOW", This looks quite tragic, so be careful.

 

The next thought was that it might have come in under the radar with the help of the small.6.BA trojan, If this helps.. Let me know please,

 

:wtf:

Share this post


Link to post
Share on other sites

Sorry toblerone,

 

I am still looking fora sure cure. Drewmeister, what was the URL for the other board, just want to make sure we are not missing anything!

 

ZeusDude.. :)

Share this post


Link to post
Share on other sites

Some more data ... Research pasted in...

 

"Basically it's part of the Office Xp/2000 alternate use inputs so if you loaded speech or handwriting recognition options, it's there.

 

Thor's Hammer is made by triCerat Software and is part of the Windows Terminal Server and Citrix MetaFrame systems. It is associated with and loaded with Ctfmon.exe from Citrix Systems, Inc

 

Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

 

Thor's Hammer is the code that stores all elements in a self-replicating database called desktop2001 code named "Thor’s Hammer."

 

For example, if a virus attempts to run an executable it will fail. In addition, programs that users download from the Internet or receive by e-mail will fail unless they have explicit permission.

 

So it's actually not a bad thing.

 

However if you want to remove it see here

 

http://support.microsoft.com/defaul...&NoWebContent=1

 

For info on the software developer

http://www.tricerat.com/ "

Share this post


Link to post
Share on other sites

The restore suggestion has (I think) solved this problem for me. I've been trying to get rid of this thing for the better part of two days.

 

This is what I think did the trick for me. I ran the HJL and nuked all the ROs, all the O2 BHOs and almost all my O4s (if I wasn't sure it was mine--I dumped it.) This was clearly overkill. If it had a "dll" or a "#" followed by a number on it, I got rid of it.

 

Then a bunch of ROs with numbers and "dlls" all came back anyway, as well as two O4s that had 32 in it. I figured if they kept coming back, they had to be bad. I got rid of way too much, however, and got some really funny pop-ups trying to restore my word program--but that program seemed to be working anyway. And the internet was working at lightning-like speed.

 

Then on one last go-round, I changed my homepage for the millioneth time, did the HJL nuke routine, and then restored my computer to a day before this nastiness started. Now everything seems fine.

 

I have turned my comupter completely off and rebooted and no hijacking of my browers has occcured. But I did an HJL scan and there are several "dll" entries but without any "#s" or numbers. So, I guess this could all start again tomorrow. I am keeping my fingers crossed.

Share this post


Link to post
Share on other sites

Back again,

 

My machine is "Clean", so lets see if I can help some more. :deal:

 

A day from the "School of Hard knox" :cool:

This process was not easy, too much randomity. So here are the "Sure things".

 

Check to see if you have a file called "addmh32.exe" in the windows directory,

So what now??? Well get into safe mode (doing the F8 thing on system startup)

select safe mode! once in it, delete the file. Now in my case this file was read only.

I deleted said file by using the command prompt (run cmd.exe on XP/NT or command.com on other win 95/98), going to the windows directory (CD\WINDOWS), then type: ATTRIB addmh32.exe -r (PRESS ENTER)

That makes the file erasable, then type: DEL addmh32.exe (PRESS ENTER)

 

Now on my pc, something created a service called NETWORK SECURITY SERVICE

If you run "services.msc" from Start, run : you will get a list from the services manager, This refers to a file CRXN32.EXE. I have searched the net, come up with zip, so I disabled this. (Call me paranoid)

 

A list of the services that should be enabled are available at this web address:

http://www.blackviper.com/WinXP/servicecfg.htm

It come with a ton of info that helps. Download the zip file as it contains a PDF file that you can transport on diskette or print. Make relavant changes (checking the files names as well).

 

The initial file that cause this I think is "d3jg32.exe" (Remove this one quick)

 

Please send feedback, as is this helps, Remember, try the restore as above first.

 

Have a good one :wave:

 

ZeusDude

Share this post


Link to post
Share on other sites

neither of the files you talk about are found on my computer (d3jg32.exe or addmh32.exe)- but I still have the problem...

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0