Something CW Shredder and HIJACKTHIS can't remove -> Hijack log

[soni]

Hi there, yo guys have been helping me out last time. Many thanks for that. I was able to remove some trash by myself because of your nice tips. But somehow, I encountered a nasty one. It directs to a search engine called searchx.cc. Sometimes, it just pops up. I can't remove it with CW shredder or Hijack this (it comes back all the time). Hopefully you guys can help me. Many thanks in advance!!

Logfile of HijackThis v1.97.7
Scan saved at 1:29:13, on 7-4-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {50642A3F-8DEE-4FBB-BC50-F87573F6FBAC} - C:\WINDOWS\System32\mockp.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [brcxhdc] "C:\WINDOWS\System32\brcxhdc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKLM\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2228053-328D-4BDF-8316-98BEBD6189DC}: NameServer = 194.134.5.5 194.134.5.55

 

[Flrman1]

CWShredder should remove this. First make sure you have the latest version. Open CWShredder and make sure you have version 1.55.0. If that is not the version you have click on the "Check for update" button and download the updated version and run it.

 

[soni]

Thanks for the fast reply. I have the lastest version (15.5 as you said). That's the strange thing, it can detect it, there are 6 internet pages restored and fixed (should be the first 6 things in my hijackthis log). But whenever I open a new IE Browser, it pops up again. Should reset me PC or something?

 

[Flrman1]

You have to restart your computer after running CWShredder. If you didn't do that you need to run CWShredder again and restart your computer. After you've done that if they're still there we will remove it manually.

 

[soni]

Okay, I did what you said. Closed all my browsers and ran it again. Then restarted my PC. It's still here! Can you tell me how to remove it manually? Thanks in advance. It's quite late now, if you can tell me the instructions to remove it, I will post the results later this day. Tnx a lot again!

 

[Flrman1]

First please do this:

Navigate to the C:\WINDOWS\system32 folder and locate the mockp.dll file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder. Now do the same with the C:\WINDOWS\System32\rundl.exe file. Attach copies of those zipped folders and send them to me here. Please include a link to this thread so I'll remember where they came from.

These files may be hidden so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mockp.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

O2 - BHO: (no name) - {50642A3F-8DEE-4FBB-BC50-F87573F6FBAC} - C:\WINDOWS\System32\mockp.dll

O4 - HKLM\..\Run: [brcxhdc] "C:\WINDOWS\System32\brcxhdc.exe"

O4 - HKLM\..\Run: [rundl.exe] C:\WINDOWS\System32\rundl.exe

O4 - HKLM\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe

O4 - HKCU\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

Restart to safe mode.

How to start your computer in safe mode

Now find and delete:

The C:\WINDOWS\System32\rundl.exe file
The C:\WINDOWS\System32\brcxhdc.exe file
The C:\WINDOWS\System32\mockp.dll file

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

 

[soni]

Hi hi there. I think everything worked, coz it doesn't pop up anymore. For now it's solved! Many thanks for that. Currently, I am installing the windows update packs. Tnx for the advice!

 

[Flrman1]

My pleasure!

Thanks for sending the files.

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".

 

[Flrman1]

I reopened your thread since you posted in the other one and I believe you insinuated that CWS had returned.

There was another new version of CWShredder that was released this afternoon. Let's see if it will remove this. Open CWShredder and click on the "Check for update" button. Download and run the new version.

 

[soni]

Hi there flrman. As Khaom I tried everything. I downloaded PV, like you said in post #52, I have the log. Can you please tell me with files I should edit with killswitch? Thanks a lot.


Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1015808 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Windows Verkenner
ntdll.dll 77f40000 716800 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor NT-laag
kernel32.dll 77e40000 978944 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor Windows NT BASE API-client
msvcrt.dll 77be0000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
ADVAPI32.dll 77da0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Geavanceerde Windows 32 basis-API
RPCRT4.dll 77c90000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-1148) Remote Procedure Call Runtime
GDI32.dll 77c40000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
USER32.dll 77d10000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor Windows XP USER API-client
SHLWAPI.dll 77290000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell lichtgewicht hulpprogrammabibliotheek
SHELL32.dll 77390000 8388608 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Gemeenschappelijk DLL-bestand van Windows Shell
ole32.dll 77170000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-1148) Microsoft OLE voor Windows
OLEAUT32.dll 770e0000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
BROWSEUI.dll 75f20000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser-bibliotheek voor gebruikersinterface
SHDOCVW.dll 76970000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2600.0000 (xpclient.010817-1148) Objecten- en besturingselementenbibliotheek Shell Doc
UxTheme.dll 5b190000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) DLL-bestand Microsoft UxTheme
IMM32.DLL 76330000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
LPK.DLL 62e40000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72f10000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor
resblkc.dll 61c00000 61440 c:\windows\system32\resblkc.dll
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
comctl32.dll 77300000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
appHelp.dll 75ee0000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 76f90000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
COMRes.dll 77010000 839680 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77bd0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 765c0000 327680 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Gebruikersinterface voor caching aan clientzijde
CSCDLL.dll 765a0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Off line netwerk-agent
themeui.dll 5ba50000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Thema-API
Secur32.dll 76f50000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
MSIMG32.dll 76320000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
USERENV.dll 75a10000 671744 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
msutb.dll 60070000 221184 C:\WINDOWS\System32\msutb.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor MSUTB-server
MSCTF.dll 746a0000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor MSCTF-server
netapi32.dll 71bb0000 323584 C:\WINDOWS\System32\netapi32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
LINKINFO.dll 76930000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76940000 151552 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell-uitbreidingen voor delen
ATL.DLL 76ad0000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
RASAPI32.dll 76ea0000 225280 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-1148) RAS-API
rasman.dll 76e50000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
WS2_32.dll 1440000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 1460000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0-helper voor Windows NT
TAPI32.dll 76e70000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor Microsoft® Windows(TM) TAPI-client
rtutils.dll 76e40000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
WINMM.dll 76af0000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5d1a0000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave-stuurprogramma
umdmxfrm.dll 5b4c0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
wininet.dll 761a0000 622592 C:\WINDOWS\system32\wininet.dll 6.00.2600.0000 (xpclient.010817-1148) Internet-extensies voor Win32
CRYPT32.dll 76260000 569344 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto-API32
MSASN1.dll 76240000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
msi.dll 763a0000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
WINSTA.dll 76300000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
webcheck.dll 74ab0000 270336 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Website Monitor
stobject.dll 74a80000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray-shellserviceobject
BatMeter.dll 74a70000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) DLL-bestand voor helper van accumeter
POWRPROF.dll 74a50000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
SETUPAPI.dll 76620000 950272 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
WTSAPI32.dll 76f10000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
NETSHELL.dll 75c90000 1654784 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Shell voor Netwerkverbindingen
credui.dll 76bc0000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Gebruikersinterface van referentiebeheer
iphlpapi.dll 76d20000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP-helper-API
netman.dll 76da0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Netwerkverbindingsbeheer
MPRAPI.dll 76d00000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e00000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor routerlaag van Active Directory
adsldpc.dll 76dd0000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL-bestand
WLDAP32.dll 76f20000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
SAMLIB.dll 71b80000 69632 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
WZCSvc.DLL 76d60000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration-service
WMI.dll 76cf0000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d40000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client-service
DNSAPI.dll 76ee0000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
nView.dll 10000000 1204224 C:\WINDOWS\System32\nView.dll 6.14.10.5303 NVIDIA nView Desktop and Window Manager 53.03
PSAPI.DLL 76bb0000 45056 C:\WINDOWS\System32\PSAPI.DLL 5.1.2600.0 (XPClient.010817-1148) Process Status Helper
printui.dll 74b00000 544768 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) DLL-bestand voor gebruikersinterface voor afdrukken
WINSPOOL.DRV 72f70000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spoolerstuurprogramma
CFGMGR32.dll 74a60000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
MPR.dll 71aa0000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL-bestand voor multiple-providerrouter
RASDLG.dll 754d0000 663552 C:\WINDOWS\System32\RASDLG.dll 5.1.2600.0 (xpclient.010817-1148) API voor algemene dialoogvensters van RAS
nvwddi.dll 1d60000 53248 C:\WINDOWS\System32\nvwddi.dll 6.14.10.5303 NVIDIA nView Display Driver Interface Lib, Version 53.03
drprov.dll 75f00000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71ba0000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager
NETUI0.dll 71c60000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI-klassen
NETUI1.dll 71c20000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c10000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f10000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client-dll
wdmaud.drv 72c90000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72c80000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft-geluidstoewijzing
MSACM32.dll 77bb0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Audiofilter voor Microsoft Audiocompressiebeheer
midimap.dll 77ba0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI-mapper
SXS.DLL 75e30000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
shdoclc.dll 76110000 573440 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Objecten- en besturingselementenbibliotheek Shell Doc
browselc.dll 723c0000 77824 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser-bibliotheek voor gebruikersinterface
jccatch.dll 1ad0000 65536 C:\PROGRA~1\FlashGet\jccatch.dll 1, 1, 4, 0 jccatch Module
urlmon.dll 76090000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) OLE32-extensies voor Win32
DUSER.dll 6c6a0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine
MSGINA.dll 75910000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Dll-bestand GINA voor Windows NT-aanmelding
ODBC32.dll 1f7b0000 200704 C:\WINDOWS\System32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 76350000 286720 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) DLL voor gedeelde dialoogvensters
odbcint.dll 1f850000 98304 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC-bronnen
NTMARTA.DLL 76ca0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.0 (xpclient.010817-1148) Windows NT MARTA-provider
mstask.dll 73540000 262144 C:\WINDOWS\System32\mstask.dll 4.71.2600.1 (xpclient.010817-1148) DLL-interfacebestand voor Taakplanner
OLEPRO32.DLL 5f230000 106496 C:\WINDOWS\System32\OLEPRO32.DLL 5.0.5014 Microsoft (R) OLE Property Support DLL
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
AcroIEHelper.ocx b40000 32768 C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
WINTRUST.dll 76bf0000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) API's voor Microsoft-vertrouwenslijstcontrole
IMAGEHLP.dll 76c50000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
asfsipc.dll 70f20000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 60a50000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74e20000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
wshNL.DLL 59100000 57344 C:\WINDOWS\System32\wshNL.DLL 5.6.0.6626 Internationale bronnen van Microsoft (r) Windows Script Host
MCPS.DLL 365a0000 86016 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
MSVCP60.DLL 76020000 397312 C:\WINDOWS\System32\MSVCP60.DLL 6.00.8972.0 Microsoft (R) C++ Runtime Library

 

[$teve]

c:\windows\system32\resblkc.dll

 

[Flrman1]

I reopened this thread for you several days ago when I got your PM so you could continue this here. I have split your post off from khaom's thread and moved it here with your original thread. Please continue this here.

 

[Flrman1]

If you do not already have it Click here to download CWShredder. UnZip the file, but do not run it yet.

Now download TheKillbox from here:

http://download.broadbandmedic.com/VbStuff/KillBox.zip

Unzip the files to the folder of your choice.

Now go offline and Do Not go back online until these procedures are completed.

Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\resblkc.dll

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\windows\system32\resblkc.dll listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to restart, go ahead and restart.


Finally run CWShredder. Just click on the cwshredder.exe and then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.


When you're back in windows, check to see if there's any change in the search problem and report back. Please also post a new Hijack This log. along with a new runme.bat log.

 

[$teve]

That really does your eyes in Mark dont it?

 

[Flrman1]

That really does your eyes in Mark dont it?

Yes it does!