Problem with RawSex dialer - my hijack this log

Discussion in 'adware, spyware & hijack cleaning' started by Zidane, Nov 18, 2003.

Thread Status:
Not open for further replies.
  1. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
I have a problem with the RawSex dialer - the stupid BF of my sis was surfing some porno sites - I am sure of it, cos he downloaded this bugger - after every reboot it tries to dial some number and connect somewhere, of course it is no use, cos I am not a modem user, so the bugger asks me "Would you like to keep redialing?", I hit NO. It creates an icon named RawSex and drops RawSex.exe into Running processes...

Ad-Aware with the newest database finds nothing, SB and SG don't react either...

    If I delete the process and the icon, after the next reboot it starts again, so I think there would be some registry entry...

    Here is my Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 0:18:25, on 19.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Overnet\Overnet.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\ABC~1.ABC\LOCALS~1\Temp\Rar$EX00.331\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mrkvosoft Infernet Exprdel
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.81.156.250:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %
    O4 - HKLM\..\Run: [Setting] sysweb.exe
    O4 - HKLM\..\RunServices: [Setting] sysweb.exe
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = ?
    O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt


I personally think the suspicious ones are:
    O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %
- this one especially, cos the RawSex icon was once named "winupdates" I think, so it is suspicious...

    O4 - HKLM\..\Run: [Setting] sysweb.exe
    O4 - HKLM\..\RunServices: [Setting] sysweb.exe

This is suspicious to me cos I think I had not seen this in Running processes lately, but I don't know what this is...

    O10 - Broken Internet access because of LSP provider 'imon.dll' missing

And this - what does it mean? What about broken internet access? I have no problems with internet access, so it is weird...

So this is my problem, I hope somebody will find what causes the RawSex bastard to appear :)
     
  2. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    One more thing :)

    And I think I will send a message to Lavasoft, that there is this bastard, so they could add it to the AdAware database :)
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Zidane,

    You already did some clever investigations :)

Can you send the following files to me please, as I think they may be new CWS variants:

    C:\WINDOWS\updates.vbs <- this file
    sysweb.exe <- this file

    unzy @ wilders.org

    Thanks!

    After doing so have only HijackThis running while staying offline and fix :

    R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)

    O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %
    O4 - HKLM\..\Run: [Setting] sysweb.exe
    O4 - HKLM\..\RunServices: [Setting] sysweb.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt

    Concerning this entry :

    O10 - Broken Internet access because of LSP provider 'imon.dll' missing

I think that one has to do with NOD32, I would leave it alone until someone else gives you more advice about it. In the meantime I'm digging further to find out more about it.

    Start with fixing the above, reboot after doing so and remove :

    C:\WINDOWS\updates.vbs <- this file
    sysweb.exe <- this file
    C:\Program Files\Internet Explorer\readme.txt <- this file, in that folder.

    Hope this helps,

Keep us posted!

    Cheers,
     
  4. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Unzy:

    I will send the files ASAP :) Keep me - and the others - informed about what this is about, please :) For example - CWS variants? What does CWS mean?
    The "imon.dll missing" will probably be something about NOD32, you are right, cos the NOD32 scanner name is IMON and AMON, so this can be it, I think - you were right IMHO :)

    Edit: Files sent :)
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Zidane,

    CWS is short for CoolWebSearch, a new hijacker which is really busy lately :(

    Check out here for more info , if you're interested :

    http://www.spywareinfoforum.com/~merijn/cwschronicles.html

and here, for a summary of the latest variants (to help out Merijn a bit more, as he's really busy irl at the moment ;) ) :

    http://boards.cexx.org/viewtopic.php?t=2293

    Thanks Merijn :-*

    Cheers,

    //EDIT Thanks for the files! i'll get back to you asap.
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Zidane,

    I analysed the files you sent to me.

    I can tell you this file :

    O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %

was the cause of your rawsex dialing problem. It tries to dial home at shylolitas.com. It uses a Wscript.shell to set up the rawsex dialing code.

The sysweb entry, hmmm, still investigating that one; I did a file monitoring with InCtrl, it added :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:T:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zvwa qbphzragra\flfjro.rkr"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"

randomly named filenames, but the clsid stays the same. It also wanted to add two important registry keys so it would start with the next bootup, but I prevented it with regprot.

    I'll let you know asap when i have more.

    In the meantime you should just focus on deleting those entries with HijackThis (above) and keep us posted if problems are solved!

    Take care,

    Cheers,
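As an added example that is not part of this thread (not Unzy's or Zidane's code), here is a small Python triage helper for the two artifacts discussed in the posts above: it flags O4 autostart lines from the posted HijackThis log with the traits singled out in the fix list (script host, bare executable name, RunServices key, decoy value name) and ROT13-decodes the UserAssist value name quoted from the InCtrl report, which turns out to be only a record of the path sysweb.exe was launched from. The heuristic lists and the function names are my assumptions.

```python
import codecs
import re

# O4 lines copied from the HijackThis log posted earlier in the thread.
O4_LINES = [
    r"O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE",
    r"O4 - HKLM\..\Run: [explorer] wscript.exe C:\WINDOWS\updates.vbs %",
    r"O4 - HKLM\..\Run: [Setting] sysweb.exe",
    r"O4 - HKLM\..\RunServices: [Setting] sysweb.exe",
    r"O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize",
]
# The UserAssist value name quoted from the InCtrl report in the post above.
USERASSIST_VALUE = r"HRZR_EHACNGU:T:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Zvwa qbphzragra\flfjro.rkr"

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumed heuristic list
DECOY_NAMES = {"explorer", "svchost", "winlogon", "lsass"}   # assumed heuristic list


def triage_o4(line):
    """Return the reasons an O4 autostart entry deserves a closer look (empty list = nothing odd)."""
    m = O4_RE.match(line)
    if not m:
        return ["unparsed O4 line"]
    tokens = m.group("cmd").split()
    if not tokens:
        return ["empty command"]
    first = tokens[0].strip('"')                 # program token, surrounding quotes removed
    exe = first.rsplit("\\", 1)[-1].lower()      # basename of the program
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append("script host launched at logon")
    if "\\" not in first:
        reasons.append("bare executable name, resolved by PATH search")
    if m.group("key") == "RunServices":
        reasons.append("RunServices key, obsolete on NT-family Windows")
    if m.group("name").lower() in DECOY_NAMES:
        reasons.append("value name mimics a Windows component")
    return reasons


def decode_userassist(value_name):
    """UserAssist value names are ROT13-obfuscated; return (prefix, plain path)."""
    plain = codecs.decode(value_name, "rot13")
    prefix, _, path = plain.partition(":")
    return prefix, path


if __name__ == "__main__":
    for line in O4_LINES:
        print(line, "->", triage_o4(line) or "ok")
    print(decode_userassist(USERASSIST_VALUE))
```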
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Excellent job , Unzy. :)

    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    is indeed best left alone as it is a part of NOD32.

    The Explorer\UserAssist keys are irrelevant. Have a look at the InCtrl report for the installation of Spybot S&D for example: http://www.net-integration.net/reviews/SB10install.html

    Regards,

    Pieter
     
  8. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
  9. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    All is OK, files and entries deleted and the bastard is away even after rebooting :)

    Shylolitas? Yes, I came to my comp yesterday, it was running, so my sis or her BF were there and there was a SG alert - something tried to change my homepage to shylolitas.com - SG caught the try :)

    I wonder where the stupid bf of my sis downloaded that bastard, but it is irrelevant now ;)

    The sysweb.exe was a trojan? Should I know that I sent that to Eset Software too (and maybe to some other AV programmers, they could analyze it and add the bastard to their AV database, but the bastard is gone and I have no intention to search for it again just for sending it to ESET :D
     
  10. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    lol :)

    Good job cleaning up Zizou ;)

    Take care,

    Cheers,
     