The latest CWS Hijacker, or

Discussion in 'privacy problems' started by dvk01, Mar 19, 2004.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    Reposted from Merijn's site for info, as CWShredder doesn't fix this one yet.

    If your browser has been hijacked to, or
    We are working on a fix for this one and drawing near to a solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it automatically.

    So far, the following manual fix should work:
    First download FAR explorer from here:

    Install it, then start FAR.
    Hit Alt-F1 and the drive list should come up; go to '0 process list'.

    Scroll to iexplore.exe in the left panel, highlight it and hit F5.
    Now go to the right pane of FAR and double-click 'iexplore.exe.txt'; it should open in Notepad.

    Look for a file with this size and this beginning. The filename will always be different:
    61C00000 F000 c:\windows\system32\wingn.dll

    This part indicates the bad file:
    61C00000 F000
    It will always start with that header.
    Write down the filename behind it.

    Now download KillBox:
    Unzip it and run it.
    Paste the filename you wrote down into the white kill line, then hit the bottom green arrow button to move the file to the bottom of KillBox. Hit the 'remove on reboot' button and reboot. Once it reboots, make sure the file is gone.
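    The manual fix above comes down to three steps: read the module list FAR writes for iexplore.exe, pick out the module whose load address and size match the quoted fingerprint (61C00000 F000), and confirm after the KillBox reboot that the file is really gone. The script below is an added example, not code from the thread, Merijn or FAR: it parses a dump in the "Base Size Path" format FAR produces, applies the fingerprint as parameters (the follow-up post in this thread says later builds no longer match it, so the base and size are not hard-coded into the scan), and checks the file system afterwards. The SAMPLE_DUMP is constructed from lines that appear on this page and is not a real capture; the function names and the injectable `exists` check are my own.

```python
import os
import re
from typing import Callable, List, Tuple

# Fingerprint quoted in the post: load address 61C00000, image size F000 (hex).
# The follow-up post says later builds of the parasite no longer match it, so
# both values are parameters of the scan rather than baked-in constants.
FINGERPRINT_BASE = 0x61C00000
FINGERPRINT_SIZE = 0xF000

# One module line of a FAR process dump looks like "<base-hex> <size-hex> <path>".
_MODULE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{1,8})\s+(\S.*?)\s*$")

# Constructed excerpt of a FAR dump for iexplore.exe (not a real capture). The
# wingn.dll line is the one quoted in the post; the other module lines are copied
# from the Explorer.EXE dump posted later in the thread.
SAMPLE_DUMP = r"""
Module: iexplore.exe
PID: 1480
Base Size Path (version info is not displayed)
77F50000 A7000 C:\WINDOWS\System32\ntdll.dll
77E60000 E6000 C:\WINDOWS\system32\kernel32.dll
61C00000 F000 c:\windows\system32\wingn.dll
63000000 96000 C:\WINDOWS\system32\WININET.dll
"""


def parse_far_modules(dump: str) -> List[Tuple[int, int, str]]:
    """Return (base, size, path) for every module line in a FAR process dump.

    Process statistics, the environment block and the 'Base Size Path' header
    do not start with an 8-digit hex address, so they are skipped.
    """
    modules = []
    for line in dump.splitlines():
        m = _MODULE_RE.match(line)
        if m:
            modules.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return modules


def find_by_fingerprint(modules, base=FINGERPRINT_BASE, size=FINGERPRINT_SIZE) -> List[str]:
    """Paths of modules loaded at exactly `base` with image size `size`.

    This is the "look for 61C00000 F000 and write down the filename behind it"
    step of the post; the name itself is never matched because it differs per machine.
    """
    return [path for b, s, path in modules if b == base and s == size]


def verify_removed(paths: List[str], exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """After the KillBox reboot: return the paths that are still present on disk.

    `exists` is injectable so the check can be exercised without the real file system.
    """
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    hits = find_by_fingerprint(parse_far_modules(SAMPLE_DUMP))
    for path in hits:
        print("matches the CWS fingerprint, paste into KillBox:", path)
    for path in verify_removed(hits):
        print("still on disk after reboot:", path)
```

    To use it on a real machine, save the Notepad window FAR opens (iexplore.exe.txt) and feed its contents to `parse_far_modules` in place of SAMPLE_DUMP; an empty result from `find_by_fingerprint` means the fingerprint did not match, which is the situation the later post in this thread describes.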
  2. ray1980

    ray1980 Registered Member

    May 2, 2004
    Hi my friend, I got the List2004 prefix virus on my XP last month. I have tried a lot of anti-virus programs, but it never seemed to be fixed. I am trying the way you said, but the list in the Notepad window from FAR was a bit confusing. All the files' names are similar, and I did not find one close to "61C00000 F000 c:\windows\system32\wingn.dll". I put my list here in case you could help me to find the suspicious file. My name is Ray, from Montreal, Canada; my email, if you really don't mind. Thanks a lot!!!!!

    email address removed for security and harvesting reasons. Please contact staff member(s) using IM - paul

    --------------------------------------------------------------------------
    Module: Explorer.EXE
    Full path: C:\WINDOWS\Explorer.EXE
    File version: 6.00.2800.1106 (xpsp1.020828-1920)
    Description: Windows Explorer
    PID: 1480
    Parent PID: 1456
    Priority: 8
    Threads: 11
    Owner: YOUR-W92P4BHLZG\Owner (S-1-5-21-4042608690-4210259494-4108073714-1003)
    Session: 0

    Started at: 2:34:01
    Uptime: 00:03:32

    GDI Objects: 220
    USER Objects: 119

    Processor Time: 00:00:10.109 0%
    Privileged Time: 00:00:08.085 0%
    User Time: 00:00:02.023 0%
    Handle Count: 286
    Page File Bytes: 10579968
    Page File Bytes Peak: 11247616
    Working Set: 18485248
    Working Set Peak: 18702336
    Pool Nonpaged Bytes: 12952
    Pool Paged Bytes: 63084
    Private Bytes: 10579968
    Page Faults: 22133 0/sec
    Virtual Bytes: 66322432
    Virtual Bytes Peak: 76091392
    IO Data Bytes: 1683983 0/sec
    IO Read Bytes: 1682209 0/sec
    IO Write Bytes: 1774 0/sec
    IO Other Bytes: 331313 0/sec
    IO Data Operations: 6058 0/sec
    IO Read Operations: 6046 0/sec
    IO Write Operations: 12 0/sec
    IO Other Operations: 14758 0/sec

    Window title:
    HWND: 00030034
    Extended style: 00000088

    Command Line:

    Current Directory: C:\Documents and Settings\Owner\


    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CommonProgramFiles=C:\Program Files\Common Files
    HOMEPATH=\Documents and Settings\Owner
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
    ProgramFiles=C:\Program Files
    USERPROFILE=C:\Documents and Settings\Owner

    Base Size Path (version info is not displayed)
    01000000 F8000 C:\WINDOWS\Explorer.EXE
    77F50000 A7000 C:\WINDOWS\System32\ntdll.dll
    77E60000 E6000 C:\WINDOWS\system32\kernel32.dll
    77C10000 53000 C:\WINDOWS\system32\msvcrt.dll
    77DD0000 8D000 C:\WINDOWS\system32\ADVAPI32.dll
    78000000 7E000 C:\WINDOWS\system32\RPCRT4.dll
    77C70000 40000 C:\WINDOWS\system32\GDI32.dll
    77D40000 8C000 C:\WINDOWS\system32\USER32.dll
    70A70000 65000 C:\WINDOWS\system32\SHLWAPI.dll
    773D0000 7F7000 C:\WINDOWS\system32\SHELL32.dll
    771B0000 117000 C:\WINDOWS\system32\ole32.dll
    77120000 8B000 C:\WINDOWS\system32\OLEAUT32.dll
    71500000 FD000 C:\WINDOWS\System32\BROWSEUI.dll
    71700000 149000 C:\WINDOWS\System32\SHDOCVW.dll
    5AD70000 34000 C:\WINDOWS\System32\UxTheme.dll
    76390000 1C000 C:\WINDOWS\System32\IMM32.DLL
    629C0000 8000 C:\WINDOWS\System32\LPK.DLL
    72FA0000 5A000 C:\WINDOWS\System32\USP10.dll
    10000000 F000 C:\WINDOWS\System32\msvsres.dll
    71AB0000 15000 C:\WINDOWS\System32\WS2_32.dll
    71AA0000 8000 C:\WINDOWS\System32\WS2HELP.dll
    71950000 E4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
    77340000 8B000 C:\WINDOWS\system32\comctl32.dll
    008E0000 2B000 C:\WINDOWS\System32\msctfime.ime
    75F40000 1F000 C:\WINDOWS\system32\appHelp.dll
    76FD0000 78000 C:\WINDOWS\System32\CLBCATQ.DLL
    77050000 C5000 C:\WINDOWS\System32\COMRes.dll
    77C00000 7000 C:\WINDOWS\system32\VERSION.dll
    76620000 4E000 C:\WINDOWS\System32\cscui.dll
    76600000 1B000 C:\WINDOWS\System32\CSCDLL.dll
    559E0000 71000 C:\WINDOWS\System32\themeui.dll
    76F90000 10000 C:\WINDOWS\System32\Secur32.dll
    76380000 5000 C:\WINDOWS\System32\MSIMG32.dll
    75A70000 A5000 C:\WINDOWS\system32\USERENV.dll
    746F0000 26000 C:\WINDOWS\System32\Msimtf.dll
    74720000 44000 C:\WINDOWS\System32\MSCTF.dll
    703D0000 1B000 C:\WINDOWS\System32\actxprxy.dll
    72430000 12000 C:\WINDOWS\System32\browselc.dll
    5FC10000 30000 C:\WINDOWS\System32\msutb.dll
    71C20000 4E000 C:\WINDOWS\System32\netapi32.dll
    71BF0000 11000 C:\WINDOWS\System32\SAMLIB.dll
    76980000 7000 C:\WINDOWS\System32\LINKINFO.dll
    76990000 24000 C:\WINDOWS\System32\ntshrui.dll
    76B20000 15000 C:\WINDOWS\System32\ATL.DLL
    71B20000 11000 C:\WINDOWS\system32\MPR.dll
    75F60000 6000 C:\WINDOWS\System32\drprov.dll
    71C10000 D000 C:\WINDOWS\System32\ntlanman.dll
    71CD0000 16000 C:\WINDOWS\System32\NETUI0.dll
    71C90000 3C000 C:\WINDOWS\System32\NETUI1.dll
    71C80000 6000 C:\WINDOWS\System32\NETRAP.dll
    75F70000 9000 C:\WINDOWS\System32\davclnt.dll
    76670000 E7000 C:\WINDOWS\System32\SETUPAPI.dll
    1A400000 7A000 C:\WINDOWS\system32\urlmon.dll
    014D0000 201000 C:\WINDOWS\System32\msi.dll
    75CF0000 191000 C:\WINDOWS\system32\NETSHELL.dll
    76C00000 2D000 C:\WINDOWS\system32\credui.dll
    76D60000 17000 C:\WINDOWS\system32\iphlpapi.dll
    70D00000 1A1000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\gdiplus.dll
    63000000 96000 C:\WINDOWS\system32\WININET.dll
    762C0000 88000 C:\WINDOWS\system32\CRYPT32.dll
    762A0000 F000 C:\WINDOWS\system32\MSASN1.dll
    76360000 F000 C:\WINDOWS\System32\WINSTA.dll
    74B30000 41000 C:\WINDOWS\System32\webcheck.dll
    74B00000 20000 C:\WINDOWS\System32\stobject.dll
    74AF0000 9000 C:\WINDOWS\System32\BatMeter.dll
    74AD0000 7000 C:\WINDOWS\System32\POWRPROF.dll
    76F50000 8000 C:\WINDOWS\System32\WTSAPI32.dll
    73BA0000 12000 C:\WINDOWS\System32\sti.dll
    74AE0000 7000 C:\WINDOWS\System32\CFGMGR32.dll
    5A620000 70000 C:\WINDOWS\System32\wiadefui.dll
    76B40000 2C000 C:\WINDOWS\System32\WINMM.dll
    74B80000 82000 C:\WINDOWS\System32\printui.dll
    73000000 23000 C:\WINDOWS\System32\WINSPOOL.DRV
    76E40000 2F000 C:\WINDOWS\System32\ACTIVEDS.dll
    76E10000 25000 C:\WINDOWS\System32\adsldpc.dll
    76F60000 2C000 C:\WINDOWS\system32\WLDAP32.dll
    68DF0000 8C000 C:\WINDOWS\System32\fxsst.dll
    69010000 70000 C:\WINDOWS\System32\FXSAPI.dll
    76CE0000 1F000 C:\WINDOWS\System32\NTMARTA.DLL
    76C30000 2B000 C:\WINDOWS\System32\WINTRUST.dll
    76C90000 22000 C:\WINDOWS\system32\IMAGEHLP.dll
    0FFD0000 23000 C:\WINDOWS\System32\rsaenh.dll
    75E90000 A7000 C:\WINDOWS\System32\SXS.DLL
    Last edited by a moderator: May 2, 2004
  3. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    Since my original post this parasite has changed some of its behaviour and there is no longer any easy way to definitely identify the file as shown above.

    For assistance please do this:

    please follow the instructions here
    and post a HJT log in the hijack forum.
  4. ray1980

    ray1980 Registered Member

    May 2, 2004
    Thanks Derek. But does that mean there is no way to really get rid of "list2004"? What can I do? Should I trash all of my downloaded IE files and IE itself?
  5. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    That won't do any good either with this pest.

    Follow the advice to post a HJT log and we'll see what we can do for you.
  6. ray1980

    ray1980 Registered Member

    May 2, 2004
    Thanks, I will try what you advised.
  7. hyper C

    hyper C Guest


    I got rid of it. First I duplicated the files/songs I wanted to keep and put them on my external hard drive, then scanned it, and then I formatted my PC. That is my answer for about everything.