OK, Continuing on...
With regards to the thread started by this post:[link|http://z.iwethey.org/forums/render/content/show?contentid=172220| Any ideas as to WTF is going on?]:

I have installed W2K SP4 as everybody says I should. I also found my paper copy of the Register's article on how to shut off Micros~1's "phone home worm". Everything's jake...

...well, not quite. It seems that SP4 basically had no effect. I still get TFTP attempts (which my firewall intercepts), and after about 10-15 minutes on the 'net, one of the two instances of svchost crashes, taking the clipboard with it (after the crash, I cannot cut or copy anything to the clipboard, and drag-n-drop also disappears).

Any other ideas? They would sure be appreciated! And is there a way to determine which DLL svchost is hosting? If I could get that small piece of info, perhaps I could reload or delete the offending DLL (it is my opinion that the DLL that eventually hoses itself is also the one trying the surreptitious TFTP attempts).

thanx-
jb4
shrub·bish (Am., from shrub + rubbish, after the derisive name for America's 43 president; 2003) n. 1. a form of nonsensical political doubletalk wherein the speaker attempts to defend the indefensible by lying, obfuscation, or otherwise misstating the facts; GIBBERISH. 2. any of a collection of utterances from America's putative 43rd president. cf. BULLSHIT

Did you run AV?
-drl
Re: Did you run AV?
Ran Ad-Aware and AVG. Have downloaded SpyBot, and will install and run tonight.
jb4

Check SystemInternals
They have a "listdlls.exe" program which lists the path of dlls and who is running them.

http://www.sysinternals.com/ntw2k/utilities.shtml

The output looks like this:

ListDLLs V2.23 - DLL lister for Win9x/NT
Copyright (C) 1997-2000 Mark Russinovich
http://www.sysinternals.com

-----------------------------------------------------------------------------
System pid: 8
Command line: <no command line>
-----------------------------------------------------------------------------
SMSS.EXE pid: 164
Command line: \SystemRoot\System32\smss.exe

Base Size Version Path
0x48580000 0xe000 \SystemRoot\System32\smss.exe
0x77f80000 0x7d000 5.00.2195.6899 C:\WINNT\system32\ntdll.dll
0x68010000 0xf0000 5.00.2195.6894 C:\WINNT\System32\sfcfiles.dll
-----------------------------------------------------------------------------
CSRSS.EXE pid: 188
Command line: C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSect
=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll
nsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitializatio
ProfileControl=Off MaxRequestThreads=16

Base Size Version Path
0x5fff0000 0x4000 \??\C:\WINNT\system32\csrss.exe
0x77f80000 0x7d000 5.00.2195.6899 C:\WINNT\system32\ntdll.dll
0x5ff90000 0xc000 5.00.2195.6601 C:\WINNT\system32\CSRSRV.dll
0x5ffa0000 0xd000 5.00.2195.6824 C:\WINNT\system32\basesrv.dll
0x5ffb0000 0x3f000 5.00.2195.6826 C:\WINNT\system32\winsrv.dll
0x77e10000 0x65000 5.00.2195.6897 C:\WINNT\system32\USER32.dll
0x7c570000 0xb8000 5.00.2195.6897 C:\WINNT\system32\KERNEL32.DLL
0x77f40000 0x3e000 5.00.2195.6898 C:\WINNT\system32\GDI32.DLL
-----------------------------------------------------------------------------
WINLOGON.EXE pid: 184
Command line: winlogon.exe

Base Size Version Path
0x01000000 0x2e000 \??\C:\WINNT\system32\winlogon.exe
0x77f80000 0x7d000 5.00.2195.6899 C:\WINNT\system32\ntdll.dll
0x78000000 0x45000 6.01.9844.0000 C:\WINNT\system32\MSVCRT.DLL
0x7c570000 0xb8000 5.00.2195.6897 C:\WINNT\system32\KERNEL32.dll
0x7c2d0000 0x62000 5.00.2195.6876 C:\WINNT\system32\ADVAPI32.DLL
0x77d30000 0x71000 5.00.2195.6904 C:\WINNT\system32\RPCRT4.DLL
0x77f40000 0x3e000 5.00.2195.6898 C:\WINNT\system32\GDI32.DLL
0x77e10000 0x65000 5.00.2195.6897 C:\WINNT\system32\USER32.DLL
0x7c0f0000 0x61000 5.00.2195.6794 C:\WINNT\system32\USERENV.DLL
0x769a0000 0x7000 5.00.2195.6661 C:\WINNT\system32\NDDEAPI.DLL
0x76980000 0x1b000 5.00.2195.6673 C:\WINNT\system32\SFC.DLL
0x68010000 0xf0000 5.00.2195.6894 C:\WINNT\system32\sfcfiles.dll
-- More --
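
One way to triage a listdlls listing like the one above, added here as an example and not part of the original post or of the Sysinternals tool: it parses the per-process module tables and reports modules that svchost.exe loaded from outside the system directory or that carry no version resource. The sample listing, both svchost entries and the C:\TEMP path are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample in the ListDLLs layout; the svchost entries and C:\TEMP path are made up.
SAMPLE = r"""
-----------------------------------------------------------------------------
SVCHOST.EXE pid: 412
Command line: C:\WINNT\system32\svchost.exe -k rpcss

Base Size Version Path
0x01000000 0x5000 C:\WINNT\system32\svchost.exe
0x77f80000 0x7d000 5.00.2195.6899 C:\WINNT\system32\ntdll.dll
0x77d30000 0x71000 5.00.2195.6904 C:\WINNT\system32\RPCRT4.DLL
-----------------------------------------------------------------------------
SVCHOST.EXE pid: 460
Command line: C:\WINNT\system32\svchost.exe -k netsvcs

Base Size Version Path
0x01000000 0x5000 C:\WINNT\system32\svchost.exe
0x77f80000 0x7d000 5.00.2195.6899 C:\WINNT\system32\ntdll.dll
0x10000000 0x9000 C:\TEMP\example-unknown.dll
"""

PROC = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(?:(\d+(?:\.\d+){3})\s+)?(\S.*)$")

def parse_listdlls(text):
    """Return {(process_name, pid): [(base, size, version_or_None, path), ...]}."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROC.match(line)
        if m:  # "NAME pid: N" starts a new process section
            current = procs.setdefault((m[1], int(m[2])), [])
            continue
        m = ROW.match(line)
        if m and current is not None:  # module row; the version column may be empty
            current.append((int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return procs

def review_candidates(procs, name="SVCHOST.EXE", trusted=r"C:\WINNT\system32"):
    """Modules loaded by `name` from outside `trusted`, or lacking version info."""
    hits = []
    for (pname, pid), mods in procs.items():
        if pname.upper() != name.upper():
            continue
        for _base, _size, version, path in mods[1:]:  # mods[0] is the host .exe
            outside = not path.lower().startswith(trusted.lower() + "\\")
            if outside or version is None:
                hits.append((pid, path, "outside trusted dir" if outside else "no version"))
    return hits
```

Save the tool's output to a file and pass its contents to `parse_listdlls`; each hit names the pid, so the matching svchost instance can be compared against the one that crashes.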
Cool! Will try tonight.
jb4
