Problem with RawSex dialer - my hijack this log


Zidane
November 18th, 2003, 06:30 PM
I have a problem with RawSex dialer - stupid BF of my sis was surfing at some porno sites - I am sure of it, cos he downloaded this bugger - after every reboot it tries to dial some number and connect somewhere, of course it is no use, cos I am not a modem user, so the bugger asks me "Would you like to keep redialing?", I hit NO. It creates an icon named RawSex and drops RawSex.exe into Running processes...

Ad Aware with the newest database finds nothing, SB and SG don't react either...

If I delete the process and the icon, after the next reboot it starts again, so I think there would be some registry entry...

Here is my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 0:18:25, on 19.11.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Overnet\Overnet.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ABC~1.ABC\LOCALS~1\Temp\Rar$EX00.331\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mrkvosoft Infernet Exprdel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.81.156.250:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %
O4 - HKLM\..\Run: [Setting] sysweb.exe
O4 - HKLM\..\RunServices: [Setting] sysweb.exe
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
O4 - Startup: MRU-Blaster Scheduler.lnk = ?
O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt


I personally think that the suspicious entries are:
O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %
- this especially, cos the RawSex icon was once named "winupdates" I think, so it is suspicious...

O4 - HKLM\..\Run: [Setting] sysweb.exe
O4 - HKLM\..\RunServices: [Setting] sysweb.exe

This is suspicious for me cos I think I had not seen this in Running processes lately, but I don't know what this is...

O10 - Broken Internet access because of LSP provider 'imon.dll' missing

And this - what does it mean? What about broken internet access? I have no problems with internet access, so it is weird...

So this is my problem, I hope somebody will find what causes the RawSex bastard to appear :-)
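The triage Zidane does by eye above (an O4 entry named like an OS component that runs a script host, and a Run/RunServices value that is a bare filename with no path) can be written down as a small checker. The following is an added example, not code from the thread or from HijackThis: it parses registry O4 lines in the format shown in the log, the sample input is constructed from entries on this page, and the heuristic lists (script hosts, OS-lookalike value names) are my own assumptions, not a HijackThis feature.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log posted above,
# used here as test input (two known-good entries, three to be flagged).
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE',
    r'O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %',
    r'O4 - HKLM\..\Run: [Setting] sysweb.exe',
    r'O4 - HKLM\..\RunServices: [Setting] sysweb.exe',
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
]

# Registry-backed O4 lines look like:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# First token ending in an executable extension, so unquoted paths with spaces survive.
EXE_RE = re.compile(
    r'^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(?P<args>.*))?$', re.IGNORECASE
)

# Heuristic lists (my assumptions, not a HijackThis feature):
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe'}   # hosts that run arbitrary scripts
OS_LOOKALIKE_NAMES = {'explorer', 'winlogon', 'services', 'lsass', 'svchost'}  # names imitating OS parts


def parse_o4(line):
    """Split a registry O4 line into hive, key, value name and command, or None."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def split_command(cmd):
    """Return (executable, arguments) from a Run value; handles quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group('exe'), m.group('args') or ''
    head, _, tail = cmd.partition(' ')   # fallback for values without a known extension
    return head, tail


def triage_entry(line):
    """Parse one O4 line and attach the reasons (if any) it deserves a closer look."""
    entry = parse_o4(line)
    if entry is None:
        return None
    exe, args = split_command(entry['cmd'])
    exe_name = exe.rsplit('\\', 1)[-1].lower()
    reasons = []
    if '\\' not in exe:
        reasons.append('no directory given; the name is resolved through the search path at logon')
    if exe_name in SCRIPT_HOSTS:
        target = args.split()[0] if args else '(no script)'
        reasons.append(f'script host {exe_name} runs {target} at every logon')
    if entry['name'].lower() in OS_LOOKALIKE_NAMES and exe_name != entry['name'].lower() + '.exe':
        reasons.append(f'value name "{entry["name"]}" imitates an OS component but runs {exe_name}')
    return {**entry, 'exe': exe, 'args': args, 'reasons': reasons}


def triage_log(lines):
    """Triage every registry O4 line in a HijackThis log; other lines are skipped."""
    return [r for r in (triage_entry(l) for l in lines) if r is not None]


if __name__ == '__main__':
    for r in triage_log(SAMPLE_O4_LINES):
        mark = 'CHECK' if r['reasons'] else 'ok   '
        print(f"{mark} {r['hive']}\\..\\{r['key']}: [{r['name']}] {r['exe']}")
        for reason in r['reasons']:
            print('       -', reason)
```

Run against the log it reproduces the three entries Zidane picked out and leaves the nod32 and MSN Messenger entries alone; the point of the bare-filename rule is that a value like `sysweb.exe` tells you nothing about where the file lives, which is exactly why it needs a closer look.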

Zidane
November 18th, 2003, 06:31 PM
And I think I will send a message to Lavasoft, that there is this bastard, so they could add it to the AdAware database :-)

Unzy
November 18th, 2003, 08:26 PM
Hi Zidane,

You already did some clever investigations :)

Can you send the following files to me please, as I think they may be new CWS variants:

C:\WINDOWS\updates.vbs <- this file
sysweb.exe <- this file

unzy @ wilders.org

Thanks!

After doing so have only HijackThis running while staying offline and fix:

R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)

O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %
O4 - HKLM\..\Run: [Setting] sysweb.exe
O4 - HKLM\..\RunServices: [Setting] sysweb.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt

Concerning this entry:

O10 - Broken Internet access because of LSP provider 'imon.dll' missing

I think that one has to do with nod32, I would leave it alone until someone else gives you more advice about it. In the meantime I'm digging further to find out more about it.

Start with fixing the above, reboot after doing so and remove:

C:\WINDOWS\updates.vbs <- this file
sysweb.exe <- this file
C:\Program Files\Internet Explorer\readme.txt <- this file, in that folder.

Hope this helps,

Keep us posted!

Cheers,

Zidane
November 18th, 2003, 08:36 PM
Unzy:

I will send the files ASAP :) Keep me - and the others - informed about what this is about, please :-) For example - CWS variants? What does CWS mean?
The "imon.dll missing" will probably be something about NOD32, you are right, cos the NOD32 scanner name is IMON and AMON, so this can be it, I think - you were right IMHO :-)

Edit: Files sent :-)

Unzy
November 18th, 2003, 08:55 PM
Hi Zidane,

CWS is short for CoolWebSearch, a new hijacker which is really busy lately :(

Check out here for more info, if you're interested:

http://www.spywareinfo.com/~merijn/cwschronicles.html

and here, for a summation of the latest variants (to help out Merijn a bit more, as he's really busy irl at the moment ;) ):

http://boards.cexx.org/viewtopic.php?t=2293

Thanks Merijn :-*

Cheers,

//EDIT Thanks for the files! I'll get back to you asap.

Unzy
November 18th, 2003, 09:14 PM
Hi Zidane,

I analysed the files you sent to me.

I can tell you this file:

O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %

was the cause of your rawsex dialing problem. Tries to dial home at shylolitas.com. Uses a Wscript.shell to set up the rawsex dialing code.

The sysweb entrance, hmmm still investigating that one, did a file monitoring with inctrl, it added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:T:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zvwa qbphzragra\flfjro.rkr"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"

random named filenames but the clsid stays the same. Also wanted to add two important registry keys so it would start with next bootup, but I prevented it with regprot.

I'll let you know asap when i have more.

In the meantime you should just focus on deleting those entries with HijackThis (above) and keep us posted if problems are solved!

Take care,

Cheers,
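The UserAssist values in Unzy's InCtrl report above are not random: Explorer stores the names of items launched through the shell under that key, ROT13-encoded, with a run counter. Decoding them shows what was executed, which is useful for reconstructing what happened, but it is not a persistence mechanism. The following is an added example (not code from the thread, InCtrl or HijackThis) that decodes the two lines quoted above; the sample input is constructed from those lines, and the meaning given to the UEME_RUNPATH tag is my own reading of the UserAssist format.

```python
import codecs
import re

# Constructed sample: the InCtrl report lines quoted in the thread above. The GUID is
# the UserAssist subkey that appears in that report; the value names are ROT13-encoded.
SAMPLE_REPORT_LINES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:T:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zvwa qbphzragra\flfjro.rkr"',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"',
]

# Matches ...\UserAssist\{GUID}\Count "value" as InCtrl prints it.
USERASSIST_RE = re.compile(
    r'\\UserAssist\\\{(?P<guid>[0-9A-Fa-f-]+)\}\\Count "(?P<value>[^"]*)"'
)


def rot13(text):
    """ROT13 only touches A-Z/a-z; digits, backslashes and punctuation pass through."""
    return codecs.decode(text, 'rot_13')


def decode_userassist_value(encoded):
    """Decode one UserAssist\\Count value name into (tag, path).

    tag is the UEME_* marker (UEME_RUNPATH: an executable launched through the
    shell); path is what was launched, or '' for the bare counter entry."""
    plain = rot13(encoded)
    tag, _, path = plain.partition(':')
    return tag, path


def decode_report(lines):
    """Pull every UserAssist\\Count value out of report lines and decode it."""
    decoded = []
    for line in lines:
        m = USERASSIST_RE.search(line)
        if m is None:
            continue  # e.g. the RunServices line: not a UserAssist entry
        tag, path = decode_userassist_value(m.group('value'))
        decoded.append({'guid': m.group('guid'), 'raw': m.group('value'),
                        'tag': tag, 'path': path})
    return decoded


if __name__ == '__main__':
    for d in decode_report(SAMPLE_REPORT_LINES):
        print(f"{d['tag']:14} {d['path'] or '(counter only)'}")
```

Decoded, the first value reads `UEME_RUNPATH:G:\Documents and Settings\Administrator\Mijn documenten\sysweb.exe`, i.e. a record that sysweb.exe was run from the analyst's My Documents folder on the test machine; the second is the bare UEME_RUNPATH counter. Neither would start anything at boot, which is why the Run/RunServices keys are the ones that matter.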

Pieter_Arntz
November 19th, 2003, 02:23 AM
Excellent job , Unzy. :)

O10 - Broken Internet access because of LSP provider 'imon.dll' missing
is indeed best left alone as it is a part of NOD32.

The Explorer\UserAssist keys are irrelevant. Have a look at the InCtrl report for the installation of Spybot S&D for example: http://www.net-integration.net/reviews/SB10install.html

Regards,

Pieter

Unzy
November 19th, 2003, 04:26 AM
Hi Pieter,

Thanks for the info :)

BTW, TrendMicro detected sysweb.exe as BKDR_SDBOT.GEN, although they normally detect it as BKDR_SDBOT.W, maybe some variant.

TrendMicro BKDR_SDBOT.GEN (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.GEN)

TrendMicro BKDR_SDBOT.W (http://www.google.be/search?q=cache:P7WIz2pVjE0J:be.trendmicro-europe.com/enterprise/security_info/virus_encyclopedia.php%3FVName%3DBKDR_SDBOT.W+sysweb.exe&hl=nl&ie=UTF-8)

Cheers,

Zidane
November 19th, 2003, 01:49 PM
All is OK, files and entries deleted and the bastard is away even after rebooting :)

Shylolitas? Yes, I came to my comp yesterday, it was running, so my sis or her BF were there and there was a SG alert - something tried to change my homepage to shylolitas.com - SG caught the try :-)

I wonder where the stupid bf of my sis downloaded that bastard, but it is irrelevant now ;)

The sysweb.exe was a trojan? Should I know that I sent that to Eset Software too (and maybe to some other AV programmers, they could analyze it and add the bastard to their AV database, but the bastard is gone and I have no intention to search for it again just for sending it to ESET ;D

Unzy
November 19th, 2003, 07:30 PM
lol :)

Good job cleaning up Zizou ;)

Take care,

Cheers,