Winsock Problems


  • This topic is locked
8 replies to this topic

#1 operator0
  • Members
  • 6 posts

Posted 16 April 2007 - 12:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:38:18 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jamie\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rekgolism.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

I've already downloaded and run the latest versions of Spybot 1.4 and Ad-Aware 1.06r1.
I've also run LSPfix.exe and it detected no problems, but clearly something is in my winsock.

#2 operator0
  • Topic Starter
  • Members
  • 6 posts

Posted 16 April 2007 - 02:36 PM

I was able to fix the winsock problem using this helpful Microsoft article.

New Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:30 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jamie\LOCALS~1\Temp\Rar$EX00.532\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



I hope I didn't waste anyone's time.

#3 rookie147
  • Members
  • 5,321 posts

Posted 16 April 2007 - 02:46 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
It looks like you've sorted out your problem, well done. :thumbsup:
However, I'd like you to just run another scan for me to make sure everything malicious has been removed from your computer.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at high risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Please download ATF Cleaner.
Don't run it yet.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Reboot back into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Please post back with the Panda report.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#4 operator0
  • Topic Starter
  • Members
  • 6 posts

Posted 16 April 2007 - 07:03 PM

OK, it came back.

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:00 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jamie\LOCALS~1\Temp\Rar$EX00.297\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jycvyvj.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


I have attached a copy of the activescan log.
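The two HijackThis logs in this thread that contain O10 lines list one unknown DLL once per Winsock catalog entry, and the DLL's name changed between the first log (rekgolism.dll) and this one (jycvyvj.dll). The Python below is an added example, not code from the original thread and not HijackThis code: it pulls the O10 lines out of a HijackThis log, counts how many catalog entries point at each provider DLL, drops a short allowlist of stock XP providers, and diffs two logs to show which DLLs vanished and which appeared. The log excerpts embedded in it are constructed from the lines in this thread; the allowlist and the assumption that HijackThis prints one O10 line per catalog entry are this example's, not the tool's.

```python
"""Triage of HijackThis O10 (Winsock LSP) lines.

Added example; not part of the original thread and not HijackThis code.
It extracts O10 lines from a HijackThis log, counts how many catalog
entries point at each provider DLL, filters out a small allowlist of
stock Windows XP providers, and diffs two logs taken at different times.
"""
import re
from collections import Counter

# Assumption: stock XP Winsock provider DLLs. HijackThis keeps its own,
# longer list and normally does not print these, so the filter mainly
# matters for logs produced by other tools.
KNOWN_GOOD = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

# Assumption: HijackThis emits one O10 line per catalog entry that
# references a DLL it does not recognise.
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s*(?P<path>\S.*?)\s*$", re.I)

# Constructed excerpts modelled on the first and third logs in the thread
# (three and two O10 lines instead of the 17 and 19 in the real logs).
LOG_BEFORE = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\rekgolism.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\rekgolism.dll
"""
LOG_AFTER = """\
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\jycvyvj.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\jycvyvj.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""


def parse_o10(log_text):
    """Return Counter: lower-cased DLL path -> number of O10 lines (catalog entries)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            hits[m.group("path").lower()] += 1
    return hits


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def suspicious_lsps(log_text, known_good=KNOWN_GOOD):
    """Unknown provider DLL path -> number of catalog entries pointing at it."""
    return {p: n for p, n in parse_o10(log_text).items()
            if basename(p) not in known_good}


def lsp_delta(before, after):
    """DLLs that vanished and DLLs that appeared between two logs.

    A new random name in the same folder after a clean-up points at a
    dropper that re-registers its LSP, not at a leftover catalog entry.
    """
    a, b = set(suspicious_lsps(before)), set(suspicious_lsps(after))
    return sorted(a - b), sorted(b - a)


def triage_report(before, after):
    """Human-readable summary of the current log plus the delta to the previous one."""
    gone, new = lsp_delta(before, after)
    lines = [f"{basename(p)}: {n} catalog entries"
             for p, n in sorted(suspicious_lsps(after).items())]
    lines += [f"removed since previous log: {basename(p)}" for p in gone]
    lines += [f"new since previous log: {basename(p)}" for p in new]
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(LOG_BEFORE, LOG_AFTER)))
```

Feed it the full text of two saved logs (earlier log first) to get the same report for a real case; the point of the delta is that a clean-up which only removes catalog entries leaves the dropper in place, so the next log shows a new name rather than no entries.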


#5 rookie147
  • Members
  • 5,321 posts

Posted 17 April 2007 - 01:34 AM

There are still a lot more infections there.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download LSP-Fix
Disconnect from the Internet and close all Internet Explorer Windows.
Run the program and check the "I know what I'm doing" box.
Place all listings of jycvyvj.dll into the remove section by highlighting it and clicking on the button that points to the right. When all instances of this dll are in the remove section press the Finish button.

Please download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Now, please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

Please include rapport.txt, along with a new HijackThis log in your next reply.
Thanks,
Charles


#6 operator0
  • Topic Starter
  • Members
  • 6 posts

Posted 17 April 2007 - 11:02 AM

OK. I ran the LSP fix, which showed none of the problems, just like the first time I ran it. Then I rebooted into safe mode and ran SmitfraudFix. It popped up an error (AUTHZ.DLL not found). It still tried to execute, but failed after I clicked yes to clean the registry. Now the PC won't boot into the OS, either in safe mode or normal mode. In safe mode, I get no errors before the PC tries to reboot. In normal mode, I get a screen telling me that the autochk program cannot load, then it reboots.

Also, the SmitfraudFix link doesn't download a folder, it downloads a .exe. I did run the .exe.
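When one tool lists a Winsock LSP DLL and another shows nothing, reading the catalog directly gives an independent answer. The Python below is an added example, not code from the thread, from LSP-Fix or from HijackThis: it walks both Winsock 2 catalogs under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters and classifies each provider DLL as allowlisted, missing on disk, or present but unknown. Assumptions: the PackedCatalogItem value begins with a 260-byte (MAX_PATH) NUL-terminated ANSI path followed by the WSAPROTOCOL_INFO structure (the commonly documented layout; verify on your own system); NameSpace_Catalog5 entries keep their DLL in the LibraryPath string value; the allowlist is a short constructed one; build_packed_item fabricates a value for testing and is not something the registry contains. It is written against the 32-bit XP layout in this thread; on 64-bit Windows also check a Catalog_Entries64 subkey if present. The registry read only works on Windows, so the parser and classifier are kept separate and run anywhere.

```python
"""Enumerate the Winsock 2 catalogs and classify provider DLLs.

Added example; not code from the thread, from LSP-Fix or from HijackThis.
Assumed PackedCatalogItem layout: a 260-byte (MAX_PATH) NUL-terminated
ANSI path to the provider DLL, followed by the WSAPROTOCOL_INFO structure.
NameSpace_Catalog5 entries store the DLL in the LibraryPath string value.
"""
import os
import sys

WINSOCK2 = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
MAX_PATH = 260

# Assumption: a short allowlist of Microsoft provider DLLs; extend it for
# legitimate third-party LSPs (some AV products, VPN clients) on your hosts.
KNOWN_GOOD = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nlaapi.dll"}


def dll_path_from_packed_item(blob):
    """Extract the provider DLL path from a PackedCatalogItem value."""
    if len(blob) < MAX_PATH:
        raise ValueError("PackedCatalogItem shorter than MAX_PATH")
    raw = blob[:MAX_PATH].split(b"\x00", 1)[0]
    return raw.decode("mbcs" if sys.platform == "win32" else "latin-1")


def build_packed_item(path, wsaprotocol_info=b""):
    """Constructed helper for tests: lay a path out the way the catalog value does."""
    return path.encode("latin-1").ljust(MAX_PATH, b"\x00") + wsaprotocol_info


def classify(path, known_good=KNOWN_GOOD, exists=os.path.exists):
    """'known' (allowlisted), 'missing' (not on disk) or 'unknown' (on disk, not allowlisted)."""
    expanded = os.path.expandvars(path)
    name = os.path.basename(expanded.replace("\\", os.sep)).lower()
    if name in known_good:
        return "known"
    if not exists(expanded):
        return "missing"
    return "unknown"


def enumerate_catalogs():
    """Yield (catalog, entry, dll_path) from the live registry. Windows only."""
    import winreg  # only available on Windows
    hklm = winreg.HKEY_LOCAL_MACHINE
    for catalog, value, decode in (
        ("Protocol_Catalog9", "PackedCatalogItem", dll_path_from_packed_item),
        ("NameSpace_Catalog5", "LibraryPath", lambda v: v),
    ):
        key_path = WINSOCK2 + "\\" + catalog + r"\Catalog_Entries"
        with winreg.OpenKey(hklm, key_path) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                entry = winreg.EnumKey(key, i)
                with winreg.OpenKey(key, entry) as ekey:
                    data, _ = winreg.QueryValueEx(ekey, value)
                    yield catalog, entry, decode(data)


def main():
    for catalog, entry, path in enumerate_catalogs():
        print(f"{classify(path):8} {catalog}\\{entry}  {path}")


if __name__ == "__main__":
    main()
```

A "missing" result for a system32 DLL matches the picture in this thread (catalog entries left behind after the file was deleted), while "unknown" with a random-looking name in system32 is the entry to export, hash and remove. Run it from an elevated prompt; the catalog keys are readable by ordinary users on most systems, but removing entries is not.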

#7 rookie147
  • Members
  • 5,321 posts

Posted 17 April 2007 - 04:31 PM

There's a major problem with SmitFraudFix at the moment; we've had a few instances of this happening. Please bear with us while we try to find a cure for this problem.
Thanks, and I apologise for the problems it has created.


#8 rookie147
  • Members
  • 5,321 posts

Posted 19 April 2007 - 09:16 AM

This is the way in which we have found to resolve the problems caused by SmitFraudFix.
This method was made by S!Ri, the author of the tool:

SmitfraudFix 2.169 has a bug that removes execution permissions from the %SYSTEM% folder.
If your system has been corrupted, restore the NTFS permissions with this procedure:

- Install a new Windows version on a different hard drive or in a different folder. DO NOT CHOOSE TO REINSTALL IN THE SAME FOLDER.
  Or plug the hard drive into a working Windows system.

- At this point you can boot into a Windows system that can deal with NTFS permissions.
- To see the Security tab on Windows Home computers, download: ftp://ftp.microsoft.com/bussys/winnt/winn...scm/scesp4i.exe
- Double click to extract the contents into a folder.
- Right click on setup.inf, Install. REFUSE ALL FILE REPLACEMENTS.

- Browse to the C:\Windows\system32\ folder (the altered %SYSTEM% folder).
- Right click, Properties, Security tab.
- Select System, click Allow for Full Control, Apply.
- Select Everyone, click Allow for Full Control, Apply.
- OK.

- If the disk was plugged into another computer, plug it back into the original box.
- Boot the computer into the original Windows (if a new system was installed, select the original Windows when booting).
- Download swxcacls: http://www.xs4all.nl/~fstaal01/downloads/swxcacls.exe
- Save it in the C:\ root folder.
- Open a CMD window (WINDOWS+R keys, type cmd, Enter).
- Type: cd c:\
- Type: swxcacls C:\Windows\system32 /GE:F /Reset enable

If a new system was installed you can edit C:\boot.ini:
- Right click on My Computer.
- Advanced, Startup and Recovery Settings button, Edit button.


Edited by rookie147, 19 April 2007 - 09:17 AM.


#9 rookie147
  • Members
  • 5,321 posts

Posted 27 April 2007 - 10:03 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter.

Everyone else please begin a New Topic.
