
Discussion Starter · #1 ·
Sorry about the post subject, but she swears she never did a thing, yet it was fine before I went to work and nuts when I got home.

I have a new Winsock addition; actually there are four total, and I need a little help on whether I should remove the bottom two.

The files are:
mswsock.dll
winrnr.dll
inetadpt.dll
rsvpsp.dll


I remember the first two from before, but the bolded ones are new. My HijackThis log refers to an Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll, and I know that one must go. The question is, is anyone familiar with them, and can they both be deleted?

The highlighted areas in this hijack post are obviously suspicious too, so any help on how to remove them is greatly appreciated. I have tried to remove them and reboot, yet they reappear on bootup.

Logfile of HijackThis v1.97.7
Scan saved at 1:40:54 PM, on 3/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jason\Local Settings\Temp\LSPFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dp-b23011805.exe
D:\Documents and Settings\Jason\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PGStub.exe] C:\WINDOWS\system32\dp-b23011805.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5201273148
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup...mAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup...veData.cab

Thanks in advance for your help.
:)
 

Discussion Starter · #3 ·
Hello noahdfear, thanks for the reply

I kind of thought they were no good. I have removed them following the removal instructions in your reply.
:up:

Now, on to those Winsock additions: does anyone have any idea whether the last entry can go or not?

Again, it is primarily the bottom one I am wondering about now; it is listed as [Protocol Handler].
The top two are TCPIP and NTDS, so I am 99 percent certain they are fine, and the third one I have already removed, following the first reply.

Thanks again.
 

313 Posts
Go to Cexx.org and get LSPfix for the Winsock. SpyBot S & D will also do it.

These can go too....

O4 - HKLM\..\Run: [PGStub.exe] C:\WINDOWS\system32\dp-b23011805.exe

C:\WINDOWS\system32\dp-b23011805.exe

Should you have problems with the PG stub.... C:\WINDOWS\system32\dp-b23011805.exe
 

Discussion Starter · #5 ·
Well, here it is: I fixed this damn box finally!

This was a result of an activex spyware app called "VX2.BETTERINTERNET"
:mad: and I use that term loosely.

First of all, it creates a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
called Notify\Guardian with a variety of binary data in it.

It then creates 11 extra object handlers in the file
rsvpsp.dll and 5 in inetadpt.dll (so you need to remove them from your computer using LSPfix).

It then creates several strings of .dlls in the user's \System32 folder (I found msg121.dll, msg135.dll, msg171.dll, cidrules.dll, wincore.dll and winupd.dll on mine, which Ad-Aware could not remove, but it did log them, so just look for the file names in your backup and write them down).

It then uses all of this stealth to reapply the changes on every boot, if your internet connection is active, such as cable or ADSL, and it changes or modifies the .dlls (it also installed VIRTUMUNDO with the following .dlls: cidrules.dll, wincore.dll, winupd.dll; Ad-Aware found them but couldn't remove them).
That is the good news!! Ad-Aware detects it, but it won't remove it! (Tried on three separate occasions, and the spyware changed each time and had to be re-scanned and found.)

How did I get rid of it??

Write down the .dlls that Ad-Aware finds but can't delete.

To begin removing it, you first need to delete the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian (the whole string and all subkeys)
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
if it exists too.

You then need to reboot with your XP CD in and choose Repair.
Switch to your System32 folder and delete all the .dll files that
Ad-Aware found, one by one.
(e.g. in my case msg121.dll, msg135.dll and msg171.dll)

Oh, and by the way, the wife still denies allowing this to come in, so be careful, because I'm not sure where she got it from, but she swears she did not see any popups while surfing the net. I had Spybot with its immunization running, a popup blocker which she says was on, and a NAT firewall, so please be careful out there, as it seems to be a pretty aggressive one, and I'm not sure how we got it.
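The two persistence points the posts above deal with by hand (the Winsock LSP catalog that HijackThis reports as O10 entries, and the Winlogon\Notify packages that post #5 names as Notify\Guardian) can be enumerated from PowerShell on a current Windows host. The script below is an added example written for this page; it is not from the thread, LSPFix, HijackThis or Ad-Aware. The registry locations and value names (PackedCatalogItem, LibraryPath, DLLName) are the documented ones; the known-good name list and the Suspicious heuristic are assumptions made for the example.

```powershell
# Added example (not from the original thread): list Winsock catalog providers
# and Winlogon notification packages, then flag DLLs that are missing or unsigned.
# Run from an elevated prompt. The known-good list below is an assumption for
# the example, not a complete allow-list; a replaced inbox DLL keeps its name.
$knownGood = @('mswsock.dll', 'winrnr.dll', 'rsvpsp.dll', 'nlaapi.dll',
               'napinsp.dll', 'pnrpnsp.dll', 'wshbth.dll')

function Get-ProtocolCatalogEntries {
    # Winsock2 protocol catalog: base providers and any layered service providers.
    # PackedCatalogItem is REG_BINARY; its first MAX_PATH (260) bytes hold the
    # provider DLL path as a NUL-terminated ANSI string.
    $roots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $blob = (Get-ItemProperty $key.PSPath).PackedCatalogItem
            if (-not $blob) { continue }
            $len  = [Math]::Min(260, $blob.Length)
            $raw  = [System.Text.Encoding]::Default.GetString($blob, 0, $len)
            $path = [Environment]::ExpandEnvironmentVariables($raw.Split([char]0)[0])
            [pscustomobject]@{ Source = 'Protocol_Catalog9'; Entry = $key.PSChildName; Path = $path }
        }
    }
}

function Get-NamespaceCatalogEntries {
    # Name-space providers (DNS, NLA, ...): LibraryPath is REG_EXPAND_SZ.
    $roots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $lib = (Get-ItemProperty $key.PSPath).LibraryPath
            if (-not $lib) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($lib)
            [pscustomobject]@{ Source = 'NameSpace_Catalog5'; Entry = $key.PSChildName; Path = $path }
        }
    }
}

function Get-WinlogonNotifyPackages {
    # Each subkey with a DLLName value is loaded into winlogon.exe at logon;
    # this is where post #5 found the Notify\Guardian key.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem $root) {
        $dll = (Get-ItemProperty $key.PSPath).DLLName
        if (-not $dll) { continue }
        # A bare file name is resolved from System32, as the loader would do.
        if ($dll -notmatch '[\\/]') { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        [pscustomobject]@{ Source = 'Winlogon\Notify'; Entry = $key.PSChildName; Path = $path }
    }
}

function Test-ProviderDll {
    param([string]$Path)
    $name   = [IO.Path]::GetFileName($Path).ToLowerInvariant()
    $exists = Test-Path -LiteralPath $Path
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $Path).Status } else { 'Missing' }
    [pscustomobject]@{
        Path       = $Path
        Exists     = $exists
        Signature  = $sig
        KnownName  = ($knownGood -contains $name)
        # Heuristic (assumption): a registered provider that is gone, or that is
        # neither validly signed nor an expected inbox name, deserves a look.
        Suspicious = (-not $exists) -or (($sig -ne 'Valid') -and ($knownGood -notcontains $name))
    }
}

$entries = @(Get-ProtocolCatalogEntries) + @(Get-NamespaceCatalogEntries) + @(Get-WinlogonNotifyPackages)
$entries | ForEach-Object {
    $t = Test-ProviderDll -Path $_.Path
    [pscustomobject]@{ Source = $_.Source; Entry = $_.Entry; Path = $t.Path
                       Exists = $t.Exists; Signature = $t.Signature; Suspicious = $t.Suspicious }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two caveats for anyone using this the way the thread used LSPFix. First, on older Windows the inbox DLLs are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature can report NotSigned for legitimate files; that is why the name list exists, and it is also why a name match proves little when a malware family overwrites an inbox file, so compare hashes against a clean install of the same build. Second, deleting an LSP DLL without rewriting the catalog chain breaks networking, which is what LSPFix was repairing by hand; since XP SP2, `netsh winsock show catalog` lists the same entries and `netsh winsock reset` rebuilds the catalog to its defaults.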
 

Discussion Starter · #8 ·
Hello Ron264995 and noahdfear

Yes, I did, but she deletes hers on exit in the options of IE, so it did not show anything. Our history is only set for a day, so by the time I got off work the site lists were gone (I work nightshift).

Noahdfear, thanks again for your help, you led me in the right direction on this one, so thank you.
 

144 Posts
Glad it helped. You might try running RegSeeker (GREAT reg cleaner IMO) from the Histories function. A lot of TIFs that I thought were cleared on my system still show up with it. I assume they were hiding :confused:
 