dll files that won't go away


5 replies to this topic

#1 ctm1 (New Member, 4 posts)

Posted 24 June 2004 - 03:02 AM

I've read the FAQ and done it all - am at a loss.

Log from HijackThis below. (I've deleted the R0 and R1 entries, but they keep returning.)

Logfile of HijackThis v1.97.7
Scan saved at 09:53:17, on 6/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ADDUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\CRIC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\EIGENE DATEIEN\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqsmr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqsmr.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqsmr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqsmr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qqsmr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qqsmr.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\ANWENDUNGSDATEN\MSUB\MSUB.DLL (file missing)
O2 - BHO: (no name) - {87399116-4F8B-2283-16A7-16BA2B2E75F0} - C:\WINDOWS\SDKZA32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [CRIC32.EXE] C:\WINDOWS\CRIC32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADDUS.EXE] C:\WINDOWS\SYSTEM\ADDUS.EXE
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 Wiskonst (Helper, 152 posts)

Posted 24 June 2004 - 09:42 AM

Ctm1

Download About:Buster and unzip it to a folder.

Take a note of the exact (hijacked) URL you get when you open Internet Explorer.

Then fix from Hijack This:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqsmr.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqsmr.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqsmr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqsmr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qqsmr.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qqsmr.dll/sp.html#37049
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\ANWENDUNGSDATEN\MSUB\MSUB.DLL (file missing)
O4 - HKLM\..\Run: [CRIC32.EXE] C:\WINDOWS\CRIC32.EXE
O4 - HKLM\..\RunServices: [ADDUS.EXE] C:\WINDOWS\SYSTEM\ADDUS.EXE

Do this by closing all browser windows, placing a checkmark in front of the above items and clicking the Fix-button.

Do not open any browser windows until the reboot further in these instructions (print this post).

Run About:Buster and in the appropriate box paste the hijacker URL. Then hit OK.
Save the log that appears.

Then fix from HJT:
O2 - BHO: (no name) - {87399116-4F8B-2283-16A7-16BA2B2E75F0} - C:\WINDOWS\SDKZA32.DLL

Reboot, do a fix with CWShredder and post a new Hijack This log here, along with the About:Buster log.
_______
Wiskonst
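The triage Wiskonst does by eye above, written out as a small parser, is added here as an example; it is not code from the thread or from the HijackThis project. It walks the R0/R1, O2 and O4 lines of an HJT log and flags the three things the post fixes: start/search pages set to a res:// URL (the page is being served out of a module on the local disk rather than from a web site, which fits the R0/R1 values coming back after deletion while the DLL and its Run/RunServices loaders remain), BHOs whose DLL is missing or dropped straight into the Windows directory, and Run entries that are not on a known-good list and are named after their own image or live in the Windows directory. The allowlist, the name-equals-image heuristic and the cut-down sample log are constructed for this example.

```python
"""Triage a HijackThis (HJT) log for the hijack pattern shown in this thread.

Added example; not code from the thread or the HijackThis project. It parses the
R0/R1, O2 and O4 lines of an HJT log and flags:
  * R0/R1 entries whose target is a res:// URL (IE start/search page served from
    a module on the local disk instead of a web site),
  * O2 BHO entries reported "(file missing)" or whose DLL sits directly in the
    Windows directory,
  * O4 Run/RunServices entries not on an allowlist whose image sits directly in
    the Windows directory or whose value name is just the file name (heuristic).
The allowlist and the sample log are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: a cut-down version of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qqsmr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqsmr.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\ANWENDUNGSDATEN\MSUB\MSUB.DLL (file missing)
O2 - BHO: (no name) - {87399116-4F8B-2283-16A7-16BA2B2E75F0} - C:\WINDOWS\SDKZA32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [CRIC32.EXE] C:\WINDOWS\CRIC32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADDUS.EXE] C:\WINDOWS\SYSTEM\ADDUS.EXE
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
RES_URL = re.compile(r"^res://(?P<module>[^/]+)/", re.I)
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed allowlist of Run/RunServices value names known-good on this box.
KNOWN_RUN_ENTRIES = frozenset({"SystemTray", "LoadPowerProfile",
                               "StillImageMonitor", "SchedulingAgent"})


@dataclass
class Finding:
    kind: str       # hijacked_url | suspicious_bho | suspicious_run
    reason: str
    line: str
    artifact: str   # file referenced by the entry, for collection or deletion


def _basename(path: str) -> str:
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def _in_windir_root(path: str) -> bool:
    # C:\WINDOWS\x.dll, but not C:\WINDOWS\SYSTEM\x.dll or C:\PROGRAMME\...
    return re.match(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", path.strip(), re.I) is not None


def _image_of(cmd: str) -> str:
    # First token of the Run command line, honouring a quoted path.
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def triage(log_text: str, run_allowlist=KNOWN_RUN_ENTRIES) -> list:
    """Return the suspicious entries of an HJT log, in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if (m := R_LINE.match(line)):
            if (r := RES_URL.match(m.group("value"))):
                findings.append(Finding("hijacked_url",
                    "IE start/search page loaded from a local module via res://",
                    line, _basename(r.group("module"))))
        elif (m := O2_LINE.match(line)):
            path = m.group("path")
            if path.endswith("(file missing)"):
                findings.append(Finding("suspicious_bho",
                    "BHO CLSID registered but its DLL is gone (orphaned entry)",
                    line, _basename(path[: -len("(file missing)")].strip())))
            elif _in_windir_root(path):
                findings.append(Finding("suspicious_bho",
                    "BHO DLL dropped directly into the Windows directory",
                    line, _basename(path)))
        elif (m := O4_LINE.match(line)):
            name, image = m.group("name"), _image_of(m.group("cmd"))
            if name in run_allowlist:
                continue
            # Heuristic: droppers often register the value under the bare file name.
            if _in_windir_root(image) or name.lower() == _basename(image).lower():
                findings.append(Finding("suspicious_run",
                    f"{m.group('key')} entry not on the allowlist, in the Windows "
                    f"directory or named after its image", line, _basename(image)))
    return findings


def files_to_collect(findings) -> list:
    """Distinct file names the findings point at, for the sample request."""
    return sorted({f.artifact.lower() for f in findings if f.artifact})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print("collect, then delete:", ", ".join(files_to_collect(found)))
```

Run it on a full log by reading the file into `triage()`; `files_to_collect()` then gives the same list of modules the helper asks for at the end of the thread. The Windows-directory check is deliberately narrow (files directly under C:\WINDOWS, not under SYSTEM), because legitimate Win9x components such as mstask.exe live in SYSTEM; anything not on the allowlist still deserves a look by hand.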

#3 ctm1 (New Member, 4 posts)

Posted 24 June 2004 - 01:23 PM

THANK YOU for posting.

Followed your instructions. For some reason, the O4 line with CRIC32.EXE wasn't listed in HJT. Deleted the others, though, then ran About:Buster. The URL was not accepted ("The URL is incorrect.") so I got no log. (I entered the URL in several ways, including just "search-to-find.com".)

The URL is:
http://search-to-find.com/ which is followed by the query I have just entered in Google, for example:
http://search-to-fin... show&pin=37049

This is one of two URLs I get (couldn't record the other's name yet), which look like search engines. They always appear after I've entered a Google query.

The latest from HJT after following your instructions:

Logfile of HijackThis v1.97.7
Scan saved at 08:15:13, on 6/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMME\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\EIGENE DATEIEN\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

Haven't checked yet to see if the URL has gone away. Will do so now and post again if it has.

#4 ctm1 (New Member, 4 posts)

Posted 24 June 2004 - 01:28 PM

Just did several queries with Google and no strange URLs popped up - seems to be ok.

Thanks. You've just earned a donation for spywareinfo.com.

#5 Wiskonst (Helper, 152 posts)

Posted 24 June 2004 - 03:11 PM

Ctm1

For certainty you may do a scan with Ad Aware with the latest reference file.
Also clean out the temporary folders:
- C:\Windows\Temp
- C:\Documents and Settings\<name>\Local Settings\Temp
Empty the internet cache: in IE menu Tools, Options, tab General, button Delete Files.

Please keep an eye on the hijack returning and post here again if that is the case.

As this is a fairly new infection may I ask you a favour: could you zip up the following files and send them to the address I will PM you (if you have no objection):
- C:\WINDOWS\qqsmr.dll
- C:\WINDOWS\SDKZA32.DLL
- C:\WINDOWS\CRIC32.EXE
Not all of them may be found.
We will use them for analysis.

Thereafter delete these files.

Thank you in advance.
_______
Wiskonst
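For the sample request above, here is an added example (not code from the thread or from any tool it names) of how a practitioner would package the files before deleting them: record size and SHA-256 of each sample, skip the ones that are already gone (the helper warns not all may be found), store them under a neutral .bin name so nothing runs by accident, and give the analyst a check that re-hashes the archive against the manifest. The file names and contents in demo() are constructed; the real paths are the three listed in the post.

```python
"""Package suspect files for an analyst, with a hash manifest.

Added example; not code from the thread or from any tool named in it. The helper
asks for qqsmr.dll, SDKZA32.DLL and CRIC32.EXE to be zipped, warns that not all
may be present, and asks for the originals to be deleted afterwards. Recording
size and SHA-256 before deletion lets the analyst confirm that what arrived is
what was on disk. File names and contents used in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
import zipfile


def collect_samples(paths, archive_path):
    """Zip every existing file in `paths` as <name>.bin plus a manifest.json.

    Returns the manifest: {file name: {"size", "sha256"}} or None when a path
    no longer exists on disk.
    """
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in paths:
            name = os.path.basename(path)
            if not os.path.isfile(path):
                manifest[name] = None          # already gone, as the helper warned
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            manifest[name] = {"size": len(data),
                              "sha256": hashlib.sha256(data).hexdigest()}
            zf.writestr(name + ".bin", data)   # neutral extension: nothing auto-runs
        zf.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_archive(archive_path):
    """Analyst side: re-hash each packaged sample against manifest.json."""
    with zipfile.ZipFile(archive_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for name, entry in manifest.items():
            if entry is None:
                continue
            data = zf.read(name + ".bin")
            if (len(data) != entry["size"]
                    or hashlib.sha256(data).hexdigest() != entry["sha256"]):
                return False
    return True


def demo():
    """Constructed run: two samples present, one (SDKZA32.DLL) already deleted."""
    work = tempfile.mkdtemp()
    for name, data in {"qqsmr.dll": b"MZ constructed sample 1",
                       "CRIC32.EXE": b"MZ constructed sample 2"}.items():
        with open(os.path.join(work, name), "wb") as fh:
            fh.write(data)
    wanted = [os.path.join(work, n) for n in ("qqsmr.dll", "SDKZA32.DLL", "CRIC32.EXE")]
    archive = os.path.join(work, "samples.zip")
    manifest = collect_samples(wanted, archive)
    with zipfile.ZipFile(archive) as zf:
        members = sorted(zf.namelist())
    return manifest, members, verify_archive(archive)


if __name__ == "__main__":
    manifest, members, ok = demo()
    print(json.dumps(manifest, indent=2, sort_keys=True))
    print("archive members:", members, "| manifest verified:", ok)
```

Keep a copy of the printed manifest with the thread: once the originals are deleted as the helper asks, the hashes are the only record of what was on the machine, and they are what the analyst's report will refer to.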


#6 ctm1 (New Member, 4 posts)

Posted 25 June 2004 - 12:54 AM

Thanks. Did everything. The C:\WINDOWS\SDKZA32.DLL file was gone, but the other two are zipped. Where should I send them?
