Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp


  • Please log in to reply
2 replies to this topic

#1 Masonite

Masonite

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Location:Florida
  • Local time:05:07 PM

Posted 10 January 2005 - 01:52 PM

Symantec can't delete the fileit keeps telling me that is infected. This is a remote machien and the user can't seem to boot up in safe mode. The WInsock LSP files will not delete from Adaware, Spybot, Windows,and I tried to Unregister the dlls and received an error about the unregisterdll file

Logfile of HijackThis v1.98.0
Scan saved at 12:06:38 PM, on 1/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Common Files\Intuit\Track-It!\ChannelDeploy.sys
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Track-It!\PRISMXL.SYS
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ltmsg.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Track-It! Deploy\Client\PTClient.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\System32\rikuug.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\wuauclt.exe
C:\Documents and Settings\SGlasford\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontdoor.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aumha.org/a/noads.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.premdor.com:80
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Track-It! Remote Service Monitor] \\surrey_nt1\shared\trackit\trackit\remoteinstall\TIServiceMonitor.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Track-It! Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Masonite.com
O17 - HKLM\Software\..\Telephony: DomainName = masonite.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Masonite.com

Thank you

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:07 PM

Posted 10 January 2005 - 09:41 PM

Download LSPFix from http://www.cexx.org/LSPFix.exe and run it.

Check the I know what I'm doing box.

In the Keep box you should see one or more instances of the following files.

aklsp.dll
calsp.dll


Select every instance of these files, but no others, and move each one to the Remove box by clicking the >> button.

When you are done click Finish>>.


Reboot and post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Masonite

Masonite
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Location:Florida
  • Local time:05:07 PM

Posted 11 January 2005 - 07:24 AM

That is a dead link but I have this file already. I forgot about this tool. Thaks I will try it and get back to you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users