The latest Hijackers


3 replies to this topic

#1 kmasri


Posted 03 January 2005 - 07:17 PM

During the last week of Dec. 2004, I got accidentally invaded with spyware/malware. I have spent many days trying to reverse this personal tragedy, but some of the problems persist; here is a list:

1-Computer boots up randomly without my command, about once every few hours;
2-Program shortcuts (like Dating Online and Block Spyware to name a couple) keep appearing on my desktop especially after reboot;
3-When in Internet Explorer, I still get a few annoying popups, but I also get browser redirects after I try a search.

And here is what I have done so far:
1-Ran Spybot S&D and Ad-Aware 6.0 several times, before and after updating them to the latest available free versions;
2-Installed a couple of freeware popup blockers, but discovered that those too had spyware built in, and promptly removed them (but I don't know how completely);
3-Installed a purchased copy of Spyware Doctor and ran it; then I updated it to the newest online version and re-ran it; I cleaned up in excess of 100 problems found by the software. I also turned the immunization and spyguard utilities on;
4-After all of this work the computer seemed back to normal, but much to my chagrin, the problems listed above persist.

I finally broke down and ran HijackThis after carefully reading an associated tutorial on the subject. Below is the log (I am running a Windows 2000 Professional machine).
---------------

Logfile of HijackThis v1.99.0
Scan saved at 3:15:51 PM, on 1/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\owvrig.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\PCI Audio Applications\Bin\VxD\noSPDIF\Mixer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
F3 - REG:win.ini: run=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKCU\..\Run: [System Tray] C:\Documents and Settings\Kal.GTSDOMAIN\Desktop\your_details1.pif
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.yahoo.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://my.yahoo.com
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GTS.genetherapysystems.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{322A96E7-1549-4977-A4C4-0961837FAC85}: NameServer = 206.251.228.22,206.251.228.24
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Vector NTI Suite 8\Ncbi.dll
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Installer - Unknown - C:\WINNT\Installer\InstMsi0\MsiExec.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

--------------------

I don't know what the proper way is to request help on this forum, but I do know that my gratitude is offered in advance for any assistance forthcoming.
Sincerely
Kal M.


 


#2 Daisuke


Posted 04 January 2005 - 08:16 PM

Hi :thumbsup:

You have a Look2Me infection and your recycle bin is damaged. If you delete a file it will be lost forever.


Please download LSPFix from: LSP-Fix

Disconnect from the Internet and close all Internet Explorer windows. Run the program, check the "I know what I'm doing" button and place all listings of

aklsp.dll
calsp.dll

into the Remove section by clicking on the button that points to the right. Do not remove any others. When all instances of these DLLs are in the Remove section, press the Finish button.

Reboot your machine.

To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers


Download Find It NT-2K-XP.zip.

Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

My timezone is GMT +2. I think you can run find.bat and post the log tomorrow morning or tomorrow afternoon/evening. It's 3 am now and I'm going to sleep ...

Edited by cryo, 04 January 2005 - 08:18 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
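The log in post #1 and the diagnosis above (hosts-file entries, the repeated O10 Winsock LSP lines, services whose binary is missing, a .pif launched from the Desktop at logon) are the sort of thing a helper scans for by eye. As an added example that is not part of the thread and not code from the HijackThis or LSP-Fix authors, the Python script below applies those same checks mechanically to a few lines copied from the posted log (the sample text, the section names and the heuristics are my own construction, not a HijackThis feature):

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log in post #1,
# trimmed to the entries that the checks below look at.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 3:15:51 PM, on 1/3/2005
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [System Tray] C:\Documents and Settings\Kal.GTSDOMAIN\Desktop\your_details1.pif
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Windows Installer - Unknown - C:\WINNT\Installer\InstMsi0\MsiExec.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
"""

# Every HijackThis finding is "<section> - <body>"; header and process lines are not.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 bodies look like "HKCU\..\Run: [label] target".
AUTORUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<target>.*)$")
# Autorun targets that are not plain .exe files deserve a second look.
RISKY_EXT_RE = re.compile(r"\.(pif|scr|bat|cmd|vbs)(?=[\s\"]|$)", re.IGNORECASE)
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\local settings\\")
LOOPBACK = ("127.0.0.1", "::1")


def parse_entries(text):
    """Return [(section, body), ...], skipping lines that carry no section prefix."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Collect the four findings a helper would look at first in a log like this."""
    hosts_by_ip = defaultdict(set)
    lsp_dlls = set()
    missing_services = []
    risky_autoruns = []
    for section, body in parse_entries(text):
        if section == "O1" and body.startswith("Hosts: "):
            ip, host = body[len("Hosts: "):].split(None, 1)
            hosts_by_ip[ip].add(host.strip())
        elif section == "O10":
            # One O10 line per Winsock chain layer is normal, so dedupe: the
            # useful fact is the set of unrecognised DLL file names.
            path = body.split(":", 1)[1].strip()
            lsp_dlls.add(path.replace("/", "\\").rsplit("\\", 1)[-1].lower())
        elif section == "O23" and body.endswith("(file missing)"):
            # "Service: <name> - <company> - <path> (file missing)"
            missing_services.append(body[len("Service: "):].split(" - ", 1)[0])
        elif section == "O4":
            m = AUTORUN_RE.match(body)
            if not m:
                continue
            target = m.group("target")
            reasons = []
            if RISKY_EXT_RE.search(target):
                reasons.append("non-exe executable type")
            if any(marker in target.lower() for marker in USER_WRITABLE):
                reasons.append("runs from a user-writable folder")
            if reasons:
                risky_autoruns.append((m.group("label"), target, "; ".join(reasons)))
    # Several hostnames collapsed onto one non-loopback address is the hosts-file
    # search-redirect pattern; loopback entries are how ad-blocking hosts lists work.
    hosts_redirects = {
        ip: sorted(hosts)
        for ip, hosts in hosts_by_ip.items()
        if ip not in LOOPBACK and len(hosts) >= 2
    }
    return {
        "hosts_redirects": hosts_redirects,
        "lsp_dlls": sorted(lsp_dlls),
        "missing_services": missing_services,
        "risky_autoruns": risky_autoruns,
    }


def format_report(result):
    """Render the findings as one line each, in log-section order."""
    lines = []
    for ip, hosts in result["hosts_redirects"].items():
        lines.append(f"O1  hosts file sends {len(hosts)} names to {ip}: {', '.join(hosts)}")
    for dll in result["lsp_dlls"]:
        lines.append(f"O10 unrecognised Winsock LSP: {dll} (unchain with LSP-Fix, do not just delete)")
    for name in result["missing_services"]:
        lines.append(f"O23 service whose binary is missing: {name}")
    for label, target, why in result["risky_autoruns"]:
        lines.append(f"O4  autorun [{label}] -> {target} ({why})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run it as-is to see the report for the sample, or pass the full text of a saved log to triage(). The O10 handling matches the advice above: the DLL names are reported for removal with LSP-Fix rather than by deleting the files, because a broken Winsock chain leaves the machine without network access.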


#3 kmasri


Posted 06 January 2005 - 09:13 PM

Hello Cryo,
Thank you very much for your valuable response. I wanted to implement your recommendations immediately but unfortunately couldn't, and here's why:

On the evening of the day I posted my problem, my 4-year-old computer crashed during an Outlook file backup exercise, so I decided to shut the power off on the back side of my machine and go home. I came in the next morning and flipped the power switch on and as I was waiting, thick white smoke started pouring out of the back! By the time I ran around my desk a small flickering fire had started behind the fan. I immediately shut down the machine and opened it to find that one of the small capacitors/resistors on the power supply board had turned into an ash heap. Boy, I would not be exaggerating if I told you that it was the worst smell ever, and it lingered for the whole day in my office!!
Anyhow, after recovering from this ugly surprise, I quickly replaced the "switching power supply" box with a new one, but sadly for me, the hard disk would not boot up; I tried multiple restarts, but no luck. I moved the hard disk into a colleague's Win2000 machine, but it failed to detect it. I am now trying to find a way to salvage a few important files and don't know if I will get lucky doing this.

This is all to say that I am truly sorry I cannot give you even the modest satisfaction of confirming that your recommendations worked. In one ironic sense, I am glad I now officially got rid of the pesky hijacker codes, although I curse my luck for having lost 2/3 of my Outlook files and a couple of new hard disk files I did not have a chance to back up yet. Like they say, "you win some and you lose some" and I hope that there is also room for "and you recover some" too.

With kind regards. :thumbsup:

#4 Daisuke

Posted 07 January 2005 - 05:32 AM

Sorry to read this. Good luck :thumbsup: