Winsock Corruption / Philis.bq


This topic is locked
9 replies to this topic

#1 crescent222

Posted 28 November 2006 - 01:06 PM

Problem: No network/Internet connection

Known: ipconfig comes up with 0.0.0.0; ipconfig /renew or ipconfig /release don't help
ping command : Unable to initialize Windows Sockets Interface, error code 0
netsh command : Initialization function INITHELPERDLL in IPMONTR.DLL failed to start with error code 10107

msinfo32/Components/Network/Protocol has only 2 categories, not the 10 it is supposed to, according to Microsoft page http://support.microsoft.com/kb/811259 (How to recover from Winsock2 corruption)

Attempts to delete Winsock and Winsock2 in registry fail. Winsock goes away, but winsock2 hangs the regedit application. It cannot be renamed either.

Reinitialized ipmontr.dll from copy on c:\i386, but that did not help to run netsh command again.

Running WinSockXPFix did not work.
Running sfc /scannow did not work- it did not ask for any installation CD
Made sure RPC and RPC Locator were running; that did not help sfc /scannow

Still have logo1_.exe roaming my system and it keeps coming back with some registry entry in HKLM/Software on reboot along with richdll.dll - this is the philis.bq virus new in the last 2 weeks, I believe.

Computer is slow on booting; user's name does not come up on Task Manager for a while.

Computer OS: Microsoft Windows XP Service Pack 1

Could not do everything suggested on top post- cannot run online virus scan, Spybot because they need an internet connection. Ran Stinger for philis.bq but the bad files came back on reboot. Running general Stinger now.

Antivirus scans found all kinds of stuff:
cpush.dll adware.sogou from web.sogou.com
ntfis.exe
df5fe689.exe
quartz32.dll
rundl132.exe - w32/Looked-AX
qproecss.exe - alexa
smtpconfs.dll - 8NASCAR
richdll.dll - HLLP.philis.dll
Downloaders
VB.AON
VB.AOL
Hijacker.Agent.A
Istbar.ai
Psyme.cm
Adware.Agent.m
Small.cl
VB.eu
Trojan.Delf.mc
Hijacker.StartPage.amb
Downloader.Agent.yd
c:\windows\system32\drivers\rgwatch.sys
c:\windows\system32\quartz32.dll
downloader.vb.eu
trojan.delf.mc
rundl132.exe

Any suggestions? I am close to saying Windows has to be reinstalled.


Logfile of HijackThis v1.99.1
Scan saved at 1:10:46 AM, on 11/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Regedit.exe
C:\WINDOWS\Regedit.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\Logo1_.exe
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_061120.dll start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {631EDC67-F035-49BA-B8BC-983B474E9BB4} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\bak\McUpdate.exe
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP chain gap (#32 in chain of 32 missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod_V\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
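The log above carries the three entries that explain the symptoms in this post: the F2 UserInit value that starts an extra DLL through rundll32.exe at every logon, the O4 autorun whose file name differs from the genuine rundll32.exe by one character, and the O10 line recording the gap in the Winsock LSP chain that leaves every socket call failing. The following script is an added example (not part of the thread, and not HijackThis code) that parses a handful of lines copied from this log and applies those three checks plus an orphaned-BHO check, the way a helper would triage a log by section. The sample lines are constructed from the post; the LOOKALIKES table is a hypothetical list seeded from the single lookalike name seen here.

```python
import re

# Constructed sample: lines copied from the first HijackThis log in this thread,
# plus the genuine ctfmon.exe autorun for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_061120.dll start
O2 - BHO: (no name) - {631EDC67-F035-49BA-B8BC-983B474E9BB4} - (no file)
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Broken Internet access because of LSP chain gap (#32 in chain of 32 missing)
"""

# Hypothetical lookalike table: file names one character away from a genuine
# Windows binary. Seeded from the rundl132.exe entry in this log; extend as needed.
LOOKALIKES = {"rundl132.exe": "rundll32.exe"}

LINE_RE = re.compile(r"^(F\d|O\d+|R\d) - (.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_userinit(body):
    """F2: a genuine UserInit value names only userinit.exe; every other
    comma-separated item is an additional program started at logon."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return None
    items = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extras = [p for p in items if not p.lower().endswith("userinit.exe")]
    if extras:
        return "F2 UserInit runs extra program(s) at logon: " + "; ".join(extras)
    return None


def check_run_key(body):
    """O4: flag autorun entries whose executable name mimics a Windows binary."""
    m = re.match(r"HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$", body)
    if not m:
        return None
    exe = re.search(r'([^\\/\s"]+\.exe)', m.group(1), re.IGNORECASE)
    if exe and exe.group(1).lower() in LOOKALIKES:
        return f"O4 autorun {exe.group(1)} mimics {LOOKALIKES[exe.group(1).lower()]}"
    return None


def check_bho(body):
    """O2: a BHO CLSID that resolves to '(no file)' is an orphaned registration."""
    if body.startswith("BHO:") and body.rstrip().endswith("(no file)"):
        clsid = re.search(r"\{[0-9A-Fa-f-]+\}", body)
        return "O2 orphaned BHO registration " + (clsid.group(0) if clsid else "")
    return None


def check_lsp(body):
    """O10: a gap in the Winsock LSP chain is what breaks all network access."""
    if "LSP chain gap" in body:
        return "O10 Winsock LSP chain gap: " + body
    return None


CHECKS = {"F2": check_userinit, "O4": check_run_key, "O2": check_bho, "O10": check_lsp}


def triage(text):
    """Run the section-specific check on each entry and return the findings."""
    findings = []
    for section, body in parse_hjt(text):
        check = CHECKS.get(section)
        if check:
            finding = check(body)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it over the sample yields four findings and leaves the ctfmon.exe line alone. The O10 finding is the one that matters for the connectivity symptoms: a missing entry in the LSP chain means Winsock initialisation fails before any protocol is reached, which is exactly what the error 10107 from netsh and ping in this post reports.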


#2 -David-

Posted 28 November 2006 - 01:27 PM

Hey there, and welcome to Bleeping Computer.

I think that a reinstall might be the best option here. However, I would like you to try one more thing before you do so.

Go to start > run and type cmd
A dos Window will appear.
Type next in the dos window: netsh winsock reset
Hit enter and reboot.

Now let me know if the connection is working.
I am happy to help you, but I honestly think a reformat is the best option here.
I can see a wide variety of malware files, have a look here:

http://vil.nai.com/vil/content/v_130551.htm
http://vil.nai.com/vil/content/v_100735.htm
etc....

The problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Let me know what you wish to do - I understand that sometimes with this kind of topic, you might wish not to reformat as you want to keep all your files and do not want the inconvenience of starting afresh, but as I said before it's a good idea to start afresh - Don't forget all your files/folders can be backed-up onto a disc/USB drive.

Let me know what you want to do.
David

#3 crescent222

Posted 28 November 2006 - 01:33 PM

Thank you David. The netsh command returned the same it has for a while: "Initialization Function InitHelperDLL in IPMONTR.DLL failed to start with error code 10107. The following command was not found: winsock reset." This is despite me reinstalling IPMONTR.DLL from c:\i386.

I need to talk with the regular user of this computer (my wife) but we will probably opt for the reformat. I need a few hours. Could you quickly describe what this entails- is it different from a reinstall of Windows? Will we need our installation CD?

#4 -David-

Posted 28 November 2006 - 01:55 PM

The reformat would be very similar to the reinstallation of Windows.
It's pretty self-explanatory and you can download some helpful guides off the net.
Let me know if you want me to find one for you.
In simple terms, you delete the old partition, create a new one, and install the OS there.
Then you should have a perfectly new working version of XP, with internet!

Just a quick question before you do reformat,
Did you try all the steps here:
http://support.microsoft.com/kb/811259

If not I recommend you do. Let me know how you advance.

#5 crescent222

Posted 28 November 2006 - 04:14 PM

Yes I followed everything in that MSFT page. The big problem is that the winsock2 registry entry cannot be deleted or moved to make way for a new one to be put in automatically on start-up. That also prevents winsockXPFix from working.

We're going for the reformat; we'll look on the web for a guide. Will repost if we need help. As of now, we still need to find our installation CD. Will putting XP Professional on be of any harm?

#6 -David-

Posted 28 November 2006 - 04:24 PM

No, you should be able to install any operating system on a new partition.
Good luck with the reinstall, follow this list and your potential for being infected again will be reduced dramatically on the new PC.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David

#7 crescent222

Posted 28 November 2006 - 05:29 PM

Quick question- Are all the antivirus programs listed below considered above-board (i.e. they are not actually malicious programs that will make your system even worse)? I have a nagging feeling we made the problem worse by trying all these antivirus programs:

* Ewido 4.0.0.172 (downloaded 8/06)
* SpyHunter (from Enigma Software)
* ScanSpyware
* Stinger from Network Associates

Edited by crescent222, 28 November 2006 - 06:57 PM.


#8 -David-

Posted 30 November 2006 - 11:46 AM

Ok, a few things to note in response to your question.

Ewido is now out of date and you need to download the newer version instead.
It is now called AVG anti-malware 7.5, and you can download a trial from the link below.
It's a 30 day trial I think, and after that you would have to purchase it if you wished to continue using it:
http://www1.grisoft.com/doc/75/lng/us/tpl/...mw&simple=1

ScanSpyware and SpyHunter are doing no good for your system at the moment.
I would recommend that you uninstall SpyHunter; it's a rogue antispyware.
You can uninstall it from add/remove in the control panel if you wish.
You can also read more information on the following link, where it is listed:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
The same goes for ScanSpyware, which is also listed on the above link.

Stinger is a recommended program, so you can leave that.
I hope this answers your questions..

#9 crescent222

Posted 15 December 2006 - 11:37 AM

I did a new installation on the existing partition. Repair did not work and I could not delete the existing partition (something about setup files already being on the drive). This seemed to work; I am still cleaning off .exe files that were infected by this philis.bq virus but it otherwise seems gone. If no one sees a problem in the HJT log, the thread can be closed.

Logfile of HijackThis v1.99.1
Scan saved at 11:28:32 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\SYSTEM32\SMC2635WMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#10 -David-

Posted 15 December 2006 - 11:57 AM

I don't see anything wrong here, but you need to reinstall your security programs.
You should do that as soon as you can, to avoid reinfection.

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.



