In deep doo-doo

Hi all,

I'm in deep sh*t with this Rawsex thing, pops up every time I start the PC and adds a shortcut ; also adds a link on desktop and changes my homepage to some lolita website

Logfile of HijackThis v1.97.6
Scan saved at 2:10:44, on 28/11/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DVDSH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyber-lolita.com/cgi-bin/potop.cgi?action=in&ACC=4730
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.121.55.225/tt/tt.php?p=101&g=0&s=1&r=0&x=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://fetew.rug.ac.be/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates2.vbs %
O4 - HKLM\..\Run: [dvdsh] C:\WINDOWS\SYSTEM\dvdsh.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\SYSTEM\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IridiumTimeWizard] C:\WINDOWS\Desktop\iridium.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Radio Free Virgin Player (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14





Thanks in advance

 

RawSex? I had the problem myself a few days ago, there should be the RAWSEX DIALER topic in this forum somewhere, where the mods helped me

 

I will try to give you some advice with that:

run HijackThis and I think it should be fixed:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyber-lolita.com/cgi-bin/potop.cgi?action=in&ACC=4730 - this is sure the "lolita site" you talked about

O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe - I think this is some weirdo too, cos there is the topic about "belt.exe"

O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates2.vbs % I think this bastard does the "needed" downloading and changing

Reboot and then delete the file C:\WINDOWS\updates2.vbs % (or maybe there is no %, but delete the file anyway) and C:\WINDOWS\BELT.exe

I suspect there may be more "good-for-nothing" entries, but I am not a moderator, I am only a newbie who had the same problem a few days ago...
so if you want, take a look here:
http://www.wilderssecurity.com/showthread.php?t=16538
or you can wait until some moderator shows up and helps you

If you want to listen to my advices, you will do it at your own risk, I am not a mod, I am only a newbie

 

Hey zidane

Here is your post on rawsexdialer.

http://www.wilderssecurity.com/showthread.php?t=16538

link fixed - Detox


Snowbound

 

Hi buffalo,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyber-lolita.com/cgi-bin/potop.cgi?action=in&ACC=4730
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.121.55.225/tt/tt.php?p=101&g=0&s=1&r=0&x=1

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe

O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates2.vbs %
O4 - HKLM\..\Run: [dvdsh] C:\WINDOWS\SYSTEM\dvdsh.exe

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14

Then reboot and find:
C:\WINDOWS\updates2.vbs
C:\WINDOWS\SYSTEM\dvdsh.exe

Could you please mail them to the address in my profile.
I'll keep you updated on their nature, which I suspect to be not good.

You can delete:
C:\WINDOWS\BELT.exe
because that is known malware as Zidane pointed out. I could be necessary to do this insafe mode, because it's known to be quite stubborn.

Regards,

Pieter

 

Thanks for your help guys, I hope it works...

PS: So you want me to e-mail those two files to you?
C:\WINDOWS\updates2.vbs
C:\WINDOWS\SYSTEM\dvdsh.exe
right?

 

Hi buffalo,

Yes, those are the ones.

TIA,

Pieter

 

Had already deleted Bel.exe apparently
Anyway, can't find the updates2.vbs file either
Only one still there is the dvdsh.exe

BTW after fixing with HiJackThis and rebooting the dialer was gone, so thank you very much :thup:

Oh and let me know whether you want that dvdsh.exe file sent to you. Maybe I should just delete it too...

 

Hi buffalo,

I suspect it is a new one and in that case I would forward it to the developers that want to have it, so they can add it for detection.
So you would do me a big favor if you mailed it to me.
But since we don't know what it is, it could be a mistake to delete it.

Regards,

Pieter

 

Sent you the dvdsh.exe file ; please let me know what I should do with it, if anything...

 

OK Will do as fast as I can.

Pieter

 

Take your time to do the necessary ...

 

Updates2.vbs? I know I had updates.vbs or updates2.vbs, I dont remember, mailed to Unzy some time ago when he was helping me with the RawSex dialer problem, big thanks to him

 

did a search with updates2 and *.vbs but didn't find them, so they were probably removed by Adaware or Spybot (which I already had used).