Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

wgf6zxit9os.dll (Resolved)


  • This topic is locked This topic is locked

#1
Kieran

Kieran

    New Member

  • Member
  • Pip
  • 5 posts
Hi, I am in need of some dire help. There is a dll file in my System32 folder called wgf6zxit9os.dll, and Norton Antivirus pops up every 3 seconds (no exaggertaion) telling me its there but can't delete it.

Its also in the registry folder
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>Current Version>Windows

However, I can't acces it, rename it, delete it, modify it or even LOOK at it, without it reappearing 2 seconds later.

In the properties, it's company name is Melkosoft Corporation (Language: Russian)

Date created, apparently 30/10/2004 6:07 pm.

The only trace of it in HijackThis is line O20 - AppInit_DLLs: wgf6zxit9os.dll

Please help if you can!!

Edited by Kieran, 24 April 2005 - 11:37 AM.

  • 0

Advertisements


#2
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Keiran,

Please follow the instructions on this link first.

First steps needed
  • 0

#3
Kieran

Kieran

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ya, sorry, I forgot to put the HijackThis log, I edited the post ^ ^, and I've tried the rest

Edited by Kieran, 24 April 2005 - 11:40 AM.

  • 0

#4
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Please post a full HJT log, what you have identified is part of a coolweb infection, but we need the full log to identify what else maybe in it before recommending the next course of action
  • 0

#5
Kieran

Kieran

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Logfile of HijackThis v1.98.2
Scan saved at 1:52:04 PM, on 24/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Free Surfer\fs.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Murray\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Murray\Application Data\Mozilla\Profiles\default\5mn99y72.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107618535074
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O20 - AppInit_DLLs: wgf6zxit9os.dll
  • 0

#6
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Kieran,

Firstly, you need to create a new folder on Cdrive for HJT.(example C\HJT) install into that folder and run from there. That way backups can be created if required.

Whilst the dll relates to Coolwebsearch, there is no other evidence to suggest infection.

Run HJT check the entry

O20 - AppInit_DLLs: wgf6zxit9os.dll

ensure no other windows open and click on FIX CHECKED.

Carry out a free online virus scan from the following link.

Kaspersky

Fill in name, for company put anything you want, put email address and then carry out scan

Download the following 14 day free trial.

Ewido

Install it and then double click on the new icon for the program. You can't miss it, it's a big yellow E. It will ask you to upgrade the database. Follow the instructions.
Once it is ready click on the Scanner button, Select C drive if you have more than one and then start.

grab a cup of coffee, sandwiches, book and sleeping bag as this will take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At then end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Carry out another HJT scan and post the log back here.
  • 0

#7
Guest_nommork_*

Guest_nommork_*
  • Guest
I might also suggest updating HJT to 1.99.1

Please download Hijackthis 1.99.1
Hijackthis Download



Scan and post a new log

Edited by nommork, 24 April 2005 - 01:06 PM.

  • 0

#8
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi nommork,

Thanks for the headsup, i missed that one :tazz:
  • 0

#9
Guest_nommork_*

Guest_nommork_*
  • Guest
usetobe ;)
I missed it another topic as well :tazz: ;)
  • 0

#10
Kieran

Kieran

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
the dll file seems to be gone now *crossing fingers* but im pretty pissed as to why a free internet scan would detect and delete it, while norton antivirus did little more than tell me what i already knew and wouldn't solve it.

also, i cant seem to remove all parts of the norton/symantic software...but ill figure that out i guess


Logfile of HijackThis v1.99.1
Scan saved at 6:50:04 PM, on 24/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Free Surfer\fs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Murray\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Murray\Application Data\Mozilla\Profiles\default\5mn99y72.slt\prefs.js)
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107618535074
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Edited by Kieran, 24 April 2005 - 04:57 PM.

  • 0

#11
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Keiran,

Just one area of concern left, has system administrator or you set internet explorer restrictions in Spybot S&D?

If not, rescan with HJT check the following

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Ensure no windows open other than HJT, click on Fix Checked.

Once you have sorted that one then

From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#12
Kieran

Kieran

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you immensely. Ugh! Finally! that dll is kaput.

It wasn't so much a fear of what it did, but rather not KNOWING what it did but knowing it wasn't supposed to be there that was worse.

Thank you again, for the moment I am safe for another day!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP