Hijacked! (res: ... .dll/... 37049) My HiJack This log here...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by missives, Jun 20, 2004.

  1. missives

    missives Private E-2

    Hi,

    I seem to have been hijacked, with the home and search pages resetting to some "res" page, with some combination of letters before .dll and then the index.html#37049. (First it was res://rdssh.dll/index.html#37049, then res://degco.dll/index.html#37049, then res://hcmxb.dll/index.html#37049, and now res://ilpte.dll/index.html#37049.)

    In REGEDIT, HKEY_CURRENTUSER\Software\Microsoft\Internet Explorer\Main, the Start page is res://wfbyx.dll/index.html#37049 and the Search page is res://C:\WINDOWS\system32\wfbyx.dll/sp.html#37049. I've tried changing them but they just change back.

    (I found this suspicious file, C:\WINDOWS\system32\syskk32.exe, and thought it might be the problem, so I changed its name... This may have been folly on my part, and it seems to get recreated anyway...)

    I ran Cool Web Shredder and it said I was clean. I deleted My Web Search. And I ran AdAware and Spybot and Hijack This and PV. This is my HijackThis log.

I've run this before and checked and "fixed" the 37049 files, but back they came.

    Any advice? Thanks so much. I think it's so awesome that you help people out like this, and any help you can offer me would be very, very much appreciated! Thank you!

    Cheers,
    Karen

    Logfile of HijackThis v1.97.7
    Scan saved at 4:16:55 AM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\syslh.exe
    C:\WINDOWS\system32\wintq32.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
    C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\AOL COMPANION\COMPANION.EXE
    C:\Documents and Settings\Karen\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ilpte.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilpte.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilpte.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ilpte.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ilpte.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ilpte.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B4B127D9-941C-DF50-6E09-19E9881B830A} - C:\WINDOWS\system32\wintq32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [ntpe.exe] C:\WINDOWS\system32\ntpe.exe
    O4 - HKLM\..\Run: [syslb32.exe] C:\WINDOWS\system32\syslb32.exe
    O4 - HKLM\..\Run: [sdkby.exe] C:\WINDOWS\system32\sdkby.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [syskk32.exe] C:\WINDOWS\system32\syskk32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [wintq32.exe] C:\WINDOWS\system32\wintq32.exe
    O4 - HKLM\..\RunOnce: [syslh.exe] C:\WINDOWS\syslh.exe
    O4 - HKLM\..\RunOnce: [ieij.exe] C:\WINDOWS\ieij.exe
    O4 - HKLM\..\RunOnce: [iptv.exe] C:\WINDOWS\system32\iptv.exe
    O4 - HKLM\..\RunOnce: [iega.exe] C:\WINDOWS\system32\iega.exe
    O4 - HKLM\..\RunOnce: [winzj.exe] C:\WINDOWS\winzj.exe
    O4 - HKLM\..\RunOnce: [winef.exe] C:\WINDOWS\winef.exe
    O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe
    O4 - HKLM\..\RunOnce: [iems.exe] C:\WINDOWS\iems.exe
    O4 - HKLM\..\RunOnce: [nethz32.exe] C:\WINDOWS\system32\nethz32.exe
    O4 - HKLM\..\RunOnce: [javack32.exe] C:\WINDOWS\javack32.exe
    O4 - HKLM\..\RunOnce: [d3ap32.exe] C:\WINDOWS\d3ap32.exe
    O4 - HKLM\..\RunOnce: [winxv.exe] C:\WINDOWS\system32\winxv.exe
    O4 - HKLM\..\RunOnce: [addjp.exe] C:\WINDOWS\system32\addjp.exe
    O4 - HKLM\..\RunOnce: [apibn.exe] C:\WINDOWS\system32\apibn.exe
    O4 - HKLM\..\RunOnce: [syszc32.exe] C:\WINDOWS\syszc32.exe
    O4 - HKLM\..\RunOnce: [winna32.exe] C:\WINDOWS\system32\winna32.exe
    O4 - HKLM\..\RunOnce: [addbt32.exe] C:\WINDOWS\addbt32.exe
    O4 - HKLM\..\RunOnce: [winuo32.exe] C:\WINDOWS\system32\winuo32.exe
    O4 - HKLM\..\RunOnce: [wintc.exe] C:\WINDOWS\wintc.exe
    O4 - HKLM\..\RunOnce: [syslg.exe] C:\WINDOWS\syslg.exe
    O4 - HKLM\..\RunOnce: [msxw32.exe] C:\WINDOWS\system32\msxw32.exe
    O4 - HKLM\..\RunOnce: [sdkxo.exe] C:\WINDOWS\sdkxo.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://63.236.66.10/em/images/nocache/funw...etup1.0.0.5.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs8.chat.sc5.yahoo.com/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25410bff5dc612882e06/...ip/RdxIE601.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8157.5593981482
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab


    I also ran the PV program as suggested elsewhere, and this is that DLL log:


    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
    SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    SBHook.dll 10000000 139264 C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\SBHook.dll 05.00.00.asst_classic.smartbridge.20020518_104000 SmartBridge Hook
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    IPHook32.dll 58000000 122880 C:\Program Files\Verizon Online\Visual IP InSight\IPHook32.dll 5.5.100.92 System Hook DLL
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1400 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    AcroIEHelper.ocx 12d0000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    cryp.dll 1580000 266240 C:\WINDOWS\system32\cryp.dll
    ATL.DLL 76b20000 86016 C:\WINDOWS\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    NavShExt.dll 1830000 114688 C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll 9.00.67 Norton AntiVirusNAVShellExt Module
    ccTrust.dll 1850000 106496 C:\WINDOWS\System32\ccTrust.dll 1.01.08 Common Client ccTrust
    MSVCP60.dll 55900000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft ® C++ Runtime Library
    urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
    shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
    mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Microsoft ® HTML Viewer
    MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows™ Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    msi.dll 1f20000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
    MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    scrauth.dll 2130000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
    ScrBlock.dll 2250000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
    wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    mswsock.dll 71a50000 241664 C:\WINDOWS\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript
    wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    idleproc.dll 67f00000 28672 C:\Program Files\America Online 9.0a\idleproc.dll 9.00.000 IDLEPROC DLL
    winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
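As an added example (not from this thread, and not part of HijackThis, AdAware or any other tool named here), a short Python script that applies the three tells visible in the log above to HijackThis-style lines: an IE start or search page set to a res:// URL that serves HTML out of a DLL, an O4 Run/RunOnce value that is named after its own random-lettered binary sitting directly in %WINDIR% or system32, and a BHO with no name loading from system32. The function and regex names are mine; the sample lines are constructed from entries in the log.

```python
import re

# Constructed sample in the shape of the HijackThis log above: benign entries
# mixed with hijack-pattern entries quoted from the thread.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ilpte.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilpte.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B4B127D9-941C-DF50-6E09-19E9881B830A} - C:\WINDOWS\system32\wintq32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [syskk32.exe] C:\WINDOWS\system32\syskk32.exe
O4 - HKLM\..\RunOnce: [ieij.exe] C:\WINDOWS\ieij.exe
O4 - HKLM\..\RunOnce: [netpp32.exe] C:\WINDOWS\system32\netpp32.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
'''

# Tell 1: an IE page value set to res://<x>.dll/..., HTML served out of a DLL
# resource on the local disk rather than from a web site.
RES_DLL_PAGE = re.compile(
    r',(?P<key>[^,=]+?)\s*=\s*res://(?P<dll>[^/]+\.dll)/[^#\s]*(?:#(?P<frag>\S+))?',
    re.IGNORECASE)
# Tell 2: a Run/RunOnce value whose name is just its binary's file name and
# whose binary sits directly in %WINDIR% or %WINDIR%\system32.
O4_SELF_NAMED = re.compile(
    r'^O4 - HKLM\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] '
    r'"?(?P<path>C:\\WINDOWS\\(?:system32\\)?(?P<file>[^\\"]+))"?\s*$',
    re.IGNORECASE)
# Tell 3: a BHO with no registered name loading from system32.
O2_NONAME_SYS32 = re.compile(
    r'^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (?P<path>C:\\WINDOWS\\system32\\[^\\]+)\s*$',
    re.IGNORECASE)


def analyze(log_text):
    """Return (findings, cleanup) for HijackThis-style log text.

    findings: (section, reason, line) tuples in log order.
    cleanup:  what the findings point at, grouped so that the registry values
              and the files that re-create them are handled as one set.
    """
    findings = []
    cleanup = {"hijack_dlls": set(), "autorun_files": set(), "bho_dlls": set()}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in ("R0", "R1"):
            m = RES_DLL_PAGE.search(line)
            if m:
                dll = m.group("dll").rsplit("\\", 1)[-1].lower()
                cleanup["hijack_dlls"].add(dll)
                reason = "IE %s loads from %s" % (m.group("key"), dll)
                if m.group("frag"):
                    reason += " (fragment #%s)" % m.group("frag")
                findings.append((section, reason, line))
        elif section == "O4":
            m = O4_SELF_NAMED.match(line)
            if m and m.group("name").lower() == m.group("file").lower():
                cleanup["autorun_files"].add(m.group("path").lower())
                reason = "%s value named after its own binary in %%WINDIR%%" % m.group("key")
                findings.append((section, reason, line))
        elif section == "O2":
            m = O2_NONAME_SYS32.match(line)
            if m:
                cleanup["bho_dlls"].add(m.group("path").lower())
                findings.append((section, "unnamed BHO loading from system32", line))
    return findings, cleanup


if __name__ == "__main__":
    found, todo = analyze(SAMPLE_LOG)
    for section, reason, line in found:
        print("%-3s %s\n    %s" % (section, reason, line))
    for kind, items in sorted(todo.items()):
        print("%s: %s" % (kind, ", ".join(sorted(items)) or "none"))
```

The grouped cleanup set is the point: as the thread shows, resetting the Start Page value alone is undone at the next boot by the RunOnce binaries, so the values and the files behind them have to be dealt with together.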
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Search these forums, this is a new variant and is being discussed constantly.
     
  3. missives

    missives Private E-2

    Hi,

    Thanks for your reply. I certainly have been reading through all the similar threads. And as I noted, I ran all the suggested programs. Now I'm at the point where I need help analyzing what to delete from my Hijack This log, and what else to do. My impression from reading this board was that someone here would be able to advise me on that. That's why I posted the logs. Please let me know if that's an unrealistic expectation. Thank you!

    Additional info: I too have been getting pop ups on IE from Only The Best. And I'm running Windows XP.

    It seems that everyone's problem with the res: *** .dll is similar but a bit different. That's part of why the people here suggest folks start their own threads...

    Thanks again!

    ~Karen
     
  4. missives

    missives Private E-2

    Problem seems to be fixed. AdAware update...

    Well after running all my anti spyware programs several times and then getting their updates and running them again, AdAware found Cool Web Search (that Cool Web Shredder had NOT found) on my computer. After deleting those, and running Norton and Spybot and Cool Web Shredder and XCleaner again, the problem has been gone after two hours and several reboots.

    So I've got my fingers crossed for me and everyone else with this problem.

    Thanks anyway, everyone!
     
  5. missives

    missives Private E-2

    This is a log of what AdAware removed from my machine when it found Cool Web Search. So these files may be part of what are causing problems for other people here too...

    After these were deleted all my problems went away...


    ArchiveData(auto-quarantine- 20-06-2004 22-31-20.bckp)
    ======================================================

    CLEARSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[2]=Folder : c:\docume~1\karen\locals~1\temp\ClrSch
    obj[69]=File : c:\windows\system32\cs4p028.exe

    POSSIBLE BROWSER HIJACK ATTEMPT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[3]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[4]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[5]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[33]=RegKey : Software\XCleaner

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[6]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[7]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[8]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[9]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[10]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[11]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[12]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[13]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[14]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[15]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[16]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[17]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[18]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[19]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[20]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[21]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[22]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[23]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[24]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[25]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[26]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[27]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[28]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[29]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[30]=RegValue : Software\Microsoft\Windows\CurrentVersion\RunOnce
    obj[31]=RegValue : Software\Microsoft\Windows\CurrentVersion\Run
    obj[35]=RegKey : SYSTEM\CurrentControlSet\Services\__NS_Service_3
    obj[38]=File : c:\windows\ieij.exe
    obj[39]=File : c:\windows\system32\iptv.exe
    obj[40]=File : c:\windows\system32\iega.exe
    obj[41]=File : c:\windows\winzj.exe
    obj[42]=File : c:\windows\winef.exe
    obj[43]=File : c:\windows\system32\netpp32.exe
    obj[44]=File : c:\windows\iems.exe
    obj[45]=File : c:\windows\system32\nethz32.exe
    obj[46]=File : c:\windows\javack32.exe
    obj[47]=File : c:\windows\d3ap32.exe
    obj[48]=File : c:\windows\system32\winxv.exe
    obj[49]=File : c:\windows\system32\addjp.exe
    obj[50]=File : c:\windows\system32\apibn.exe
    obj[51]=File : c:\windows\syszc32.exe
    obj[52]=File : c:\windows\system32\winna32.exe
    obj[53]=File : c:\windows\addbt32.exe
    obj[54]=File : c:\windows\system32\winuo32.exe
    obj[55]=File : c:\windows\wintc.exe
    obj[56]=File : c:\windows\syslg.exe
    obj[57]=File : c:\windows\system32\msxw32.exe
    obj[58]=File : c:\windows\sdkxo.exe
    obj[59]=File : c:\windows\system32\apigr32.exe
    obj[60]=File : c:\windows\system32\d3zr32.exe
    obj[61]=File : c:\windows\system32\d3gs.exe
    obj[63]=File : c:\windows\system32\addla.dll
    obj[64]=File : c:\windows\system32\apimz.dll
    obj[65]=File : c:\windows\system32\apiun32.exe
    obj[66]=File : c:\windows\system32\atlpd.exe
    obj[67]=File : c:\windows\system32\badsyskk32.exe
    obj[68]=File : c:\windows\system32\cryp.dll
    obj[70]=File : c:\windows\system32\ezgkn.dll
    obj[71]=File : c:\windows\system32\ilpte.dll
    obj[72]=File : c:\windows\system32\ipjf32.dll
    obj[73]=File : c:\windows\system32\iprp.dll
    obj[74]=File : c:\windows\system32\iprp.exe
    obj[75]=File : c:\windows\system32\javaht32.dll
    obj[76]=File : c:\windows\system32\javask.exe
    obj[77]=File : c:\windows\system32\ksqps.dll
    obj[78]=File : c:\windows\system32\lftxc.dll
    obj[79]=File : c:\windows\system32\mfchn.exe
    obj[80]=File : c:\windows\system32\mssb32.dll
    obj[81]=File : c:\windows\system32\msye.dll
    obj[82]=File : c:\windows\system32\msye.exe
    obj[83]=File : c:\windows\system32\netfb32.dll
    obj[84]=File : c:\windows\system32\ntdg32.exe
    obj[85]=File : c:\windows\system32\ntrs.exe
    obj[86]=File : c:\windows\system32\ooiom.dll
    obj[87]=File : c:\windows\system32\sdkby.dll
    obj[88]=File : c:\windows\system32\sdkby.exe
    obj[89]=File : c:\windows\system32\syskk32.dll
    obj[90]=File : c:\windows\system32\syskk32.exe
    obj[91]=File : c:\windows\system32\syslb32.dll
    obj[92]=File : c:\windows\system32\syslb32.exe
    obj[93]=File : c:\windows\system32\sysnq.dll
    obj[94]=File : c:\windows\system32\wfbyx.dll
    obj[95]=File : c:\windows\system32\wintq32.dll
    obj[96]=File : c:\windows\system32\wintq32.exe

    WIN32.ADVERTS.TROJANDOWNLOADER
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[32]=RegKey : CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}
    obj[34]=RegKey : PROTOCOLS\Handler\icoo
    obj[36]=RegKey : Software\Adverts
    obj[37]=RegKey : icoo

    VX2.BETTERINTERNET
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[62]=File : c:\windows\system32\0021-bdl94126.exe
     
