> ProcessExplorer:
> I only find two DLLs that I'm not certain what they do:
> - detoured.dll
> - wxvault.dll (Embassy Trust Suite by Wave Systems. Apparently installed
> by default by Dell)
Google for both DLL names, you will get plenty of hits.

detoured.dll, I bet that this is the culprit:
http://research.microsoft.com/sn/detours/

Detours is a library for intercepting arbitrary Win32 binary functions on x86 machines. Interception code is applied dynamically at runtime. Detours replaces the first few instructions of the target function with an unconditional jump to the user-provided detour function. Instructions from the target function are preserved in a trampoline function. The trampoline function consists of the instructions removed from the target function and an unconditional branch to the remainder of the target function. The detour function can either replace the target function or extend its semantics by invoking the target function as a subroutine through the trampoline.

Detours are inserted at execution time. The code of the target function is modified in memory, not on disk, thus facilitating interception of binary functions at a very fine granularity. For example, the procedures in a DLL can be detoured in one execution of an application, while the original procedures are not detoured in another execution ..

For instance Messenger Plus! uses detoured.dll. If so, remove Messenger Plus! and try again.
Messenger Plus! is an add-on for MSN Messenger. Messenger Plus! installs an OPTIONAL adware called C2Media which is also known as LOP.com.
%PROGRAM_FILES%\messenger plus! live\detoured.dll

Search your HDD for detoured.dll; if Messenger Plus! is not installed, try to find the application that uses it!!

BTW: Interesting sample: http://www.codeproject.com/internet/DnsHijack.asp

Also upload your wxvault.dll for an online check to
http://www.virustotal.com/flash/index_en.html and
http://www.avira.com/en/support/verdachtige_dateien_und_sonstige_uploads.html

---
Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Henrik wrote:
> Hi Arno!
>
> ProcessExplorer:
> I only find two DLLs that I'm not certain what they do:
> - detoured.dll
> - wxvault.dll (Embassy Trust Suite by Wave Systems. Apparently installed
> by default by Dell)
>
> Ethereal:
> I only get packages sent the first time. The second time the application
> hangs before anything has been sent...
>
> Best Regards
> Henrik
>
> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:twsocket-[EMAIL PROTECTED] On behalf of
> Arno Garrels
> Sent: 19 December 2006 16:24
> To: ICS support mailing
> Subject: Re: [twsocket] Freeze when using smtp after recreating
> itsparentform
>
> Henrik wrote:
>> Arno,
>>> Can you rule out that an application that has set a global hook is
>>> actually working correctly? i.e. RealVNC server injects a
>>> wm_hook.dll into each process space, if such interception was buggy
>>> one can imagine that it would hurt, ICS may be hit especially since
>>> TWSocket is being notified about socket events by window messages.
>>> View the DLLs linked to a process with ProcessExplorer:
>> http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
>>
>> I've downloaded the application above but I don't know how to proceed.
>> What am I looking for and how do I get that information in
>> ProcessExplorer?
>
> At first, my above question has a typo, it should read "Can you rule out
> that an application that has set a global hook is not working correctly?"
>
> Ok, start Wilfried's test app., in ProcessExplorer click on the ICS test
> application, the listview at the bottom will either list linked DLLs or
> handles, toggle the view to display DLLs. Take a closer look at any DLL
> that's not from Microsoft, for instance if Sygate personal firewall was
> running you would find a SSSensor.dll from Sygate Technologies, this is an
> injected DLL. Try to find its parent application or service and stop it
> unless you think that test program's process space is clean (you need to
> restart the test application to make changes visible).
>
>>
>>> It also may help to see a packet dump logged with Ethereal.
>>
> It's a packet logger/analyzer, it shows you exactly any byte that passes
> your nic. I would set a capture filter like "port 25 or port 53"
> to only get traffic on ports 25 and 53 logged. Start the capture and run the
> ICS test app. unless the error happens, close the test app., then stop the
> capture and save the log as Ethereal/tcpdump(*.cap,*.pcap), file format
> libpcap to a file, upload the log somewhere and post the link here.
>
>
> ---
> Arno Garrels [TeamICS]
> http://www.overbyte.be/eng/overbyte/teamics.html
>
> --
> To unsubscribe or change your settings for TWSocket mailing list
> please goto
> http://www.elists.org/mailman/listinfo/twsocket
> Visit our website at http://www.overbyte.be
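An added example, not part of this thread and not code from ICS, Microsoft Detours or Messenger Plus!, showing in Python the in-memory patch that the Detours description above refers to and how one can check for it: each exported entry point of a loaded module is compared with the clean on-disk copy, and when the first instruction has become an unconditional E9 jmp rel32 its target is decoded and checked against the module's own address range. The module layout, export names, load address and detour address are constructed sample data, not taken from any real process.

```python
"""Spot a Detours-style inline hook by diffing function entries.

Detours overwrites the first instructions of the target function with an
unconditional JMP (E9 rel32 on x86) to the detour function.  A defender who
has both the on-disk image and a snapshot of the loaded module can diff the
entry bytes of each export and decode where a patched entry now jumps.
Everything below is constructed sample data: a toy two-function module.
"""
import struct

# --- Constructed sample module (assumed values, not a real DLL) -------------
MODULE_BASE = 0x77D00000          # constructed load address of the module
MODULE_SIZE = 0x2000
DETOUR_VA = 0x10001234            # constructed address inside a hooking DLL

# Export table: name -> RVA.  Both functions start with the classic
# hot-patchable Windows prologue: mov edi,edi / push ebp / mov ebp,esp
EXPORTS = {"connect": 0x1000, "send": 0x1010}
PROLOGUE = bytes.fromhex("8bff558bec")            # 5 bytes


def _build_image(hooked):
    """Lay out a flat image of the toy module.  For every name in `hooked`
    (name -> target VA) the entry is overwritten with E9 rel32, which is the
    patch Detours applies in memory."""
    img = bytearray(MODULE_SIZE)
    for name, rva in EXPORTS.items():
        img[rva:rva + 5] = PROLOGUE
        img[rva + 5] = 0xC3                       # ret: keeps the toy function short
        if name in hooked:
            entry_va = MODULE_BASE + rva
            rel32 = hooked[name] - (entry_va + 5)  # rel32 is relative to the end of the jmp
            img[rva:rva + 5] = b"\xe9" + struct.pack("<i", rel32)
    return bytes(img)


DISK_IMAGE = _build_image({})                     # clean copy as read from the file
MEMORY_IMAGE = _build_image({"send": DETOUR_VA})  # what the process actually executes


# --- Detection ---------------------------------------------------------------
def decode_jmp_rel32(code, va):
    """Return the absolute target if `code` (located at `va`) starts with
    E9 rel32, otherwise None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel32) & 0xFFFFFFFF


def find_inline_hooks(disk, mem, base, size, exports):
    """Compare the first 5 bytes of every export in memory with the on-disk
    copy.  Each differing entry is reported together with the decoded jump
    target (if the new first instruction is E9 rel32) and whether that target
    lies outside the module, which is what a Detours hook looks like."""
    findings = []
    for name, rva in exports.items():
        on_disk, in_mem = disk[rva:rva + 5], mem[rva:rva + 5]
        if on_disk == in_mem:
            continue
        va = base + rva
        target = decode_jmp_rel32(in_mem, va)
        findings.append({
            "function": name,
            "entry_va": va,
            "original_bytes": on_disk.hex(),
            "patched_bytes": in_mem.hex(),
            "jmp_target": target,
            "leaves_module": target is not None and not (base <= target < base + size),
        })
    return findings


if __name__ == "__main__":
    for f in find_inline_hooks(DISK_IMAGE, MEMORY_IMAGE, MODULE_BASE, MODULE_SIZE, EXPORTS):
        where = f"{f['jmp_target']:#010x}" if f["jmp_target"] is not None else "not a jmp rel32"
        print(f"{f['function']} @ {f['entry_va']:#010x}: "
              f"{f['original_bytes']} -> {f['patched_bytes']}, "
              f"jmp to {where}, leaves module: {f['leaves_module']}")
```

On a real machine the "disk" bytes come from the module file and the "memory" bytes from a snapshot of the loaded module; the comparison itself is the same. A patched entry whose jump stays inside the module may be an ordinary relocation or hot-patch stub, so the `leaves_module` flag is what separates a third-party detour from benign differences.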
