FIX MY COMPUTER SMART PEOPLE


6 replies to this topic

#1 fcomputer

fcomputer

  • Members
  • 3 posts

Posted 08 October 2004 - 09:34 PM

Logfile of HijackThis v1.97.7
Scan saved at 7:34:18 PM, on 10/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\msmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\system32\mfcfw.exe
c:\program files\warcraft iii\war3.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ayvdq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayvdq.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ayvdq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ayvdq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayvdq.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ayvdq.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ayvdq.dll/sp.html#28129
O2 - BHO: (no name) - {29F5CDA5-BEE3-3BFF-4545-58A0B85F3DCC} - C:\WINDOWS\ntnu32.dll
O4 - HKLM\..\Run: [mfcfw.exe] C:\WINDOWS\system32\mfcfw.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O17 - HKLM\System\CCS\Services\Tcpip\..\{A73D7388-EFA6-47A8-BDE7-4250EE731E84}: NameServer = 198.81.16.4


#2 fcomputer

fcomputer
  • Topic Starter

  • Members
  • 3 posts

Posted 08 October 2004 - 10:50 PM

please help?

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 08 October 2004 - 11:03 PM

You'll have to be patient.

A moderator or Administrator will be in contact with you.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 12g

12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 09 October 2004 - 12:09 AM

Hi,

Having a look.

#5 12g

12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 09 October 2004 - 12:16 AM

Please do this

Download LSPfix Here

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of lspak.dll & calsp.dll (and nothing else), and move them to the "Remove" pane.

Then click Finish.

Next:

You are running HijackThis from your desktop; this is not a good idea, because when we do a fix HijackThis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar), like this: C:\HJT\HijackThis.exe. Then extract HijackThis into the folder you have created and run it from there. When you have done that, delete the copy of HijackThis that you have on your desktop.

Next:

Update HijackThis to version 1.98.2
To do that, do this:
• run HijackThis
• select Config > Misc Tools and select "Update online", then Yes.

If that doesn't work, download a new copy Here and then delete your old copy.

Run a scan and post a new Hijackthis log after you are done.

#6 fcomputer

fcomputer
  • Topic Starter

  • Members
  • 3 posts

Posted 09 October 2004 - 11:56 AM

Logfile of HijackThis v1.98.2
Scan saved at 9:55:54 AM, on 10/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\msmd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mfcfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {97DCBB56-FF7B-D770-38B4-EAF169E5C483} - C:\WINDOWS\ntqb.dll
O4 - HKLM\..\Run: [mfcfw.exe] C:\WINDOWS\system32\mfcfw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O17 - HKLM\System\CCS\Services\Tcpip\..\{A73D7388-EFA6-47A8-BDE7-4250EE731E84}: NameServer = 198.81.16.4

#7 12g

12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 09 October 2004 - 01:07 PM

1. Download this tool called AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your Desktop.

Start About:Buster. Then hit Update. A new screen should pop up. On that screen, hit Check for Updates. If it says it found an update, hit Download Updates. If it doesn't find an update, it will automatically tell you and exit.

Do nothing more with the program at this time.

2. Click here to download Ad-Aware SE and install. Open the program and click on "check for updates now" to make sure you have the latest reference file. If not, click *ok* and let it download and install the updates by clicking on *Finish* after the update download is completed. Exit the program.

3. Print out these instructions so you have them handy as most of the steps need to be done in Safe Mode and you may not be able to go online.

4. Make sure your PC is configured to show hidden files and folders....

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

THIS MAY OR MAY NOT SHOW. If it doesn't, please continue to step 6.

Scroll down and find the service called "Network Security Service." When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and, under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

6. Reboot to Safe Mode

Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

7. Scan with Hijack This and put checks next to all the following, then with all other windows closed click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {97DCBB56-FF7B-D770-38B4-EAF169E5C483} - C:\WINDOWS\ntqb.dll

O4 - HKLM\..\Run: [mfcfw.exe] C:\WINDOWS\system32\mfcfw.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=


Now, search for, and delete if found, (some files may not be present after previous steps) the following files or folders:

C:\WINDOWS\system32\msmd.exe
C:\WINDOWS\system32\mfcfw.exe
C:\WINDOWS\ntqb.dll

8. Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right-pane and choose delete.

Remain in Safe Mode....

9. Double click on About:Buster to start the program. Hit Start and then Ok. The program should start scanning. When it's finished, hit Exit and reboot, again in Safe Mode.

Run About:Buster once more to make sure everything is ok. Reboot into Safe Mode when finished.

Save the About:Buster report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

10. Remaining in Safe Mode, configure Ad-aware for a customized scan, and let it remove any bad files found.....

Launch the program, and click on the Gear at the top of the start screen.

Under "General Settings" all available options should be selected.

Click the "Scanning" button.
Under "Drives, Folders and Files," select "Scan within Archives".
Click "Drives and folders to scan" and select your installed hard drives.
Under "Memory & Registry," select all options.

Click the "Advanced" button.
Under "Logfile detail level," select all options.

Click the "Defaults" button.
If you want to keep your current settings for your homepage and searchpage,
select "Read current settings from system." Otherwise, Ad-aware will reset them.

Click the "Tweak" button.
Under "Scanning Engine," select the following:
"Unload recognized processes during scanning."
Under "Cleaning Engine," select the following:
"Always try to unload modules before deletion."
"During removal unload Explorer and IE if necessary."
"Let Windows remove files in use after reboot."
Click on "Proceed" to save these Preferences, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found; click "Next." The bad files will be listed. Right click the pane and click "Select all objects" - this will put a check mark in the box at the side. Click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"

11. Clean out temporary and TIF files.....

Delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Empty your Recycle Bin and reboot into normal mode.

12. Perform online virus scans at Trend Micro and Panda Software (See links below). Allow the programs to delete anything they may find. Reboot after each scan.

13. Download and install this free anti-Trojan program: http://www.emsisoft.com/en/software/free/

Perform a scan and allow the program to remove anything it may find.

14. Go to the Windows Update site (see link below) to download and install ALL critical updates. Reboot when finished.

15. NOTE: Two possibly three files may have been deleted from your computer by the hijacker and may need to be replaced. Check to see if these are missing.

a. Control.exe

b. hosts (with no extension)

c. SDHelper.dll (if you are using Spybot Search & Destroy)

If control.exe is missing,
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control
and download the version of control.exe for your operating system. If you are running Windows 95/98/98SE/ME: copy it to C:\WINDOWS
Windows 2000, copy it to c:\winnt\system32\.
For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
URL=http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper
and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

16. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here:
http://www.spywareinfo.com/articles/hijacked/prevent.php

ActiveX controls and plug-ins

* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)


17. Scan with HijackThis and post a fresh log into this same thread along with your About:Buster log.
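As an added example (not code from the thread, from 12g, or from HijackThis itself), the triage below shows how a defender can flag HijackThis log lines like the ones in this thread by the shape of each entry rather than by file name: the hijacker's DLL was ayvdq.dll in the first log and cuzrh.dll in the second, so a fixed-name match would miss it. The sample lines are constructed from the entries above, and the section rules are heuristics of my own, not HijackThis's logic.

```python
import re

# Constructed sample lines in HijackThis log format, modelled on the entries
# posted in this thread; not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuzrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {97DCBB56-FF7B-D770-38B4-EAF169E5C483} - C:\WINDOWS\ntqb.dll
O4 - HKLM\..\Run: [mfcfw.exe] C:\WINDOWS\system32\mfcfw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A73D7388-EFA6-47A8-BDE7-4250EE731E84}: NameServer = 198.81.16.4
"""

# A search/start page served out of a DLL's resources (res://...dll/...html) is
# the about:blank/CWS signature. The DLL name is randomised, so match the shape.
RES_DLL_URL = re.compile(r"^res://.+\.dll/[^\s]+\.html", re.IGNORECASE)
LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"\[([^\]]+)\]\s+(.*)$")

def is_res_dll_url(value):
    return bool(RES_DLL_URL.match(value.strip()))

def triage(log_text):
    """Return (verdict, section, reason, line) for each entry worth attention."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if section in ("R0", "R1") and is_res_dll_url(value):
            findings.append(("fix", section, "search/start page points into a DLL resource", line))
        elif section in ("R0", "R1") and value.strip().lower() == "about:blank":
            findings.append(("fix", section, "page reset to about:blank", line))
        elif section == "R3" and "missing" in body:
            findings.append(("fix", section, "default URLSearchHook removed", line))
        elif section == "O2" and "(no name)" in body:
            findings.append(("fix", section, "unnamed BHO", line))
        elif section == "O4":
            rm = RUN_ENTRY.search(body)
            # Heuristic: an autostart whose key name is just its own exe name.
            if rm and rm.group(1).lower() == rm.group(2).rsplit("\\", 1)[-1].lower():
                findings.append(("fix", section, "bare autostart named after its own exe", line))
        elif section == "O10" and "Unknown file" in body:
            findings.append(("fix", section, "unknown Winsock LSP module", line))
        elif section == "O17":
            # Not flagged as bad in the thread; a DNS override still deserves a look.
            findings.append(("review", section, "DNS server set in registry; confirm it is your ISP's", line))
    return findings

if __name__ == "__main__":
    for verdict, section, reason, line in triage(SAMPLE_LOG):
        print(f"{verdict:6} {section:3} {reason}: {line}")
```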