In deep doo-doo

Discussion in 'adware, spyware & hijack cleaning' started by buffalo, Nov 27, 2003.

Thread Status:
Not open for further replies.
  1. buffalo

    buffalo Registered Member

    Joined:
    Nov 27, 2003
    Posts:
    9
    Hi all,

I'm in deep sh*t with this Rawsex thing, pops up every time I start the PC and adds a shortcut; also adds a link on desktop and changes my homepage to some lolita website :oops:

    Logfile of HijackThis v1.97.6
    Scan saved at 2:10:44, on 28/11/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\RUNSERVICE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\DVDSH.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyber-lolita.com/cgi-bin/potop.cgi?action=in&ACC=4730
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.121.55.225/tt/tt.php?p=101&g=0&s=1&r=0&x=1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://fetew.rug.ac.be/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates2.vbs %
    O4 - HKLM\..\Run: [dvdsh] C:\WINDOWS\SYSTEM\dvdsh.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\SYSTEM\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [IridiumTimeWizard] C:\WINDOWS\Desktop\iridium.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Radio Free Virgin Player (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14





    Thanks in advance
     
  2. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    RawSex? I had the problem myself a few days ago, there should be the RAWSEX DIALER topic in this forum somewhere, where the mods helped me :)
     
  3. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    I will try to give you some advice with that:

    run HijackThis and I think it should be fixed:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyber-lolita.com/cgi-bin/potop.cgi?action=in&ACC=4730 - this is sure the "lolita site" you talked about

    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe - I think this is some weirdo too, cos there is the topic about "belt.exe" :)

O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates2.vbs % - I think this bastard does the "needed" downloading and changing

    Reboot and then delete the file C:\WINDOWS\updates2.vbs % (or maybe there is no %, but delete the file anyway) and C:\WINDOWS\BELT.exe

    I suspect there may be more "good-for-nothing" entries, but I am not a moderator, I am only a newbie who had the same problem a few days ago...
    so if you want, take a look here:
    http://www.wilderssecurity.com/showthread.php?t=16538
    or you can wait until some moderator shows up and helps you :)

If you want to listen to my advice, you will do it at your own risk, I am not a mod, I am only a newbie :D
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hey zidane

    Here is your post on rawsexdialer.

    http://www.wilderssecurity.com/showthread.php?t=16538

    link fixed - Detox


    Snowbound
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi buffalo,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyber-lolita.com/cgi-bin/potop.cgi?action=in&ACC=4730
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.121.55.225/tt/tt.php?p=101&g=0&s=1&r=0&x=1

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe

    O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates2.vbs %
    O4 - HKLM\..\Run: [dvdsh] C:\WINDOWS\SYSTEM\dvdsh.exe

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14

    Then reboot and find:
    C:\WINDOWS\updates2.vbs
    C:\WINDOWS\SYSTEM\dvdsh.exe

    Could you please mail them to the address in my profile.
    I'll keep you updated on their nature, which I suspect to be not good.

    You can delete:
    C:\WINDOWS\BELT.exe
because that is known malware as Zidane pointed out. It could be necessary to do this in safe mode, because it's known to be quite stubborn.

    Regards,

    Pieter
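As an added example (not from this thread, from HijackThis, or from any of the posters): a small Python triage script that encodes the reasoning behind Pieter's list, flagging the entry types he singled out when run over lines from the log posted above. The heuristics, the rule wording and the list of known-bad file names are assumptions made for this example; a real triage tool would use a maintained reference list rather than hard-coded names.

```python
import re

# Entries from the HijackThis log posted in this thread, plus one benign
# Windows ME entry (ScanRegistry), embedded so the rules run offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyber-lolita.com/cgi-bin/potop.cgi?action=in&ACC=4730
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.121.55.225/tt/tt.php?p=101&g=0&s=1&r=0&x=1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates2.vbs %
O4 - HKLM\..\Run: [dvdsh] C:\WINDOWS\SYSTEM\dvdsh.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
"""

# Files this thread identified as malware. Assumption: a real triage tool
# would load such names from a maintained reference list, not hard-code them.
KNOWN_BAD = {"belt.exe", "dvdsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

def exe_name(command):
    """Lower-cased basename of the program an O4 command line launches."""
    command = command.strip()
    parts = command[1:].split('"', 1) if command.startswith('"') else command.split() or [""]
    return parts[0].rsplit("\\", 1)[-1].lower()

def check_line(line):
    """Return why an entry deserves a second look, or None if no rule fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1") and "Start Page" in body and re.search(r"https?://", body, re.I):
        return "browser start page set to a URL; confirm the user chose it"
    if code == "R3" and "(no file)" in body:
        return "URLSearchHook pointing at a missing file (orphaned hook)"
    if code == "O4":
        command = body.split("] ", 1)[-1]  # text after the [name] tag
        if exe_name(command) in SCRIPT_HOSTS or re.search(r"\.(vbs|js|wsf)\b", command, re.I):
            return "autostart runs a script through the Windows Script Host"
        if exe_name(command) in KNOWN_BAD:
            return "autostart launches a file identified as malware in this thread"
    if code == "O17" and re.search(r"\b(NameServer|Domain)\b", body):
        return "DNS/domain override in the TCP/IP settings; verify against the ISP"
    return None

def triage(log_text):
    """(reason, line) pairs for every log line that trips a rule."""
    return [(r, l.strip()) for l in log_text.splitlines() if (r := check_line(l))]
```

Running `triage(SAMPLE_LOG)` flags the eight entries Pieter listed and leaves the ScanRegistry entry alone; the O4 rules catch the BELT/dvdsh entries only because the thread named them, which is exactly the kind of knowledge a heuristic alone cannot supply.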
     
  6. buffalo

    buffalo Registered Member

    Joined:
    Nov 27, 2003
    Posts:
    9
    Thanks for your help guys, I hope it works...

    PS: So you want me to e-mail those two files to you?
    C:\WINDOWS\updates2.vbs
    C:\WINDOWS\SYSTEM\dvdsh.exe
    right?
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi buffalo,

    Yes, those are the ones. :)

    TIA,

    Pieter
     
  8. buffalo

    buffalo Registered Member

    Joined:
    Nov 27, 2003
    Posts:
    9
Had already deleted BELT.exe apparently o_O
    Anyway, can't find the updates2.vbs file either
    Only one still there is the dvdsh.exe

    BTW after fixing with HiJackThis and rebooting the dialer was gone, so thank you very much :):thup:

    Oh and let me know whether you want that dvdsh.exe file sent to you. Maybe I should just delete it too...
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi buffalo,

    I suspect it is a new one and in that case I would forward it to the developers that want to have it, so they can add it for detection.
    So you would do me a big favor if you mailed it to me.
    But since we don't know what it is, it could be a mistake to delete it.

    Regards,

    Pieter
     
  10. buffalo

    buffalo Registered Member

    Joined:
    Nov 27, 2003
    Posts:
    9
Sent you the dvdsh.exe file; please let me know what I should do with it, if anything...
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    OK Will do as fast as I can.

    Pieter
     
  12. buffalo

    buffalo Registered Member

    Joined:
    Nov 27, 2003
    Posts:
    9
    Take your time to do the necessary ... ;)
     
  13. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
Updates2.vbs? I know I had updates.vbs or updates2.vbs, I don't remember, mailed to Unzy some time ago when he was helping me with the RawSex dialer problem, big thanks to him :)
     
  14. buffalo

    buffalo Registered Member

    Joined:
    Nov 27, 2003
    Posts:
    9
Did a search with updates2 and *.vbs but didn't find them, so they were probably removed by Adaware or Spybot (which I had already used).
     