system
April 21, 2004, 3:22am
1
Originally I got the home page replaced, and I ran CWShredder.exe and HijackThis.exe, and the searchx problem is gone. But whenever I type a wrong URL, it’s redirected to the linklist.cc page. I ran the pv utility as published in other posts, but I couldn’t find the suspicious dll. I did a search for linklist for dlls under winnt and winnt\system32, and couldn’t find a match either. Any idea how to fix it?
Module information for ‘IEXPLORE.EXE’
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE
ntdll.dll 77f80000 499712 C:\WINNT\system32\ntdll.dll
msvcrt.dll 78000000 286720 C:\WINNT\system32\msvcrt.dll
KERNEL32.dll 77e80000 724992 C:\WINNT\system32\KERNEL32.dll
USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll
GDI32.dll 77f40000 233472 C:\WINNT\system32\GDI32.dll
SHLWAPI.dll 70a70000 413696 C:\WINNT\system32\SHLWAPI.dll
ADVAPI32.dll 77db0000 372736 C:\WINNT\system32\ADVAPI32.dll
RPCRT4.dll 77d30000 450560 C:\WINNT\system32\RPCRT4.dll
SHDOCVW.dll 71700000 1347584 C:\WINNT\System32\SHDOCVW.dll
WS2_32.DLL 75030000 77824 C:\WINNT\System32\WS2_32.DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\System32\WS2HELP.DLL
comctl32.dll 950000 540672 C:\WINNT\system32\comctl32.dll
SHELL32.dll 782f0000 2383872 C:\WINNT\system32\SHELL32.dll
ole32.dll 77a50000 966656 C:\WINNT\system32\ole32.dll
CnsMin.dll 37210000 229376 C:\WINNT\DOWNLO~1\CnsMin.dll
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL
helper.dll 53000000 28672 C:\PROGRA~1\3721\helper.dll
SynTPFcs.dll 63000000 81920 C:\WINNT\System32\SynTPFcs.dll
MSCTF.dll 60000000 282624 C:\WINNT\System32\MSCTF.dll
Cjktl32.dll 37f00000 77824 C:\Program Files\Kingsoft\XdictEJC\Cjktl32.dll
BROWSEUI.dll 71500000 1036288 C:\WINNT\System32\BROWSEUI.dll
browselc.dll 71960000 73728 C:\WINNT\System32\browselc.dll
CLBCATQ.DLL 775a0000 544768 C:\WINNT\System32\CLBCATQ.DLL
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll
WININET.dll 15b0000 614400 C:\WINNT\system32\WININET.dll
CRYPT32.dll 77440000 483328 C:\WINNT\system32\CRYPT32.dll
MSASN1.dll 77430000 65536 C:\WINNT\system32\MSASN1.dll
cscui.dll 77840000 249856 C:\WINNT\System32\cscui.dll
CSCDLL.DLL 770c0000 143360 C:\WINNT\System32\CSCDLL.DLL
shdoclc.dll 718c0000 540672 C:\WINNT\System32\shdoclc.dll
urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll
mlang.dll 70440000 585728 C:\WINNT\System32\mlang.dll
mshtml.dll 63580000 2818048 C:\WINNT\System32\mshtml.dll
AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
CnsHook.dll 37260000 73728 C:\WINNT\DOWNLO~1\CnsHook.dll
WSOCK32.dll 75050000 32768 C:\WINNT\System32\WSOCK32.dll
SETUPAPI.dll 77880000 577536 C:\WINNT\System32\SETUPAPI.dll
USERENV.DLL 77c10000 380928 C:\WINNT\System32\USERENV.DLL
RASAPI32.dll 774e0000 204800 C:\WINNT\System32\RASAPI32.dll
RASMAN.DLL 774c0000 69632 C:\WINNT\System32\RASMAN.DLL
TAPI32.DLL 77530000 139264 C:\WINNT\System32\TAPI32.DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\System32\RTUTILS.DLL
msafd.dll 74fd0000 118784 C:\WINNT\system32\msafd.dll
wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll
sensapi.dll 75ab0000 20480 C:\WINNT\System32\sensapi.dll
netapi32.dll 75170000 323584 C:\WINNT\System32\netapi32.dll
Secur32.dll 77be0000 61440 C:\WINNT\System32\Secur32.dll
NETRAP.dll 751c0000 24576 C:\WINNT\System32\NETRAP.dll
SAMLIB.dll 75150000 65536 C:\WINNT\System32\SAMLIB.dll
WLDAP32.dll 77950000 163840 C:\WINNT\system32\WLDAP32.dll
DNSAPI.dll 77980000 147456 C:\WINNT\System32\DNSAPI.dll
rsabase.dll 7ca00000 139264 C:\WINNT\System32\rsabase.dll
msi.dll 770f0000 2084864 C:\WINNT\System32\msi.dll
rnr20.dll 782c0000 49152 C:\WINNT\System32\rnr20.dll
iphlpapi.dll 77340000 77824 C:\WINNT\System32\iphlpapi.dll
ICMP.DLL 77520000 20480 C:\WINNT\System32\ICMP.DLL
MPRAPI.DLL 77320000 94208 C:\WINNT\System32\MPRAPI.DLL
ACTIVEDS.DLL 773b0000 188416 C:\WINNT\System32\ACTIVEDS.DLL
ADSLDPC.DLL 77380000 139264 C:\WINNT\System32\ADSLDPC.DLL
DHCPCSVC.DLL 77360000 102400 C:\WINNT\System32\DHCPCSVC.DLL
msimtf.dll 60280000 176128 C:\WINNT\System32\msimtf.dll
sptip.dll 60180000 241664 C:\WINNT\IME\sptip.dll
SKCHUI.DLL 3210000 372736 C:\Program Files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
OWSCLT.DLL 327f0000 614400 C:\PROGRA~1\MICROS~2\Office10\OWSCLT.DLL
jscript.dll 6b700000 589824 C:\WINNT\System32\jscript.dll
MSLS31.DLL 75ac0000 163840 C:\WINNT\System32\MSLS31.DLL
MPR.dll 76620000 65536 C:\WINNT\system32\MPR.dll
ocltint.dll 32b40000 114688 C:\Program Files\Microsoft Office XP\Office10\1033\ocltint.dll
winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll
imgutil.dll 70510000 40960 C:\WINNT\System32\imgutil.dll
rasadhlp.dll 777f0000 20480 C:\WINNT\System32\rasadhlp.dll
security.dll 75500000 16384 C:\WINNT\System32\security.dll
msv1_0.dll 782d0000 122880 C:\WINNT\system32\msv1_0.dll
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office XP\Office10\msohev.dll
mshtmled.dll 70f30000 450560 C:\WINNT\System32\mshtmled.dll
CnsMinIO.dll 48f0000 65536 C:\WINNT\DOWNLO~1\CnsMinIO.dll
cnsio.dll 4900000 151552 C:\WINNT\DOWNLO~1\cnsio.dll
CnsMinSV.dll 37250000 28672 C:\WINNT\DOWNLO~1\CnsMinSV.dll
Cabinet.dll 75a00000 77824 C:\WINNT\System32\Cabinet.dll
ccasenp.dll 23400000 45056 C:\Program Files\Rational\ClearCase\bin\ccasenp.dll
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL
Danp.dll 4aa0000 139264 C:\WINNT\System32\Danp.dll
dacfg.cpl 4ad0000 229376 C:\WINNT\System32\dacfg.cpl
comdlg32.dll 76b30000 249856 C:\WINNT\system32\comdlg32.dll
LIBATRIANT.dll 21400000 110592 C:\Program Files\Rational\ClearCase\bin\LIBATRIANT.dll
IMM32.dll 75e60000 106496 C:\WINNT\System32\IMM32.dll
iepeers.dll 70fb0000 241664 C:\WINNT\System32\iepeers.dll
WINSPOOL.DRV 77800000 122880 C:\WINNT\System32\WINSPOOL.DRV
MSRATING.DLL 70400000 143360 C:\WINNT\System32\MSRATING.DLL
msratelc.dll 30000000 69632 C:\WINNT\System32\msratelc.dll
actxprxy.dll 703d0000 110592 C:\WINNT\System32\actxprxy.dll
raman
April 21, 2004, 6:54am
2
Two possibilities: a new variant of linklist with a different filesize, or a variant which does not use this special “trick”. So please post a HijackThis log to eliminate the second choice.
system
April 21, 2004, 9:17pm
3
??? Hi, can anyone help me read this log? I’d like to get this linklist.cc away forever!
Logfile of HijackThis v1.97.7
Scan saved at 23:07:45, on 2004-04-21
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program\NavNT\defwatch.exe
C:\Program\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\RunDll32.exe
C:\Program\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Program\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program\DELADE~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\qttask.exe
C:\Program\ThinkPad\Utilities\tponscr.exe
C:\WINNT\System32\hpnra.exe
C:\WINNT\system32\internat.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program\SMS Executive\SMS Quicklaunch.exe
C:\Program\FinePixViewer\QuickDCF.exe
C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRAM\ERICSSON\COMMUN~1\MOBILE~1\DbgOut.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.autobytel.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com ;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.autobytel.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM..\Run: [Promon.exe] Promon.exe
O4 - HKLM..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [TPTRAY] C:\Program\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM..\Run: [TpHotkey] C:\Program\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [XTNDConnect PC - ErPhn2] C:\Program\DELADE~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [TrojanScanner] C:\Program\Trojan Remover\Trjscan.exe
O4 - HKCU..\Run: [internat.exe] internat.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKLM..\RunOnce: [SpyBotSnD] “C:\Program\Spybot - Search & Destroy\SpybotSD.exe” /autocheck
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINNT\is-IRDEN.exe /REG
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: SMS Quicklaunch.lnk = C:\Program\SMS Executive\SMS Quicklaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\Program\MICROS~2\Office\1053\phdintl.dll/phdContext.htm
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{E060A800-0EBD-418C-A4E9-B896EB17E98C}: NameServer = 10.0.0.1,10.0.0.2
raman
April 22, 2004, 3:59am
4
Please fix this:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINNT\is-IRDEN.exe /REG
Restart and see if it worked or not.
system
April 22, 2004, 11:17am
5
Thanks Ralf!
It worked for 10 min. Now it’s back!
Here is a new log file! Did we miss anything?
Logfile of HijackThis v1.97.7
Scan saved at 13:10:52, on 2004-04-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program\NavNT\defwatch.exe
C:\Program\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\RunDll32.exe
C:\Program\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Program\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program\DELADE~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\hpnra.exe
C:\WINNT\system32\internat.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program\SMS Executive\SMS Quicklaunch.exe
C:\Program\FinePixViewer\QuickDCF.exe
C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRAM\ERICSSON\COMMUN~1\MOBILE~1\DbgOut.exe
C:\PROGRAM\ERICSSON\COMMUN~1\MOBILE~1\EPMWOR~1.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com ;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.autobytel.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D62892B2-FF86-48D8-A38C-9B53BC749F72} - C:\WINNT\system32\npe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM..\Run: [Promon.exe] Promon.exe
O4 - HKLM..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [TPTRAY] C:\Program\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM..\Run: [TpHotkey] C:\Program\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [XTNDConnect PC - ErPhn2] C:\Program\DELADE~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [TrojanScanner] C:\Program\Trojan Remover\Trjscan.exe
O4 - HKCU..\Run: [internat.exe] internat.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program\MSN Messenger\MsnMsgr.Exe” /background
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: SMS Quicklaunch.lnk = C:\Program\SMS Executive\SMS Quicklaunch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\Program\MICROS~2\Office\1053\phdintl.dll/phdContext.htm
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{E060A800-0EBD-418C-A4E9-B896EB17E98C}: NameServer = 10.0.0.1,10.0.0.2
system
April 22, 2004, 11:38am
6
Hi,
Reboot in Safe Mode (F8 boot) and fix everything in R0, R1,
and also every item with npe.dll.
O17 (your nameserver): does this belong to your router/proxy??
Of course you have to update your Windows and secure your IE (disable ActiveX & scripting, except for known, secure sites…).
More info in the board…
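As an added example (not code from this thread or from HijackThis), a small Python triage script that applies the rule in the post above to HijackThis v1.97-format log lines: it finds a DLL that both serves the IE search pages through a res:// URL (R0/R1) and is registered as an O2 BHO, then lists all R0/R1 entries plus every entry referencing that DLL. The sample lines are constructed, modelled on the logs posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.97 log format, modelled on the logs
# posted in this thread (not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\npe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.autobytel.se/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D62892B2-FF86-48D8-A38C-9B53BC749F72} - C:\WINNT\system32\npe.dll
O4 - HKLM..\Run: [tourpath] regedit /s c:\winnt\tour.reg
"""

# Every HijackThis entry line starts with a section tag: "R1 - <body>", "O2 - <body>", ...
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Search page served out of a local DLL resource: res://<path>.dll/<page>
RES_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# O2 body layout: "BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<dll>.+\.dll)\s*$", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) pairs for every entry line; the process list is skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def dll_name(path):
    """Bare lower-case file name of a DLL path, whichever separator is used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hijacker_dlls(log_text):
    """Map dll name -> {"res_entries": [...], "bho_entries": [...]} for every DLL
    that both serves an IE search page via res:// (R0/R1) and is loaded as a BHO (O2).
    A legitimate BHO such as SDHelper.dll never appears in R0/R1, so it is not reported."""
    res_refs = defaultdict(list)
    bho_refs = defaultdict(list)
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1"):
            m = RES_RE.search(body)
            if m:
                res_refs[dll_name(m.group("dll"))].append(f"{kind} - {body}")
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m:
                bho_refs[dll_name(m.group("dll"))].append(f"{kind} - {body}")
    return {dll: {"res_entries": res_refs[dll], "bho_entries": bho_refs[dll]}
            for dll in res_refs if dll in bho_refs}


def entries_to_fix(log_text, dll):
    """The fix list from the post above: all R0/R1 entries plus every entry
    that references the identified DLL, in log order."""
    dll = dll.lower()
    return [f"{kind} - {body}" for kind, body in parse_entries(log_text)
            if kind in ("R0", "R1") or dll in body.lower()]


if __name__ == "__main__":
    for dll, refs in find_hijacker_dlls(SAMPLE_LOG).items():
        print(f"suspect: {dll}")
        for line in entries_to_fix(SAMPLE_LOG, dll):
            print("  fix:", line)
```

Feed it a full saved log instead of SAMPLE_LOG and the same two functions pick out the DLL and the entries to fix; it only reads the log and changes nothing on the machine.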
raman
April 22, 2004, 12:06pm
7
No, we didn’t, but now we know what file we need to “kill”!
But before you do that (what whocares recommends), please send Avast ( virusasw.cz ) this file C:\WINNT\system32\npe.dll so they can add it to their database!
system
April 28, 2004, 3:57am
8
Please help me!!! This is upsetting! Here’s my HijackThis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxasreg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ASMONTRR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\iidivinex172ii\Local Settings\Temporary Internet Files\Content.IE5\AUVFOI2H\HijackThis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lflkdaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lflkdaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lflkdaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lflkdaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lflkdaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lflkdaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AC9431B-741E-4DAB-8B59-EBD688076A40} - C:\WINDOWS\System32\lflkdaa.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [DeadAIM] rundll32.exe “C:\Program Files\AIM95\DeadAIM.ocm”,ExportedCheckODLs
O4 - HKLM..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM..\Run: [ASMONTRR] C:\WINDOWS\System32\ASMONTRR.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
raman
April 28, 2004, 9:41am
9