Author Topic: HAXDOOR-BGN (Found the root problem!)  (Read 17976 times)


Fishbomb

  • Guest
HAXDOOR-BGN (Found the root problem!)
« on: March 31, 2005, 08:50:19 AM »
First of all, hi there everyone! I'm new to this forum. I had downloaded Avast just a week before this problem happened and I'm still on the test week before paying the registration fee. I used to just rely on firewalls and online virus scanners before, but I finally decided on this system just because my friends really like it.

So bear in mind that I am not at all familiar with the avast process of doing things.

Anyway, two days ago I changed internet providers. And stupid as I am, this must have meant that my firewalls were down, because I contracted a virus almost immediately. This is nothing new to me, I've had viruses before, and have always managed to root them out, but this time I am stumped.

I am writing this from the computer at work, because I can't use my infected computer at home, so everything I write is from either memory or from my set of itty bitty notes. So forgive any confusion.

---

I use Windows XP Pro.

What happened was: On a small fansite for comic books, I must have contracted a virus. I did not accept anything, or click any links (I'm not stupid) but apparently it snuck in anyway.

It took over my computer. First it changed the wallpaper to one that advertised something called 'smart security' because obviously my computer was infected by trojans and viruses. All my shortcuts were erased and replaced with shortcuts to sites like 'home pharmacy' 'online poker' 'home mortages' and so on. It changed around everything so that it suited itself, task bars, shortcuts and so on. Other things I found were 'allcybersearch' and a program called 124489 which was the first thing that I noted, with a picture of a cute blonde as an icon.

I also think it tried to hijack my modem, but since I am not using a modem that did not work.

What it does is that every three to five minutes, my computer restarts itself. If I try to delete the temporary internet files where the virus lies, the computer restarts itself. If I try to shut down any suspicious system processes, they restart themselves, and then finally the computer restarts itself. If I try to open Internet Explorer, the computer restarts itself. I can not right click anymore, that has been disabled. Needless to say, I can not make any changes to wallpapers, users, links and so on...

When I run Avast (home user), it first located memory resident trojans (a LOAD of them, but the first one I remember was JS:TrojDnldr-1), mostly in the temporary internet files folder. So it did a boot scan. I was stupid enough to press 'remove' because I didn't know that you were not supposed to do that (I do now after having read this site). Hopefully not much has been damaged since they were temporary files... or the programs that the virus had added.

This did not help.

Yes, when I start Avast, the memory scans clean. But the computer is still obviously infected, because it still restarts after 3-5 minutes, so I have no time to run a thorough scan. Sometimes it catches a trojan, at other times not. It really hasn't much time to do anything, since I have rather many files.

.

So here is my problem. I can't do much on my PC at home since I can't go online with it. My first problem is to find out what makes it restart itself all the time. I had that trouble about half a year ago with the sasser virus (or something like it), but I managed to work that out by going online and seeing how I should solve it, and worked real fast in the few minutes that I had. It worked out fine. Now I do not have that option.

So please, post what information you need here and I will take notes and go home tonight and try to find them. I have heard people refer to a hijackthis-Log, can anyone please explain what this is, and how it is obtained?

I used to be competent with computers, but that was back when there still was DOS at the heart of everything... I know very little of how Windows XP works. Is there some sort of 'simple' failsafe mode when you start up the computer? If so, how do you get into it? Maybe that can help.

I miss DOS. I miss autoexec.bat and config.sys. Things felt simpler then *grins*.

I am going to continue searching this board (and the net) for information. Please, if anyone has any suggestions, I will be forever grateful.



« Last Edit: April 02, 2005, 05:58:02 PM by Fishbomb »

Fishbomb

  • Guest
Re: My computer keeps shutting itself down
« Reply #1 on: March 31, 2005, 09:51:16 AM »
Update: Well, found

http://www.blackviper.com

Hopefully it will help me some with the shutdown *grins*

Unfortunately it will not help with the fact that as soon as I try to go on the net, it shuts down. No way for me to download patches then...
« Last Edit: March 31, 2005, 10:00:23 AM by Fishbomb »

Spyros

  • Guest
Re: Explorer keeps shutting itself down
« Reply #2 on: March 31, 2005, 10:45:56 AM »
Quote
So please, post what information you need here and I will take notes and go home tonight and try to find them. I have heard people refer to a hijackthis-Log, can anyone please explain what this is, and how it is obtained?

Your system has definitely been hijacked.
Download Hijackthis from: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Press “Do a system scan and save a logfile”
Copy/paste it here.

Quote
If I try to shut down any suspicious system processes, they restart themselves, and then finally the computer restarts itself.
You can use ProcX for that (http://www.ghostsecurity.com/index.php?page=procx). But please post the hijackthis log first.

Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #3 on: March 31, 2005, 11:44:05 AM »
Thank you, will download it to a disk and take it home.

Meanwhile: More information! I am not the only one.

Check out this link:

http://insight.zdnet.co.uk/internet/security/0,39020457,2125434,00.htm

Read the replies and complaints underneath it, this is EXACTLY what has happened to me. I will try to use some of that advice to remove it.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Explorer keeps shutting itself down
« Reply #4 on: March 31, 2005, 04:01:59 PM »
Hi,

Just came across your posting.

If you go to the viruses and worms board, the first posting is called advice & tools for virus, malware and spyware removal. It's worth a read.

So is http://www.wilderssecurity.com/showthread.php?t=50662: this posting has a very clear step-through guide.

avast! should be part of your clean up procedure of course!

The anti-spyware programs mentioned (Spybot Search & Destroy and Ad-Aware) are also excellent for infections like this. They take care of most things automatically; HijackThis is useful for manual removal of anything remaining, but be careful how you use it.

You can get into safe mode in Windows by tapping F8 while booting.

Good luck

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #5 on: March 31, 2005, 10:29:43 PM »
Yep, been reading up like mad on this and printed out a lot at work. Now I am actually able to at least get on the net in safe mode!!

But I am encountering some problems along the way, so first here is my Hijackthingy. Despair at my system *blushes a bit embarrassed* It was fine two days ago! Really!

---

Logfile of HijackThis v1.99.1
Scan saved at 22:26:05, on 2005-03-31
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program\Alwil Software\Avast4\ashSimpl.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\Rar$EX02.328\HijackThis.exe


Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #6 on: March 31, 2005, 10:30:23 PM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\Program\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\Program\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
O1 - Hosts: 127.0.0.3 sp2fucked.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com

Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #7 on: March 31, 2005, 10:30:41 PM »

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22D1C479-8553-4C97-A52F-E488E41179AE} - C:\WINDOWS\System32\dkfc.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {5327ABC3-425C-4983-2104-6B03F0B0CEBC} - C:\WINDOWS\System32\yum.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\Program\DELADE~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program\Toolbar\toolbar.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\Program\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program\DELADE~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6BA5ABB1-98C3-4C28-B071-0B83967B72E6}\SVCHOST.EXE
O4 - HKLM\..\Run: [TBPS] C:\Program\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [Svd] C:\WINDOWS\System32\Fau.exe
O4 - HKLM\..\Run: [Ost] C:\WINDOWS\System32\Crk.exe
O4 - HKLM\..\Run: [Jjj] C:\WINDOWS\System32\Rrj.exe
O4 - HKLM\..\Run: [Unm] C:\WINDOWS\System32\Rol.exe
O4 - HKLM\..\Run: [Tpp] C:\WINDOWS\System32\Cmt.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Bar.exe
O4 - HKLM\..\Run: [Ojv] C:\WINDOWS\Lgm.exe
O4 - HKLM\..\Run: [Hag] C:\WINDOWS\Hmk.exe
O4 - HKLM\..\Run: [Iuv] C:\WINDOWS\Tic.exe
O4 - HKLM\..\Run: [Kfj] C:\WINDOWS\System32\Rjn.exe
O4 - HKLM\..\Run: [Ckf] C:\WINDOWS\System32\Aue.exe
O4 - HKLM\..\Run: [Hgf] C:\WINDOWS\System32\Tnc.exe
O4 - HKLM\..\Run: [Vfk] C:\WINDOWS\System32\Nlt.exe
O4 - HKLM\..\Run: [Itp] C:\WINDOWS\System32\Qlt.exe
O4 - HKLM\..\Run: [Lgj] C:\WINDOWS\System32\Maa.exe
O4 - HKLM\..\Run: [Htk] C:\WINDOWS\System32\Qqu.exe
O4 - HKLM\..\Run: [Hcl] C:\WINDOWS\System32\Hku.exe
O4 - HKLM\..\Run: [Hsl] C:\WINDOWS\Quc.exe
O4 - HKLM\..\Run: [Ijg] C:\WINDOWS\Afu.exe
O4 - HKLM\..\Run: [Hvd] C:\WINDOWS\System32\Lcu.exe
O4 - HKLM\..\Run: [Kdi] C:\WINDOWS\Hlm.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Mbp] C:\WINDOWS\Nns.exe
O4 - HKLM\..\Run: [Anf] C:\WINDOWS\System32\Gjr.exe
O4 - HKLM\..\Run: [Uea] C:\WINDOWS\System32\Nap.exe
O4 - HKLM\..\Run: [Jgm] C:\WINDOWS\Vfg.exe
O4 - HKLM\..\Run: [Bjo] C:\WINDOWS\System32\Kdo.exe
O4 - HKLM\..\Run: [Lrj] C:\WINDOWS\System32\Vbb.exe
O4 - HKLM\..\Run: [Jjl] C:\WINDOWS\System32\Fbd.exe
O4 - HKLM\..\Run: [Mac] C:\WINDOWS\System32\Kcv.exe
O4 - HKLM\..\Run: [Uci] C:\WINDOWS\System32\Dec.exe
O4 - HKLM\..\Run: [Ssg] C:\WINDOWS\Vui.exe
O4 - HKLM\..\Run: [Kdo] C:\WINDOWS\System32\Ldj.exe
O4 - HKLM\..\Run: [Eoc] C:\WINDOWS\System32\Esv.exe
O4 - HKLM\..\Run: [Evl] C:\WINDOWS\Olk.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [Dcs] C:\WINDOWS\Tof.exe
O4 - HKLM\..\Run: [Fcc] C:\WINDOWS\System32\Jca.exe
O4 - HKLM\..\Run: [Oom] C:\WINDOWS\Hbf.exe
O4 - HKLM\..\Run: [Kqs] C:\WINDOWS\Inf.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/se/win/QuickTimeInstaller.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.aftonbladet.se/it/special/command/cod/cabs/cssweb.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\Program\Toolbar\toolbar.dll
O18 - Filter: text/html - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O18 - Filter: text/plain - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe


Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #8 on: March 31, 2005, 10:46:26 PM »
Phew, took three tries to actually post it all!

Now for the strange problems that I encounter:

For removing the SmartSecurity thingy that locks up everything, I got the following advice from the site I linked to above. I was supposed to go into the screen properties, go to the webtab section and disable the one called 'security'.

However, I had no active things in the webtab. Moreso, I am unable to change any settings for my wallpaper. My right click function is disabled, and that part of the customization menu is just locked.

I caught 54 different files with trojans I think when I ran the Avast at startup (booting).  They were Win32:Exdl[Adw], Win32:Trojan-gen{ve}, and Win32:Trojan-gen{other}. I was not able to repair any file and moved them to the chest.

Now however I can not look inside the chest. I get the RPC com failed message.

Also: I can not start the Win XP firewall. Every time I try to enable it, I get the error message that it can not activate shared (struggles for English words since I am Swedish)... something. It is error 1060 and it tells me that the service is not installed. But this worked 3 days or so ago, when I had a firewall...

I can not get any logfiles from either Avast or Spybot, just error messages.

When I do a normal scan with Avast I get a whole load of files that avast says that it can not scan because they are password protected. And it is the very same files that I suspect are hiding stuff, since I recognized a few of the names. Hello, sextracker anyone?

...

Right now what worries me the most is where I should start.

Should I start by downloading updated security patches on an infected system?

How can I get a working firewall so I at least do not pick up any more viruses?

Where should I start since the normal ways seem to have been sabotaged for me...

I do not dare to leave the secure mode for now. The PC crashes otherwise, and I am quite confident that I haven't got half the stuff yet.

Please advise, I'll keep reading and trying things, but unfortunately so many of them do not seem to work on this SmartSecurity thing. The only advice I had found so far is in the thread above.

Please, if anyone has more information about that I would be overjoyed. Trojans are one thing, but that hijacking commercial program taking over everything is just plain insulting.

Thanks for the help.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Explorer keeps shutting itself down
« Reply #9 on: March 31, 2005, 11:16:32 PM »
Dealing with the hijackthis log contents first, you have a lot of problems.

The items on hosts (O1 items): are these entries that you created? If so, leave them.

Once you have fixed those mentioned, do another scan and post the log file contents again.

Extract of Eddy's log file analyser:

CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :
--------------------------------------------------------------------------------
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

--------------------------------------------------------------------------------
GENERAL INFORMATION :
--------------------------------------------------------------------------------
All items in the original HijackThis log file which are not shown here need further investigation.

Tutorial on the hijackthislog : http://members.home.nl/edeijl/

Use www.google.com to find out more on items not listed here or if you have doubts.

In addition to this application, you can also analyze the original HijackThis log online at: http://hijackthis.de

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\internet explorer\search
searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search
searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search
homeoldsp = about:blank
r1 - hklm\software\microsoft\internet explorer\main
homeoldsp = about:blank
r1 - hkcu\software\microsoft\internet connection wizard
r0 - hkcu\software\microsoft\internet explorer\toolbar
r3 - default urlsearchhook is missing
o1 - hosts: 127.0.0.3 n-glx.s-redirect.com
o1 - hosts: 127.0.0.3 x.full-tgp.net
o1 - hosts: 127.0.0.3 counter.sexmaniack.com
o1 - hosts: 127.0.0.3 autoescrowpay.com
o1 - hosts: 127.0.0.3 www.autoescrowpay.com
o1 - hosts: 127.0.0.3 www.awmdabest.com
o1 - hosts: 127.0.0.3 www.sexfiles.nu
o1 - hosts: 127.0.0.3 awmdabest.com
o1 - hosts: 127.0.0.3 sexfiles.nu
o1 - hosts: 127.0.0.3 allforadult.com
o1 - hosts: 127.0.0.3 www.allforadult.com
o1 - hosts: 127.0.0.3 www.iframe.biz
o1 - hosts: 127.0.0.3 iframe.biz
o1 - hosts: 127.0.0.3 www.newiframe.biz
o1 - hosts: 127.0.0.3 newiframe.biz
o1 - hosts: 127.0.0.3 www.vesbiz.biz
o1 - hosts: 127.0.0.3 vesbiz.biz
o1 - hosts: 127.0.0.3 www.pizdato.biz
o1 - hosts: 127.0.0.3 pizdato.biz
o1 - hosts: 127.0.0.3 www.aaasexypics.com
o1 - hosts: 127.0.0.3 aaasexypics.com
o1 - hosts: 127.0.0.3 www.virgin-tgp.net
o1 - hosts: 127.0.0.3 virgin-tgp.net
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o4 - hklm\..\runservices: [microsoft update] lsac.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o16 - dpf: yahoo! chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/se/win/quicktimeinstaller.exe
o16 - dpf: {79849612-a98f-45b8-95e9-4d13c7b6b35c} (loader2 control) - http://iframedollars.biz/tb/loader2.ocx
o16 - dpf: {9eb320ce-be1d-4304-a081-4b4665414bef} (mediaticketsinstaller control) - http://www.mt-download.com/mediaticketsinstaller.cab?refid=2732
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} (yaddbook class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
o16 - dpf: {c81b5180-afd1-41a3-97e1-99e8d254db98} (css web installer class) - http://www.aftonbladet.se/it/special/command/cod/cabs/cssweb.cab
« Last Edit: March 31, 2005, 11:24:08 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
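
Added example (not part of the original thread, and not Eddy's log file analyser): a small Python triage over HijackThis item lines, run on a few lines copied from the log posted above. The three heuristics and every function name are assumptions chosen for illustration; a flag means "review this entry", not a verdict.

```python
import re
from collections import Counter

# Constructed sample: a handful of item lines copied from the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
O1 - Hosts: 127.0.0.3 www.iframe.biz
O2 - BHO: (no name) - {22D1C479-8553-4C97-A52F-E488E41179AE} - C:\WINDOWS\System32\dkfc.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\keep.exe
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Bar.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autoruns: Run, RunServices, RunOnce ...
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Heuristic (assumption): three-letter value name launching a three-letter
# .exe directly from C:\WINDOWS or System32, the pattern repeated in this log.
SHORT_NAME_RE = re.compile(r"^[A-Za-z]{3}$")
SHORT_EXE_RE = re.compile(r"^C:\\WINDOWS\\(?:System32\\)?[A-Za-z]{3}\.exe$",
                          re.IGNORECASE)


def parse(log_text):
    """Yield (section_code, body) per item line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def reasons_for(code, body):
    """Return the list of review reasons for one item (empty list = not flagged)."""
    reasons = []
    if TEMP_RE.search(body):
        reasons.append("temp-path")            # code loaded from a Temp folder
    if code == "O1":
        m = HOSTS_RE.match(body)
        if m and (m.group(1), m.group(2)) != ("127.0.0.1", "localhost"):
            reasons.append("hosts-override")   # did the user add this entry?
    if code == "O4":
        m = RUN_RE.match(body)
        if m:
            name, cmd = m.group(2), m.group(3)
            if "\\" not in cmd:
                reasons.append("autorun-without-path")  # resolved via search path
            if SHORT_NAME_RE.match(name) and SHORT_EXE_RE.match(cmd):
                reasons.append("three-letter-name-pair")
    return reasons


def triage(log_text):
    """Return [(code, body, reasons)] for every item with at least one reason."""
    findings = []
    for code, body in parse(log_text):
        reasons = reasons_for(code, body)
        if reasons:
            findings.append((code, body, reasons))
    return findings


def summarize(findings):
    """Count how often each reason fired across all findings."""
    return Counter(r for _, _, reasons in findings for r in reasons)


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code:<3} {', '.join(reasons):<24} {body}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

The heuristics also hit legitimate entries (for example `nwiz.exe /install` in the full log has no path), so each flagged line still needs to be looked up before it is fixed.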

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Explorer keeps shutting itself down
« Reply #10 on: April 01, 2005, 09:24:07 AM »
You might find this interesting: this person seems to have been in the same situation as you, i.e. wallpaper hijacked by a "security" advertisement and invasion of Trojans.



http://www.pcflank.com/art46_1.htm



     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #11 on: April 01, 2005, 07:02:44 PM »
Logfile of HijackThis v1.99.1
Scan saved at 19:01:27, on 2005-04-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Bra att ha\hijackthis\HijackThis.exe
C:\WINDOWS\System32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22D1C479-8553-4C97-A52F-E488E41179AE} - C:\WINDOWS\System32\dkfc.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {5327ABC3-425C-4983-2104-6B03F0B0CEBC} - C:\WINDOWS\System32\yum.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\Program\DELADE~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program\Toolbar\toolbar.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\Program\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program\DELADE~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6BA5ABB1-98C3-4C28-B071-0B83967B72E6}\SVCHOST.EXE
O4 - HKLM\..\Run: [TBPS] C:\Program\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [Svd] C:\WINDOWS\System32\Fau.exe
O4 - HKLM\..\Run: [Ost] C:\WINDOWS\System32\Crk.exe
O4 - HKLM\..\Run: [Jjj] C:\WINDOWS\System32\Rrj.exe
O4 - HKLM\..\Run: [Unm] C:\WINDOWS\System32\Rol.exe
O4 - HKLM\..\Run: [Tpp] C:\WINDOWS\System32\Cmt.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Bar.exe
O4 - HKLM\..\Run: [Ojv] C:\WINDOWS\Lgm.exe
O4 - HKLM\..\Run: [Hag] C:\WINDOWS\Hmk.exe
O4 - HKLM\..\Run: [Iuv] C:\WINDOWS\Tic.exe
O4 - HKLM\..\Run: [Kfj] C:\WINDOWS\System32\Rjn.exe
O4 - HKLM\..\Run: [Ckf] C:\WINDOWS\System32\Aue.exe
O4 - HKLM\..\Run: [Hgf] C:\WINDOWS\System32\Tnc.exe
O4 - HKLM\..\Run: [Vfk] C:\WINDOWS\System32\Nlt.exe
O4 - HKLM\..\Run: [Itp] C:\WINDOWS\System32\Qlt.exe
O4 - HKLM\..\Run: [Lgj] C:\WINDOWS\System32\Maa.exe
O4 - HKLM\..\Run: [Htk] C:\WINDOWS\System32\Qqu.exe
O4 - HKLM\..\Run: [Hcl] C:\WINDOWS\System32\Hku.exe
O4 - HKLM\..\Run: [Hsl] C:\WINDOWS\Quc.exe
O4 - HKLM\..\Run: [Ijg] C:\WINDOWS\Afu.exe
O4 - HKLM\..\Run: [Hvd] C:\WINDOWS\System32\Lcu.exe
O4 - HKLM\..\Run: [Kdi] C:\WINDOWS\Hlm.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Mbp] C:\WINDOWS\Nns.exe
O4 - HKLM\..\Run: [Anf] C:\WINDOWS\System32\Gjr.exe
O4 - HKLM\..\Run: [Uea] C:\WINDOWS\System32\Nap.exe
O4 - HKLM\..\Run: [Jgm] C:\WINDOWS\Vfg.exe
O4 - HKLM\..\Run: [Bjo] C:\WINDOWS\System32\Kdo.exe
O4 - HKLM\..\Run: [Lrj] C:\WINDOWS\System32\Vbb.exe
O4 - HKLM\..\Run: [Jjl] C:\WINDOWS\System32\Fbd.exe
O4 - HKLM\..\Run: [Mac] C:\WINDOWS\System32\Kcv.exe
O4 - HKLM\..\Run: [Uci] C:\WINDOWS\System32\Dec.exe
O4 - HKLM\..\Run: [Ssg] C:\WINDOWS\Vui.exe
O4 - HKLM\..\Run: [Kdo] C:\WINDOWS\System32\Ldj.exe
O4 - HKLM\..\Run: [Eoc] C:\WINDOWS\System32\Esv.exe
O4 - HKLM\..\Run: [Evl] C:\WINDOWS\Olk.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [Dcs] C:\WINDOWS\Tof.exe
O4 - HKLM\..\Run: [Fcc] C:\WINDOWS\System32\Jca.exe
O4 - HKLM\..\Run: [Oom] C:\WINDOWS\Hbf.exe
O4 - HKLM\..\Run: [Kqs] C:\WINDOWS\Inf.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\Program\Toolbar\toolbar.dll
O18 - Filter: text/html - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O18 - Filter: text/plain - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe


Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #12 on: April 01, 2005, 07:07:41 PM »
Well, I read through the Merijn.org guide to HijackThis, and the tips here, and removed some stuff.

However there are still a few issues where I am concerned:

I have a LOT of strange programs in O4. Most of these I am certain are spy related, but I am still not sure which ones I can remove. Any tips?

O15. Trusted IP range? I removed this, because honestly I don't want to trust anything anymore, but it comes back any time. Any tips? Should I be concerned?

O20. Is mine bad? It said to exercise caution with it...

...

I'll go and read up some more now, but PLEASE!! I can still not install any XP firewall (it refuses me).

Does anyone have a tip on something to do, or a nice free 3rd party firewall I can download in the meantime? I want to surf the net from this infected and unprotected wreck as little as I can.

I am so grateful for this site and you guys...

whocares

  • Guest
Re: Explorer keeps shutting itself down
« Reply #13 on: April 01, 2005, 07:35:07 PM »
Hi,

honestly, you'd be better off if you'd FLATTEN the system and reinstall it PROPERLY (see "VirusRemoval" below as how to do it)
-> you have loads of evil stuff in the startup, most of which are probably worms with BACKDOOR functionality: somebody might have full control over your PC, know all your passwords etc etc..
=> you'll never know if you've removed everything

but, if you want to try anyway:

0) reread the BACKDOOR-section of the link "VirusRemoval" below in my sig

if you still want to try:
1) disable system restore
2) reboot to safeMode (F8-Boot)
3) rescan with hijackthis, and fix everything that's marked red or yellow in this analysis (EXCEPT the avast-stuff):
http://hijackthis.de/logfiles/4c0397ab137ed0e373606129306ff83f.html
4) reboot to safeMode
5) install SPYBOT & AD-AWARE & scan & fix with them several times
6) reboot to safe Mode and do a full/complete/archive Scan with avast; if finds are not repairable, move them to chest
7) reboot to SafeMode and come back with a fresh HJT-Log
8) in the meantime, get the complete package of WIN-XP-SP2 (280MB) on CD (from microsoft-security site, from a CD of a PC-magazine, from a reliable friend with broadband); plus a free firewall, e.g. Kerio, sygate, outpost or ZoneAlarm

 ;)
« Last Edit: April 01, 2005, 07:40:12 PM by whocares »

whocares

  • Guest
Re: Explorer keeps shutting itself down
« Reply #14 on: April 01, 2005, 07:37:22 PM »
P.S.:
O20 - ..drct16.dll ...
=> EVIL !!

Google is your friend:
http://www.google.de/search?hl=de&q=drct16.dll&meta=
 ;)
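An added example, not part of any post in this thread: a small triage pass over the O4 autostart lines of the HijackThis log above. The four flag rules are assumptions chosen for this example (not HijackThis's or hijackthis.de's own logic); they mark entries for review and are not verdicts.

```python
import ntpath
import re

O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll))', re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

def parse_o4(line):
    """Return (key, value_name, command) for an O4 registry autostart line, else None."""
    m = O4_RE.match(line.strip())
    return m.groups() if m else None

def flags(name, command):
    """Heuristic review flags: assumptions of this example, not verdicts."""
    m = EXE_RE.match(command)
    target = (m.group(1) if m else command).lower()
    folder, exe = ntpath.dirname(target), ntpath.basename(target)
    checks = [
        ("runs-from-temp", "\\temp\\" in command.lower()),
        ("no-path", not folder and not exe.startswith("rundll32")),
        ("system-name-wrong-dir", exe in SYSTEM_NAMES and folder != r"c:\windows\system32"),
        ("random-3-letter-pair", bool(re.fullmatch(r"[A-Z][a-z]{2}", name)
         and re.fullmatch(r"c:\\windows\\(system32\\)?[a-z]{3}\.exe", target))),
    ]
    return [label for label, hit in checks if hit]

def triage(log_text):
    """Map each flagged O4 value name to its list of flags."""
    out = {}
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed and (found := flags(parsed[1], parsed[2])):
            out[parsed[1]] = found
    return out

# Lines copied from the HijackThis log posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6BA5ABB1-98C3-4C28-B071-0B83967B72E6}\SVCHOST.EXE
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll,DllInstall
"""

if __name__ == "__main__":
    for value_name, why in triage(SAMPLE).items():
        print(f"{value_name}: {', '.join(why)}")
```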