Can't fix spad/myexexex

tcoltrane · Jun 9, 2004

I have read several threads on this problem and have tried everything that has been suggested but I am still getting redirected to myexexex.com. It only happens twice a day, when I first get online. I can make it happen more by changing the system date. Also , when the redirect happens a program named with 4 random letters and a .dat extension shows up in my temp directory (jghj.dat for example). It in turn creates a .bat file also named with 4 random letters and opens a cmd.exe process that continuously calls the .bat file. I have fixed everything obvious with hijackthis and deleted the spad folder from my C: drive which stopped the home page reset, but I am still getting redirected while surfing, usually when I hit the back button. I have also run the posted registry fix and rebooted into safe mode to search for c_10230.dll and HPCMDTY.dll. My system did not find either of these dlls. I have set it to show hidden and protected files. I am including the logs form hijack this, pv and dllfix as well as the contents of the .bat file that the .dat file is calling. I would appreciate any help with this.

Logfile of HijackThis v1.97.7
Scan saved at 11:15:44 AM, on 06/09/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Documents and Settings\tcoltrane\Desktop\spyware\procexp.exe
C:\DOCUME~1\TCOLTR~1\LOCALS~1\Temp\eilb.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wral.com/index.html"); (C:\Documents and Settings\tcoltrane\Application Data\Mozilla\Profiles\default\keawwu16.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tcoltrane\Application Data\Mozilla\Profiles\default\keawwu16.slt\prefs.js)
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: http://cbc2-245.cbc-raleigh.com
O15 - Trusted Zone: http://cbcnt10.cbc-raleigh.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} - http://cbcnt10.cbc-raleigh.com/jinit11718.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.0_02) - http://webnt03.cbc-raleigh.com/Analyzer6_Server/j2re-1_3_0_02-win-i.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38079.3004282407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6FBD92F-CD22-4B6C-9DD8-531F88978E93}: Domain = fis0002.cbc-raleigh.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cbc-raleigh.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cbc-raleigh.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cbc-raleigh.com

pv log

Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 Internet Explorer
ntdll.dll 77f80000 499712 C:\WINNT\system32\ntdll.dll 5.00.2195.6685 NT Layer DLL
msvcrt.dll 78000000 286720 C:\WINNT\system32\msvcrt.dll 6.10.8924.0 Microsoft (R) C Runtime Library
KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6794 Windows NT BASE API Client DLL
USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll 5.00.2195.6799 Windows 2000 USER API Client DLL
GDI32.dll 77f40000 233472 C:\WINNT\system32\GDI32.dll 5.00.2195.6762 GDI Client DLL
SHLWAPI.dll 70bd0000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1106 Shell Light-weight Utility Library
ADVAPI32.dll 77db0000 372736 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.5992 Advanced Windows 32 Base API
RPCRT4.dll 77d30000 450560 C:\WINNT\system32\RPCRT4.dll 5.00.2195.6802 Remote Procedure Call Runtime
SHDOCVW.dll 71000000 1347584 C:\WINNT\system32\SHDOCVW.dll 6.00.2800.1106 Shell Doc Object and Control Library
comctl32.dll 71710000 540672 C:\WINNT\system32\comctl32.dll 5.81 Common Controls Library
SHELL32.dll 782f0000 2355200 C:\WINNT\system32\SHELL32.dll 5.00.3502.4718 Windows Shell Common Dll
ole32.dll 77a50000 966656 C:\WINNT\system32\ole32.dll 5.00.2195.6810 Microsoft OLE for Windows
BROWSEUI.dll 71160000 1036288 C:\WINNT\system32\BROWSEUI.dll 6.00.2800.1106 Shell Browser UI Library
browselc.dll 71960000 73728 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
CLBCATQ.DLL 775a0000 544768 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3471.1
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4517
WININET.dll 70200000 610304 C:\WINNT\system32\WININET.dll 6.00.2800.1106 Internet Extensions for Win32
CRYPT32.dll 77440000 483328 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6072 Crypto API32
MSASN1.dll 77430000 65536 C:\WINNT\system32\MSASN1.dll 5.00.2195.6823 ASN.1 Runtime APIs
googletoolbar1.dll 10000000 786432 c:\program files\google\googletoolbar1.dll 2, 0, 111, 0 Google IE Client Toolbar
SETUPAPI.dll 77880000 577536 C:\WINNT\system32\SETUPAPI.dll 5.00.2195.2663 Windows Setup API
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
urlmon.dll 702b0000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1106 OLE32 Extensions for Win32
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2134.1 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2134.1 LZ Expand/Compress API DLL
WSOCK32.dll 75050000 32768 C:\WINNT\system32\WSOCK32.dll 5.00.2195.2871 Windows Socket 32-Bit DLL
WS2_32.DLL 75030000 77824 C:\WINNT\system32\WS2_32.DLL 5.00.2195.2780 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
WINTRUST.dll 76930000 176128 C:\WINNT\system32\WINTRUST.dll 5.131.2195.2779 Microsoft Trust Verification APIs
IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.2778 Windows NT Image Helper
WINMM.dll 77570000 196608 C:\WINNT\system32\WINMM.dll 5.00.2161.1 MCI API DLL
serwvdrv.dll 681a0000 28672 C:\WINNT\system32\serwvdrv.dll 5.00.2134.1 Unimodem Serial Wave driver
umdmxfrm.dll 66740000 28672 C:\WINNT\system32\umdmxfrm.dll 5.00.2134.1 Unimodem Tranform Module
rsaenh.dll 7ca00000 143360 C:\WINNT\system32\rsaenh.dll 5.00.2195.2228 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
RASAPI32.DLL 774e0000 204800 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.4983 Remote Access API
rasman.dll 774c0000 69632 C:\WINNT\system32\rasman.dll 5.00.2195.4983 Remote Access Connection Manager
TAPI32.dll 77530000 139264 C:\WINNT\system32\TAPI32.dll 5.00.2182.1 Microsoft® Windows(TM) Telephony API Client DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
sensapi.dll 75ab0000 20480 C:\WINNT\system32\sensapi.dll 5.00.2163.1 SENS Connectivity API DLL
netapi32.dll 75170000 323584 C:\WINNT\system32\netapi32.dll 5.00.2195.5979 Net Win32 API DLL
Secur32.dll 77be0000 61440 C:\WINNT\system32\Secur32.dll 5.00.2195.2862 Security Support Provider Interface
NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.dll 75150000 65536 C:\WINNT\system32\SAMLIB.dll 5.00.2195.2780 SAM Library DLL
WLDAP32.dll 77950000 163840 C:\WINNT\system32\WLDAP32.dll 5.00.2195.5944 Win32 LDAP API DLL
DNSAPI.dll 77980000 147456 C:\WINNT\system32\DNSAPI.dll 5.00.2195.6012 DNS Client API DLL
rsabase.dll 1560000 139264 C:\WINNT\system32\rsabase.dll 5.00.2195.2228 Microsoft Base Cryptographic Provider (Export Version)
SnagItBHO.dll 15c0000 49152 C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll 1.0.1 SnagIt Browser Helper Object for Internet Explorer
MSVCR71.dll 7c340000 352256 C:\Program Files\TechSmith\SnagIt 7\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
AcroIEHelper.ocx 15e0000 32768 C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
SDHelper.dll 1630000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 695e0000 167936 C:\WINNT\system32\olepro32.dll 5.0.4517
adobemain.dll 1c10000 196608 C:\WINNT\System32\adobemain.dll
shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
mlang.dll 70440000 585728 C:\WINNT\system32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
msafd.dll 74fd0000 126976 C:\WINNT\system32\msafd.dll 5.00.2195.2779 Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.2104 Windows Sockets Helper DLL
rnr20.dll 785c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.2871 Windows Socket2 NameSpace DLL
iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2173.2 IP Helper API
ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
ACTIVEDS.DLL 773b0000 188416 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.2778 ADs Router Layer DLL
ADSLDPC.DLL 77380000 139264 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.5781 ADs LDAP Provider C DLL
DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.2778 DHCP Client Service
winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
mshtml.dll 70c50000 2805760 C:\WINNT\system32\mshtml.dll 6.00.2800.1106 Microsoft (R) HTML Viewer
IMM32.DLL 75e60000 106496 C:\WINNT\system32\IMM32.DLL 5.00.2195.2821 Windows 2000 IMM32 API Client DLL
jscript.dll 6b700000 589824 C:\WINNT\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
actxprxy.dll 703d0000 110592 C:\WINNT\system32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
wdmaud.drv 77560000 36864 C:\WINNT\system32\wdmaud.drv 5.00.2195.2669 WDM Audio driver mapper
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
ddrawex.dll 727f0000 36864 C:\WINNT\System32\ddrawex.dll 5.00.2134.1 Direct Draw Ex
DDRAW.dll 51000000 278528 C:\WINNT\System32\DDRAW.dll 5.1.2600.881 built by: Lab06_N(mmbuild) Microsoft DirectDraw
DCIMAN32.dll 728a0000 24576 C:\WINNT\System32\DCIMAN32.dll 5.00.2180.1 DCI Manager
corpol.dll 6d380000 32768 C:\WINNT\system32\corpol.dll 1998.03.6074.0 Microsoft COM Runtime Execution Engine
SOFTPUB.DLL 75740000 20480 C:\WINNT\system32\SOFTPUB.DLL 5.131.2134.1 Softpub Forwarder DLL
cryptnet.dll 75a20000 57344 C:\WINNT\system32\cryptnet.dll 5.131.2157.1 Crypto Network Related API
riched32.dll 76b20000 20480 C:\WINNT\system32\riched32.dll 5.00.2134.1 Wrapper Dll for Richedit 1.0
RICHED20.dll 772b0000 442368 C:\WINNT\system32\RICHED20.dll 5.30.23.1205 Rich Text Edit Control, v3.0
javacypt.dll 6d5a0000 192512 C:\WINNT\system32\javacypt.dll 5.00.3802 MS Crypt Dll for Java
msjava.dll 6b050000 958464 C:\WINNT\system32\msjava.dll 5.00.3802 Microsoft® VM
VMHELPER.DLL 66130000 294912 C:\WINNT\system32\VMHELPER.DLL 5.00.3802 Microsoft® VM Helper Library
imgutil.dll 70510000 40960 C:\WINNT\system32\imgutil.dll 6.00.2800.1106 IE plugin image decoder support DLL
mshtmled.dll 70f30000 450560 C:\WINNT\system32\mshtmled.dll 6.00.2800.1106 Microsoft (R) HTML Editing Component
MPR.DLL 75090000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.2779 Multiple Provider Router DLL
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2157.1 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2134.1 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
iepeers.dll 70fb0000 241664 C:\WINNT\system32\iepeers.dll 6.00.2800.1106 Internet Explorer Peer Objects
WINSPOOL.DRV 77800000 122880 C:\WINNT\system32\WINSPOOL.DRV 5.00.2195.6032 Windows Spooler Driver
dispex.dll 6d40000 45056 C:\WINNT\System32\dispex.dll 5.6.0.6626 Microsoft (r) DispEx
QuickTimeWebHelper.qtx 62c80000 192512 C:\WINNT\system32\QuickTime\QuickTimeWebHelper.qtx 5.0.2 QuickTime Web Helper
QuickTime.qts 62800000 3960832 C:\WINNT\system32\QuickTime.qts 5.0.2 QuickTime
comdlg32.dll 76b30000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3103.1000 Common Dialogs DLL
dsound.dll 51080000 344064 C:\WINNT\system32\dsound.dll 5.1.2600.881 built by: DShow_Build DirectSound
QuickTimeAuthoring.qtx 62e40000 1310720 C:\WINNT\SYSTEM32\QuickTime\QuickTimeAuthoring.qtx 5.0.2 QuickTime Authoring
QuickTimeEssentials.qtx 631c0000 471040 C:\WINNT\SYSTEM32\QuickTime\QuickTimeEssentials.qtx 5.0.2 QuickTime Essentials
QuickTimeInternetExtras.qtx 62d70000 827392 C:\WINNT\SYSTEM32\QuickTime\QuickTimeInternetExtras.qtx 5.0.1 QuickTime Internet Extras
QuickTimeMusic.qtx 630b0000 442368 C:\WINNT\SYSTEM32\QuickTime\QuickTimeMusic.qtx 5.0.2 QuickTime Music
QuickTimeStreaming.qtx 62bd0000 720896 C:\WINNT\SYSTEM32\QuickTime\QuickTimeStreaming.qtx 5.0.2 QuickTime Streaming
QuickTimeStreamingExtras.qtx 63320000 106496 C:\WINNT\SYSTEM32\QuickTime\QuickTimeStreamingExtras.qtx 5.0.1 QuickTime Streaming Extras
QuickTimeVR.qtx 62cd0000 372736 C:\WINNT\SYSTEM32\QuickTimeVR.qtx 5.0.2 QuickTime VR
wmploc.dll 8110000 2940928 C:\WINNT\System32\wmploc.dll 9.00.00.2980 Windows Media Player
WMASF.DLL 6f80000 233472 C:\WINNT\system32\WMASF.DLL 9.00.00.2980 built by: lab03_dev(bld4act) Windows Media ASF DLL
wmnetmgr.dll 72b0000 1007616 C:\WINNT\System32\wmnetmgr.dll 9.00.00.2980 Windows Media Network Plugin Manager DLL
msv1_0.dll 782d0000 122880 C:\WINNT\system32\msv1_0.dll 5.00.2195.6006 Microsoft Authentication Package v1.0
digest.dll 96f0000 65536 C:\WINNT\system32\digest.dll 6.00.2800.1106 Digest SSPI Authentication Package
pstorec.dll 69000000 49152 C:\WINNT\system32\pstorec.dll 5.00.2134.1 Protected Storage COM interfaces
ATL.DLL 773e0000 73728 C:\WINNT\system32\ATL.DLL 3.00.8449 ATL Module for Windows NT (Unicode)
quartz.dll 35500000 1875968 C:\WINNT\System32\quartz.dll 6.03.01.0886 DirectShow Runtime.
msdmo.dll 9c30000 24576 C:\WINNT\system32\msdmo.dll
KsUser.dll 5ef80000 16384 C:\WINNT\system32\KsUser.dll 5.1.2258.400 built by: Lab06_N(mmbuild) User CSA Library
MSRATING.DLL 70400000 143360 C:\WINNT\system32\MSRATING.DLL 6.00.2800.1106 Internet Ratings and Local User Management DLL
msratelc.dll 30000000 69632 C:\WINNT\system32\msratelc.dll 6.00.2800.1106 Internet Ratings and Local User Management DLL
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
plugin.ocx 6e90000 98304 C:\WINNT\system32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX

dllfix log

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Wed 06/09/2004
11:22a

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (24B3:55E1) - FS:NTFS clusters:512
Total: 19 995 622 912 [19G] - Free: 11 688 782 848 [11G]

*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.0.2140.1 C:\WINNT\system32\notepad.exe
5.0.2140.1 C:\WINNT\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

Locked or 'Suspect' file(s) found...

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Can't open Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

2 - The system cannot find the file specified.

Contents of the .bat file that the .dat file is calling

@echo off
:start
echo > %1
del %1
if exist %1 goto start
del %0

Pieter_Arntz · Jun 10, 2004

In HijackThis click Config > Misc Tools > Generate Startuplist.
Post the text file it produces.

Regards,

Pieter

tcoltrane · Jun 10, 2004

Here is the hijack this startup list

StartupList report, 06/10/2004, 10:15:22 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Unable to get Internet Explorer version!
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tcoltrane\Desktop\spyware\procexp.exe
C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
sethook = cmd /c start /min cmd /c c:\dell\src_path.cmd
TCASUTIEXE = TCAUDIAG -off
madexe = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
MULTIMEDIA KEYBOARD = C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
Adaptec DirectCD = C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
OfficeScanNT Monitor = "C:\OfficeScan NT\pccntmon.exe" -HideWindow
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HP JetDiscovery = HPJETDSC.EXE

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\SSSTARS.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[{020f6116-407b-11d3-a3bb-00c04fa32518}]
InProcServer32 = C:\Program Files\Oracle\JInitiator 1.1.7.18\bin\beans.ocx
CODEBASE = http://cbcnt10.cbc-raleigh.com/jinit11718.exe

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[MetaStreamCtl Class]
InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Java Plug-in 1.3.0_02]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.0_02\bin\npjava130_02.dll
CODEBASE = http://webnt03.cbc-raleigh.com/Analyzer6_Server/j2re-1_3_0_02-win-i.exe

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38079.3004282407

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\system32\spool\DRIVERS\W32X86\2\New\EF3X2026.PDD|C:\WINNT\system32\spool\DRIVERS\W32X86\2\EF3X2026.PDD|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\system32\webcheck.dll

--------------------------------------------------
End of report, 6,686 bytes
Report generated in 0.170 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

tcoltrane · Jun 10, 2004

I checked the "List also minor sections" and "List empty sections" and ran it again. Thanks for looking at this. It really has me stumped.

StartupList report, 06/10/2004, 10:19:17 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Unable to get Internet Explorer version!
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tcoltrane\Desktop\spyware\procexp.exe
C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\tcoltrane\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
sethook = cmd /c start /min cmd /c c:\dell\src_path.cmd
TCASUTIEXE = TCAUDIAG -off
madexe = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
MULTIMEDIA KEYBOARD = C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
Adaptec DirectCD = C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
OfficeScanNT Monitor = "C:\OfficeScan NT\pccntmon.exe" -HideWindow
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HP JetDiscovery = HPJETDSC.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\system32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry key not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry key not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry key not found*

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\SSSTARS.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{020f6116-407b-11d3-a3bb-00c04fa32518}]
InProcServer32 = C:\Program Files\Oracle\JInitiator 1.1.7.18\bin\beans.ocx
CODEBASE = http://cbcnt10.cbc-raleigh.com/jinit11718.exe

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[MetaStreamCtl Class]
InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Java Plug-in 1.3.0_02]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.0_02\bin\npjava130_02.dll
CODEBASE = http://webnt03.cbc-raleigh.com/Analyzer6_Server/j2re-1_3_0_02-win-i.exe

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38079.3004282407

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
NameSpace #3: C:\WINNT\System32\nwprovau.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll
Protocol #18: C:\WINNT\system32\msafd.dll
Protocol #19: C:\WINNT\system32\msafd.dll
Protocol #20: C:\WINNT\system32\msafd.dll
Protocol #21: C:\WINNT\system32\msafd.dll
Protocol #22: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

aaatimeo: System32\DRIVERS\aaatimeo.sys (system)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: System32\DRIVERS\adpu160m.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
aic78u2: System32\DRIVERS\aic78u2.sys (system)
aic78xx: System32\DRIVERS\aic78xx.sys (system)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
cda1000: System32\DRIVERS\cda1000.sys (system)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
cmosa: System32\DRIVERS\cmosa.sys (system)
Crystal SoundFusion(tm) Driver: system32\drivers\cwcspud.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
3Com EtherLink XL B/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
3Com 3C90X-BC Family PCI EtherLink Adapter: System32\DRIVERS\el90Xbc5.SYS (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Fd16_700: System32\DRIVERS\fd16_700.sys (system)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FormScape2 Server: "C:\Program Files\FormScape2\Programs\fs2serv.exe" (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Santa Cruz Game Port: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
Service for AC'97 Driver (WDM): system32\drivers\ichaud.sys (manual start)
idebd: System32\DRIVERS\idebd.sys (system)
intelata: System32\DRIVERS\intelata.sys (system)
IntelIde: System32\DRIVERS\intelide.sys (system)
Microsoft IntelliPoint Features driver: System32\DRIVERS\IPFilter.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (autostart)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
mraid35x: System32\DRIVERS\mraid35x.sys (system)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Sidewinder HID to Joystick Port Enabler: System32\DRIVERS\msgame.sys (manual start)
Multimedia Keyboard Filter Driver: System32\DRIVERS\msikbd2k.sys (system)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
MTsensor: System32\DRIVERS\MTsensor.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Netropa NHK Server: C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
OfficeScanNT RealTime Scan: C:\OfficeScan NT\ntrtscan.exe (autostart)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Sparrow: System32\DRIVERS\sparrow.sys (system)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Santa Cruz Driver: system32\drivers\tbcspud.sys (manual start)
Santa Cruz WDM Driver: system32\drivers\tbcwdm.sys (manual start)
tcaicchg: \??\C:\WINNT\System32\tcaicchg.sys (autostart)
TCAITDI Protocol: System32\DRIVERS\TCAITDI.sys (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Trend Micro Filter: \??\C:\OfficeScan NT\TmFilter.sys (autostart)
OfficeScanNT Listener: C:\OfficeScan NT\tmlisten.exe (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Trend Micro VSAPI NT: \??\C:\OfficeScan NT\VSApiNt.sys (autostart)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe -service (manual start)
Windows Time: %SystemRoot%\System32\services.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (manual start)
WMDM PMSP Service: C:\WINNT\System32\mspmspsv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\system32\spool\DRIVERS\W32X86\2\New\EF3X2026.PDD|C:\WINNT\system32\spool\DRIVERS\W32X86\2\EF3X2026.PDD|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\system32\webcheck.dll

--------------------------------------------------
End of report, 29,933 bytes
Report generated in 0.200 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Pieter_Arntz · Jun 10, 2004

My eyes are getting blurry and I still can't see it.

Can you send me a copy of such a .dat file?
pieterATwilderssecurity.org (replace AT with @)

Regards,

Pieter

tcoltrane · Jun 15, 2004

Pieter, Did you get the .dat files I sent? I haven't gotten any further with it on my end. So far I have found 3 different types of .dat files that are showing up in my temp directory. One redirects the browser to myexexex.com, one opens a new browser window which goes to casinopallazo.com and puts shortcuts to that site in my favorites and on my desktop and the third one creates a file named winwildapp.exe in my temp directory, but doesn't appear to do anything else. The antivirus software I have on this computer identifies the .dat file that does the casino pallazo stuff as TROJ_DIALER.BH and deletes it. It is still only happening twice a day when I first open the browser, usually after a few clicks. Any help would be greatly appreciated. I have run out of things to try.

Pieter_Arntz · Jun 15, 2004

I did have a loook at the .dat files and sent them on for analysis.
I have not heard anything back. I'll politely send a little reminder.
What I thought was: they looked like dll files to me, so maybe part of the process is they get renamed to dll?

Have a look here and try if the Rootkitdetector finds something: http://bagpuss.swan.ac.uk/comms/hxdef.htm

Regards,

Pieter

tcoltrane · Jun 16, 2004

Pieter,

RootKitDetector didn't find anything, but I have made progress. In reading through the threads about casino pallazo, someone (it might have been you) suggested looking for a file named jsconsole.dll. When I looked I found that file in my c:\windows\system32 and c:\windows folders. I deleted them (I saved a copy just in case) and have not had a problem since - no redirects or .dat files showing up in my temp folder. While thinking about it a few minutes ago it occured to me that something had to be calling that dll. In a different thread you suggested using a Registry Search Tool from http://www.billsway.com/vbspage/ . I downloaded that and ran it for jsconsole.dll. It found 2 registry entries. I'm posting the log below. I'd like to make sure I have completely removed this problem. Do you have any suggestions for other places I should look and would it be wise to delete these registry settings?

REGEDIT4
; REGSRCH.VBS © Bill James

; Registry search results for string "jsconsole.dll" 06/16/2004 3:29:20 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA44CF4B-85C0-4B3F-BD0D-ECE5A069B9E0}\InprocServer32]
@="C:\\WINNT\\system32\\jsconsole.dll"

[HKEY_USERS\S-1-5-21-1287937275-1086259303-1848903544-2085\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="jsconsole.dll"

tcoltrane · Jun 21, 2004

Pieter,

I see that the latest version of CWShredder includes a fix for the jsconsole variant. I've yet to see the problem appear on my machine again so I feel confident that it is fixed. Thank you so much for your help with this. I couldn't have fixed it without this forum. I saved a copy of the jsconsole.dll in case anyone wants it for analysis.

Thanks again.

Pieter_Arntz · Jun 21, 2004

Hi tcoltrane,

I did receive a copy of jsconsole.dll yesterday and registered it on my testcomputer. But nothing happened. I have the feeling there is still one piece of the puzzle missing.

Did you check if there were any other files created around the same time on your computer?

The first registry entry can be deleted, the second one only indicates that you did a find files for that file on your computer.

Regards,

Pieter

tcoltrane · Jun 22, 2004

Pieter,

I can't tell about the time created, but their are several files on my system with an identical time modified.

kernel32.dll C:\WINNT\Driver Cache\I386
winsrv.dll C:\WINNT\Driver Cache\I386
asclictrls.ocx C:\WINNT\SYSTEM32
BASESRV.DLL C:\WINNT\SYSTEM32
GDI32.DLL C:\WINNT\SYSTEM32
KERNEL32.DLL C:\WINNT\SYSTEM32
MSGINA.DLL C:\WINNT\SYSTEM32
swix.ocx C:\WINNT\SYSTEM32
USER32.DLL C:\WINNT\SYSTEM32
USERENV.DLL C:\WINNT\SYSTEM32
WIN32K.SYS C:\WINNT\SYSTEM32
WINSRV.DLL C:\WINNT\SYSTEM32
WWWBar.dll C:\WINNT\SYSTEM32
BASESRV.DLL C:\WINNT\SYSTEM32\dllcache
GDI32.DLL C:\WINNT\SYSTEM32\dllcache
kernel32.dll C:\WINNT\SYSTEM32\dllcache
MSGINA.DLL C:\WINNT\SYSTEM32\dllcache
USER32.DLL C:\WINNT\SYSTEM32\dllcache
USERENV.DLL C:\WINNT\SYSTEM32\dllcache
winsrv.dll C:\WINNT\SYSTEM32\dllcache

I would be happy to send you any or all of these.

Pieter_Arntz · Jun 23, 2004

Hi tcoltrane,

Could you send me these files:
asclictrls.ocx
swix.ocx
WWWBar.dll

Preferably zipped up to pieterATwilderssecurity.org (replace AT with @)

Regards,

Pieter

tcoltrane · Jun 23, 2004

The files have been sent. Let me know if you need anything else.

Thanks for all your help on this.

Pieter_Arntz · Jun 23, 2004

I must have an eye for it.

All three files are upx packed and protected against unpacking.
I will have to send them on to some specialists.
But I will let you know.

Regards,

Pieter

Log in or Sign up

Can't fix spad/myexexex

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

Log in or Sign up

Can't fix spad/myexexex

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

tcoltrane Registered Member

Pieter_Arntz Spyware Veteran

Useful Searches