Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

VX2 pest, NEED HELP


  • Please log in to reply

#1
deadbeat9

deadbeat9

    New Member

  • Member
  • Pip
  • 3 posts
I need some help, i see popups every 5 minutes without the internet open, i cant even move file into the recycle bin without out premetly deleting it, wat eles can i do. I need help, and fast
  • 0

Advertisements


#2
deadbeat9

deadbeat9

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:35:53 PM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\winsystem32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pap.GR38WEU5QUZD0MV\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {EE9989C3-B454-47DF-8E3F-6EC9681CD0A5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem32.exe
O4 - HKCU\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKCU\..\RunServices: [MSN Messenger] ctxcfrw.exe
O4 - HKCU\..\RunServices: [Windows Media Player] qxcgzu.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27107EDE-843F-4A10-8B53-65FD707B8B0A}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{27107EDE-843F-4A10-8B53-65FD707B8B0A}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{8136138D-8BF6-4D8B-85D6-2643E0430FEC}: Domain = sympatico.ca
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: bvgwzgtjeiai (vegzsplw5) - Unknown owner - C:\WINDOWS\System32\dmrskrnp5.exe (file missing)
  • 0

#3
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi and welcome deadbeat9

Need you to do a few things please,

Please Download LSPFix and Run the Program.
Disconnect from the Internet and close all Internet Explorer Windows.
Check the "I know what I'm doing" Button and remove all traces of dolsp.dll ( Nothing else)
Then Reboot.

Next, It is very important to do this,
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT
Move HJT to this folder please

Next,
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {EE9989C3-B454-47DF-8E3F-6EC9681CD0A5} - (no file)
O4 - HKLM\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem32.exe
O4 - HKCU\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKCU\..\RunServices: [MSN Messenger] ctxcfrw.exe
O4 - HKCU\..\RunServices: [Windows Media Player] qxcgzu.exe
O23 - Service: bvgwzgtjeiai (vegzsplw5) - Unknown owner - C:\WINDOWS\System32\dmrskrnp5.exe (file missing)


Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

C:\WINDOWS\System32\winsystem32.exe
ctxcfrw.exe
qxcgzu.exe

C:\WINDOWS\System32\dmrskrnp5.exe


Restart your computer,

Please download and install Ad-aware.
Setting up Ad-aware- please make sure you update it first

Run a scan with Ad-aware and fix all it finds.
Restart your computer

Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.

Then scan again with HijackThis and post another log.
  • 0

#4
Kaz

Kaz

    New Member

  • Member
  • Pip
  • 2 posts
I do not specialize in malware, but shouldn't he also do something about the line Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

If I'm not mistaken, that means that winlogon.exe is being hijacked to maintain the malware, and it's almost impossible to get rid of until that's fixed.

I'm not entirely certain how to remove it, though...I have that problem on my main box, and the line is replaced the instant I remove it. I'm going to try booting from a linux cd and using a linux-based registry editor to get rid of it.
  • 0

#5
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Kaz and welcome
Have a look Here

This one has been removed a lot but shouldn't be,

Have a great day,

Don
  • 0

#6
Kaz

Kaz

    New Member

  • Member
  • Pip
  • 2 posts
Yikes, you're correct, that's not a randomly generated string like mine. On mine, each time I delete the suspect DLL, the worm apparently generates a randomly named new DLL string.

For example, right now it's

O20 - Winlogon Notify: Run- - C:\WINDOWS\system32\porfproc.dll

...which sounds suspiciously like a real file, but I haven't been able to google up any reference to it.

Previously, the dll was called
C:\WINDOWS\system32\k8lq0i35e8.dll
C:\WINDOWS\system32\k4080edueh080.dll
C:\WINDOWS\system32\l2l60c3sef.dll
C:\WINDOWS\system32\enlul1391.dll
  • 0

#7
deadbeat9

deadbeat9

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
THANKS don77 it really helped, im popup free. Heres my latest log



Logfile of HijackThis v1.99.1
Scan saved at 5:57:30 PM, on 3/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSProxy Support Dll - {830DE650-EBE7-434F-99AA-8DCBCDACBD7B} - C:\WINDOWS\System32\msprxcore.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27107EDE-843F-4A10-8B53-65FD707B8B0A}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{27107EDE-843F-4A10-8B53-65FD707B8B0A}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{8136138D-8BF6-4D8B-85D6-2643E0430FEC}: Domain = sympatico.ca
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: bvgwzgtjeiai (vegzsplw5) - Unknown owner - C:\WINDOWS\System32\dmrskrnp5.exe (file missing)
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looks better deadbeat9, But a bit more to do,

Please Download LSPFix and Run the Program.
Disconnect from the Internet and close all Internet Explorer Windows.
Check the "I know what I'm doing" Button and remove all traces of dolsp.dll ( Nothing else)
Then Reboot.

Next,
[*]Open HijackThis.
[*]Click the Config button.
[*]Click the Misc Tools button.
[*]Select Delete an NT service.
[*]Copy and paste the following into the box:
[bvgwzgtjeiai (vegzsplw5)]
[*]Click Ok

Next,

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O2 - BHO: MSProxy Support Dll - {830DE650-EBE7-434F-99AA-8DCBCDACBD7B} - C:\WINDOWS\System32\msprxcore.dll
O23 - Service: bvgwzgtjeiai (vegzsplw5) - Unknown owner - C:\WINDOWS\System32\dmrskrnp5.exe (file missing)

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

C:\WINDOWS\System32\msprxcore.dll
C:\WINDOWS\System32\dmrskrnp5.exe

Restart your computer, Post back a fresh log please
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP