CWS Problems (IT WONT STOP AHHH)

12 replies to this topic

#1 moifay

moifay

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 09 June 2004 - 01:08 PM

Hi, I have been having this problem for about a week. I used CWShredder; it worked for a while, then a few days later it comes back. In between that time I have had "Ad-Watch" watching the whole time, yet still, somehow, my page loads to "about:blank". Can anyone help me? PLEASE? :)


HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:57:30 AM, on 09/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
D:\WINDOWS\explorer.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\moifay\Desktop\Spyware Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SKOOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.vc.shawcable.net:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O15 - Trusted Zone: *.akamai.net
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab27571.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com...eeddelivery.dll
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.communitie...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - http://www.microsoft...hy/clearadj.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab


I'm also curious about the one that is repeated many times:

O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll


Any help would be awesome!

Thanks in advance,
Moifay
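As an added example (not part of the original post or of HijackThis itself), a small Python triage script that parses HijackThis-style log lines and flags the items a helper would look at first in the log above: the about:blank page entry, the unnamed BHO, the repeated unknown Winsock LSP file, and the wildcard trusted zone. The sample lines are a constructed subset copied from the log, and the flagging rules are my assumptions, not HijackThis's own logic.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\ua_lsp.dll
O15 - Trusted Zone: *.akamai.net
"""

# HijackThis entries look like "<section> - <body>", e.g. "O10 - Unknown file ...".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse(log: str):
    """Return (section, body) tuples for every recognised HijackThis entry."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(log: str):
    """Flag entries worth a second look (rules are assumptions for this example):
    R* entries pointing at about:blank, O2 BHOs with no name, O10 unknown LSP
    files (collapsed to one finding with a count), and O15 wildcard trusted zones."""
    findings = []
    lsp_counts = Counter()
    for sec, body in parse(log):
        if sec.startswith("R") and "about:blank" in body:
            findings.append(("about_blank_page", body))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("unnamed_bho", body))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            # Collapse the repeated lines: the same DLL is registered once per LSP chain entry.
            lsp_counts[body.split(":", 1)[1].strip().lower()] += 1
        elif sec == "O15" and "*" in body:
            findings.append(("wildcard_trusted_zone", body))
    for path, n in lsp_counts.items():
        findings.append(("unknown_lsp", f"{path} (listed {n} times)"))
    return findings
```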

#2 moifay

Posted 09 June 2004 - 01:31 PM

Also, I have updated Ad-aware 6, and it still doesn't catch anything? I don't understand this!!! How does it keep doing it???

#3 moifay

Posted 09 June 2004 - 02:26 PM

bump!!!

#4 moifay

Posted 09 June 2004 - 06:54 PM

I'm gonna try this "find all" app, gimme a few....

Edited by moifay, 09 June 2004 - 07:16 PM.


#5 moifay

Posted 09 June 2004 - 07:09 PM

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

09/06/2004
05:07 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
D: "MooKazoo" (ECA4:DA51) - FS:NTFS clusters:4k
Total: 15 348 338 688 [14G] - Free: 344 395 776 [328M]


*IE version and Service packs:
6.0.2800.1106 D:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 D:\WINDOWS\system32\notepad.exe
5.1.2600.0 D:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4490 D:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q828750;Q330994;Q824145;Q837009;Q832894;



Locked or 'Suspect' file(s) found...
\\?\D:\WINDOWS\System32\KBDH.DLL +++ File read error
\\?\D:\WINDOWS\System32\KBDH.DLL +++ File read error


Scanning for main Hijacker:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

#6 moifay

Posted 09 June 2004 - 08:54 PM

bump

#7 moifay

Posted 09 June 2004 - 09:18 PM

Locked or 'Suspect' file(s) found...
\\?\D:\WINDOWS\System32\KBDH.DLL +++ File read error <=== I don't even see this file on my computer??? Helpppp?

#8 moifay

Posted 09 June 2004 - 10:32 PM

bump

#9 moifay

Posted 10 June 2004 - 12:23 AM

bump

#10 moifay

Posted 10 June 2004 - 12:35 AM

This is so weird, I can't find what is causing it to reinstall, but every time I run CWShredder, it's "search.x" ????

#11 moifay

Posted 10 June 2004 - 12:54 AM

Can no one help me? hahahaha

#12 moifay

Posted 10 June 2004 - 01:23 AM

bump

#13 moifay

Posted 10 June 2004 - 02:10 AM

Wooot, I think I just got rid of it O_O Hoorah! I'll post a fix-it thing to help others.



Member of ASAP and UNITE
Support SpywareInfo Forum - click the button