CWS

#1 SirPeter
  • Full Member
  • 224 posts

Posted 17 June 2004 - 06:14 PM

CWSShredder didn't find anything, but CWS infected some of the svchosts when I viewed them in DOS.
Anyway, I hope someone can help me out ;)


PV log thingy:


Module information for 'Explorer.EXE'

Edited by SirPeter, 17 June 2004 - 06:56 PM.

Cute kitties rule the world

#2 SirPeter

Posted 17 June 2004 - 07:27 PM

edit*
Go away evil text
edit*

Edited by SirPeter, 18 June 2004 - 04:03 PM.


#3 SirPeter

Posted 18 June 2004 - 02:57 PM

Update:
Ignore my second post. I would have edited that post, but the forum won't let me use the edit button.
The internet almost died completely on me.
Cookies aren't working, smilies are dead, the internet is as slow as a 28.8k modem, and CoolWebSearch is still bugging me in svchost and the internet.

Also, I'm going to post a HJT log in here because I don't want to hear people telling me to post a log when I'm trying to make one single post in 2 hours. (Not even kidding here.)
Although I'm certain the log is clean.

Logfile of HijackThis v1.97.7
Scan saved at 20:41:46, on 18-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
J:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\WINDOWS\Explorer.EXE
J:\Program Files\Anti-Trojan-55\ATWatch.exe
D:\WINDOWS\System32\nvsvc32.exe
J:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Winamp3\winampa.exe
D:\WINDOWS\System32\ctfmon.exe
J:\Program Files\a2\a2guard.exe
J:\Program Files\Spybot - Search & Destroy 13\TeaTimer.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\mIRC\mirc.exe
D:\Program Files\Internet Explorer\iexplore.exe
J:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus] "D:\Program Files\Messenger Plus! Extension\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Anti-Trojan-Watch] J:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [TrojanScanner] J:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG_CC] J:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "J:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a²] "J:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Verjaardagen] D:\Program Files\Verjaardagen\Verjaardagen.exe auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] J:\Program Files\Spybot - Search & Destroy 13\TeaTimer.exe
O4 - Global Startup: PenCam SD 2Mega Monitor.lnk = D:\Program Files\PenCam SD 2Mega\ICON.exe
O4 - Global User Startup: PenCam SD 2Mega Monitor.lnk = D:\Program Files\PenCam SD 2Mega\ICON.exe
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojansca...an/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7577.7981134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...250/mcfscan.cab

#4 SirPeter

Posted 19 June 2004 - 07:50 PM

Update:
Kerio shows this:
Clickerdy click

After that I downloaded TCPView and killed the infected svchost entries and also the "cc115...:1700". After that I think I removed the CWS from active memory until a reboot. Although it's not gone when I open a browser (no surprise there).

CWS tries to redirect pages to somewhere, see link
Clickerdy click
Maybe I'll know more if I can figure out what those ... actually should have been, once IE can give me the full path of the URL that it tries to redirect to. Don't know how to make that happen though.

People on #privacy think CWS is using ADS (alternate data streams).

Also, someone advised me to look in my hosts file to see if there is something in it, but the only thing that's in there is the links that are blocked by Spybot, I think.
Example:
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
etc. etc. x100

Edited by SirPeter, 19 June 2004 - 07:52 PM.

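One way to do the hosts-file check described in this post, as an added example that is not part of the original thread: it parses hosts-file text, tracks the Spybot section (the start marker is the one quoted above; the end marker is assumed), and separates loopback blocklist entries from entries that send a real name to a real address, the pattern a browser hijacker leaves behind. The sample hosts content is constructed.

```python
"""Hosts-file audit: separate blocklist entries from hijack-style redirects.

Added example, not code from the forum thread. The hosts content below is
constructed; the Spybot start marker is the one quoted in the thread, the
end marker is assumed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"  # assumed marker

# A name mapped to one of these resolves to "nowhere": that is a block, not a redirect.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list[str]
    in_spybot_block: bool
    verdict: str  # "localhost", "sinkhole", "redirect" or "malformed"


def classify(address: str, names: list[str]) -> str:
    """Decide what a single hosts line does."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if address in SINKHOLE_ADDRESSES:
        # "127.0.0.1 localhost" is the stock entry; any other loopback mapping is a block.
        return "localhost" if names == ["localhost"] else "sinkhole"
    return "redirect"  # a real name sent to a real address: the classic hijack pattern


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text, tracking which lines sit inside the Spybot section."""
    entries: list[HostsEntry] = []
    in_block = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if stripped.startswith(SPYBOT_START):
            in_block = True
            continue
        if stripped.startswith(SPYBOT_END):
            in_block = False
            continue
        body = stripped.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        address, *names = body.split()
        verdict = classify(address, names) if names else "malformed"
        entries.append(HostsEntry(line_no, address, names, in_block, verdict))
    return entries


def review_list(entries: list[HostsEntry]) -> list[HostsEntry]:
    """Entries worth a responder's attention: every redirect, plus sinkholes that
    the Spybot blocklist did not put there (something else wrote those)."""
    return [e for e in entries
            if e.verdict == "redirect"
            or (e.verdict == "sinkhole" and not e.in_spybot_block)]


# Constructed sample: stock localhost line, the Spybot block from the thread,
# then two entries of the kind this check is meant to surface.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 vendor-update.example    # block outside the Spybot section
192.0.2.10 www.google.nl           # real name pointed at a non-loopback address
"""

if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for e in review_list(found):
        print(f"line {e.line_no}: {e.verdict:8} {e.address} -> {', '.join(e.names)}")
```

Running it on the sample reports only the two lines after the Spybot section; the blocklist lines inside it are recognised as the tool's own.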

#5 SirPeter

Posted 20 June 2004 - 11:16 AM

12 hour+ bump.

Let's hope CWS isn't going to spread this thing like wildfire, huh. No one knows how to fix it, come on guys.

#6 SirPeter

Posted 21 June 2004 - 05:46 AM

Got Firefox now, lol, at least I can browse again, but I would still like to get CWS out of my memory.
Anyone know if uninstalling IE would work, or has it also attached itself to another file?

#7 SirPeter

Posted 23 June 2004 - 04:20 PM

Module information for 'iexplore.exe'

Logfile of HijackThis v1.97.7
Scan saved at 23:24:24, on 23-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
J:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\WINDOWS\runservice.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
J:\Program Files\Anti-Trojan-55\ATWatch.exe
D:\Program Files\Winamp3\winampa.exe
D:\WINDOWS\System32\ctfmon.exe
J:\Program Files\HJTHotkey\HJTHotkey.exe
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\mIRC\mirc.exe
J:\Program Files\Winamp\Winamp.exe
J:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Documents and Settings\SirPeter\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Anti-Trojan-Watch] J:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [TrojanScanner] J:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG_CC] J:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp3\winampa.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Verjaardagen] D:\Program Files\Verjaardagen\Verjaardagen.exe auto
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7577.7981134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...250/mcfscan.cab

Edited by SirPeter, 29 June 2004 - 09:03 AM.


#8 SirPeter

Posted 29 June 2004 - 09:10 AM

http://members.home....deriet/sigh.jpg
http://members.home....ireFox_pwnd.jpg

First picture showing incoming and outgoing CWS.
Second picture showing Firefox slowing down because of CWS.

Beat that.

Tralalalala

Edited by SirPeter, 29 June 2004 - 09:51 AM.


#9 SirPeter

Posted 03 July 2004 - 06:25 AM

~100 hour bump ;)

#10 SirPeter

Posted 06 July 2004 - 03:41 PM

http://members.home....iet/netstat.jpg
netstat -a with only mIRC open.

#11 RubbeR DuckY
  • Developer
  • 878 posts

Posted 06 July 2004 - 03:45 PM

Could you restart and post a new HijackThis log?
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#12 SirPeter

Posted 06 July 2004 - 04:09 PM

Logfile of HijackThis v1.98.0
Scan saved at 23:08:56, on 6-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
J:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Winamp3\winampa.exe
D:\WINDOWS\System32\ctfmon.exe
J:\PROGRA~1\Grisoft\AVG6\avgserv.exe
J:\Program Files\DiskeeperLite\DKService.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
J:\Program Files\Agnitum\Tauscan 1.7\tauscan.exe
J:\Program Files\Agnitum\Tauscan 1.7\Taumon.exe
D:\Program Files\mIRC\mirc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
J:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AVG_CC] J:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [THGuard] "J:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Jammer] J:\PROGRA~1\AGNITUM\JAMMER~1.0\Jammer.exe
O4 - HKLM\..\Run: [Tau Monitor] J:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Verjaardagen] D:\Program Files\Verjaardagen\Verjaardagen.exe auto
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - J:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - J:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...250/mcfscan.cab

#13 SirPeter

Posted 16 July 2004 - 08:17 AM

A format is planned for Wednesday. I still have some time left to clean the PC before my dad gets back from holiday and does his own backups of his programs :(

Any more suggestions?