Please help with res://*.dll hijacking

#1 Drewmeister

Posted 15 June 2004 - 08:57 AM

I've been working at this for about 5 hours trying to follow advice I've found around the web. Used CWShredder, which found no infection. Also the latest Adaware. Tried 4 times to delete everything with HJT, but the .dll comes back under a different name. Thanks in advance for any help!

Drew

Logfile of HijackThis v1.97.7
Scan saved at 9:49:33 AM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\crog.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\javamf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\per\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lgprb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgprb.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgprb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lgprb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lgprb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lgprb.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r5.attbi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A89541F5-7316-156A-44AB-77FBBD4D89D5} - C:\WINDOWS\msny.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [elph] C:\WINDOWS\System32\elph.exe
O4 - HKLM\..\Run: [ac25_32i] C:\WINDOWS\System32\ac25_32i.exe
O4 - HKLM\..\Run: [cluia] C:\WINDOWS\System32\cluia.exe
O4 - HKLM\..\Run: [crog.exe] C:\WINDOWS\crog.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ShockmachineReminder] C:\Program Files\shockwave.com\Shockmachine\SmReminder.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.24...va/cfs40300.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.1924537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
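
A defender's triage pass over HijackThis lines like the ones in the log above, as an added example (not part of this thread and not part of the HijackThis tool): it flags R0/R1 entries whose start or search page is a res:// URL into a DLL, a forced ProxyServer, a UserInit override in the F2 line, and unnamed BHOs loaded from the Windows directory. The regex, the severities and the sample subset are my construction.

```python
import re

# Constructed sample: a subset of the HijackThis log posted in this thread,
# plus one benign O2 line (the NAV Helper BHO) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lgprb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgprb.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {A89541F5-7316-156A-44AB-77FBBD4D89D5} - C:\WINDOWS\msny.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# res://<dll>/<page>#<tag>: an IE home/search page served out of a DLL's resources.
RES_DLL = re.compile(r"res://(?P<dll>[^/\s]+\.dll)/(?P<page>[^#\s]+)(?:#(?P<tag>\d+))?", re.I)


def triage_line(line):
    """Classify one HijackThis line; returns (severity, reason) or None."""
    prefix = line.split(" - ", 1)[0].strip()
    value = line.split("=", 1)[1].strip() if "=" in line else ""
    if prefix in ("R0", "R1"):
        m = RES_DLL.search(value)
        if m:
            dll = m["dll"].rsplit("\\", 1)[-1].lower()   # full path or bare name -> name
            return ("high", f"IE page served from DLL resource {dll} (tag {m['tag']})")
        if ",ProxyServer" in line and value:
            return ("medium", f"IE proxy forced to {value}")
    if prefix == "F2" and "UserInit=" in line:
        target = value.rstrip(",").lower()
        if not target.endswith("\\userinit.exe"):
            return ("high", f"UserInit points at {target} instead of userinit.exe")
    if prefix == "O2" and "(no name)" in line:
        path = line.rsplit(" - ", 1)[1].strip().lower()
        if path.startswith("c:\\windows\\"):
            return ("medium", f"unnamed BHO loaded from the Windows directory: {path}")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns a list of (severity, reason)."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit)
    return findings
```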

#2 toblerone

Posted 15 June 2004 - 12:08 PM

bumpin' this, 'cause I think we got the same problem :techsupport:

#3 Drewmeister

Posted 15 June 2004 - 12:10 PM

From this board and another one I've checked out, this particular bugger seems to be spreading like wildfire and is bloody difficult to eliminate.

#4 zeusdude

Posted 15 June 2004 - 12:46 PM

:techsupport: This one's got me too. Any ideas how to "FIX" the problem?

#5 zeusdude

Posted 15 June 2004 - 12:52 PM

Suggest trying the following... too bad this was after I had done a whole lot of stuff, hindsight being exact and all. If you are running XP, try doing a restore, selecting from: Start, Programs, Accessories, System Tools, System Restore. Then choose the day before the bug hit or occurred. Hope this helps.

Let me know,
Thanx

#6 Drewmeister

Posted 15 June 2004 - 01:11 PM

The bug hit this morning, so I tried to do a system restore to yesterday. However, system restore told me that it could not do so because no changes had been made to the computer.

:scratchhead:

#7 zeusdude

Posted 15 June 2004 - 01:14 PM

Could you "force" a restore, maybe from the day before that?
Might not work, but we don't know until we've tried!


Click the day before that on the calendar.

;)

Edited by zeusdude, 15 June 2004 - 01:16 PM.


#8 zeusdude

Posted 15 June 2004 - 01:25 PM

New news: I am wondering if this is a new version of THOR? As I spotted a problem when having to do a quick restart: the message read that the application it was trying to shut down was "THOR MAIN WINDOW". This looks quite tragic, so be careful.

The next thought was that it might have come in under the radar with the help of the small.6.BA trojan, if this helps.. Let me know please,

:wtf:

#9 toblerone

Posted 15 June 2004 - 01:26 PM

I've tried restoring on about 6 different days and it keeps saying "unable to restore" :scratchhead:

#10 zeusdude

Posted 15 June 2004 - 01:50 PM

Sorry toblerone,

I am still looking for a sure cure. Drewmeister, what was the URL for the other board? Just want to make sure we are not missing anything!

ZeusDude.. :)

#11 zeusdude

Posted 15 June 2004 - 02:00 PM

Take a look here...

http://www.computerc.../postt7736.html

Now we're starting to cook with gas !

ZeusDude

#12 zeusdude

Posted 15 June 2004 - 02:03 PM

Some more data ... Research pasted in...

"Basically it's part of the Office Xp/2000 alternate use inputs so if you loaded speech or handwriting recognition options, it's there.

Thor's Hammer is made by triCerat Software and is part of the Windows Terminal Server and Citrix MetaFrame systems. It is associated with and loaded with Ctfmon.exe from Citrix Systems, Inc

Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

Thor's Hammer is the code that stores all elements in a self-replicating database called desktop2001 code named "Thor's Hammer."

For example, if a virus attempts to run an executable it will fail. In addition, programs that users download from the Internet or receive by e-mail will fail unless they have explicit permission.

So it's actually not a bad thing.

However if you want to remove it see here

http://support.micro...&NoWebContent=1

For info on the software developer
http://www.tricerat.com/ "

#13 zeusdude

Posted 15 June 2004 - 02:42 PM

:alarm:

http://www.lavasofts...showtopic=30722

Above is another cool place with great advice. (Pun intended)

I am currently scanning with ADAWARE Gold, to remove the BHOs (Browser Helper Objects) that seem more than likely the cause of this frustrating occurrence.

Hope this works for y'all,

ZeusDude

:!: :gasp:

Edited by zeusdude, 15 June 2004 - 02:45 PM.


#14 Moretrouble

Posted 15 June 2004 - 04:13 PM

The restore suggestion has (I think) solved this problem for me. I've been trying to get rid of this thing for the better part of two days.

This is what I think did the trick for me. I ran HJT and nuked all the R0s, all the O2 BHOs and almost all my O4s (if I wasn't sure it was mine, I dumped it). This was clearly overkill. If it had a "dll" or a "#" followed by a number on it, I got rid of it.

Then a bunch of R0s with numbers and "dlls" all came back anyway, as well as two O4s that had 32 in them. I figured if they kept coming back, they had to be bad. I got rid of way too much, however, and got some really funny pop-ups trying to restore my Word program, but that program seemed to be working anyway. And the internet was working at lightning-like speed.

Then on one last go-round, I changed my homepage for the millionth time, did the HJT nuke routine, and then restored my computer to a day before this nastiness started. Now everything seems fine.

I have turned my computer completely off and rebooted and no hijacking of my browser has occurred. But I did an HJT scan and there are several "dll" entries but without any "#s" or numbers. So, I guess this could all start again tomorrow. I am keeping my fingers crossed.

#15 D3hoopsnet

Posted 15 June 2004 - 04:38 PM

I just did the restore... it worked perfectly.
Still we need to find a solution to this.
Thanks guys.

#16 Vae

Posted 15 June 2004 - 04:45 PM

I can't restore my system to the previous day thing, either.

#17 pantyhose

Posted 15 June 2004 - 06:23 PM

MMMMMMM

I can't restore my system; it will not let me.

It always used to. Could the attack have done this too?

#18 NickDrake

Posted 15 June 2004 - 06:29 PM

This thing is serious. It's got me too. I'm going to try system restore.

#19 chrisgaltieri

Posted 15 June 2004 - 07:20 PM

Surely to God there is a solution to this???

It's been two days now and I'm still infected.

#20 zeusdude

Posted 15 June 2004 - 07:24 PM

Back again,

My machine is "clean", so let's see if I can help some more. :deal:

A day from the "School of Hard Knocks" :cool:
This process was not easy, too much randomness. So here are the "sure things".

Check to see if you have a file called "addmh32.exe" in the Windows directory.
So what now??? Well, get into safe mode (doing the F8 thing on system startup) and
select Safe Mode! Once in it, delete the file. Now in my case this file was read-only.
I deleted said file by using the command prompt (run cmd.exe on XP/NT or command.com on other Win 95/98), going to the Windows directory (CD\WINDOWS), then typing: ATTRIB addmh32.exe -r (PRESS ENTER)
That makes the file erasable; then type: DEL addmh32.exe (PRESS ENTER)

Now on my PC, something created a service called NETWORK SECURITY SERVICE.
If you run "services.msc" from Start, Run, you will get a list from the services manager. This refers to a file CRXN32.EXE. I have searched the net, come up with zip, so I disabled this. (Call me paranoid.)

A list of the services that should be enabled is available at this web address:
http://www.blackvipe.../servicecfg.htm
It comes with a ton of info that helps. Download the zip file as it contains a PDF file that you can transport on diskette or print. Make relevant changes (checking the file names as well).

The initial file that caused this, I think, is "d3jg32.exe" (remove this one quick).

Please send feedback as to whether this helps. Remember, try the restore as above first.

Have a good one :wave:

ZeusDude

#21 ritoun

Posted 15 June 2004 - 07:28 PM

No restore option for me. I have the same issues as described above...
any other ideas?

#22 ritoun

Posted 15 June 2004 - 07:35 PM

Neither of the files you talk about is found on my computer (d3jg32.exe or addmh32.exe), but I still have the problem...

#23 zeusdude

Posted 15 June 2004 - 07:56 PM

How about helping me here ;)

More info please...

ZeusDude.

#24 zeusdude

Posted 15 June 2004 - 08:02 PM

Check this out: join the IRC chat..

Will be here a while ;)

ZeusDude..
