Freakin popups!


RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: talyn00
Scan results:
Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher))
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications. But several of them "came back" upon reboot.
HijackThis 1.99 showed me the BackOrifice, plus three or four more trojans.
I wiped it and re-installed XP.
Well Microsoft Antispyware is not a replacement for anti-virus.
This particular client had active, up-to-date, Antivirus running, also.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
This won't fix everything, but it can help prevent future crapware from getting on your system: modify your HOSTS file.

I got a friend's machine a few months ago that was so far beyond repair that I had to format. I even did surgery on the registry, and when I thought it was clean, two boots later it started showing symptoms again. I spent way too much time trying to fix it, and up until a year ago I thought I was getting pretty good at repairing heavily compromised machines.

FlyingPenguin knows his stuff. But even he gets stumped once in a while. The crapware authors are getting better at avoiding the standard tools and hiding in the registry. But a HOSTS file will at least add another level of protection that stops them cold.

There are little hiding places for their EXEs, too. For example, go to C:\WINDOWS\SoftwareDistribution\Download: everything in that folder can be deleted.

But a HijackThis log would help. Also check msconfig, and be sure everything there has a purpose.
 

pkypkypky

Golden Member
Apr 18, 2001
1,542
0
76
While we're on the topic of backup tips, how about we focus on safe internet surfing? It's a fact that malware doesn't appear on our computers *magically*.
 

patentman

Golden Member
Apr 8, 2005
1,035
1
0
Originally posted by: Medea
Originally posted by: BadThad
Post a hijackthis log for us to look over, maybe we can help. :)

:thumbsup:

Ok, here you all go.

Logfile of HijackThis v1.99.1
Scan saved at 5:47:27 PM, on 2/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\NIKOLA~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://law.gmu.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: LNHelper.BarHelper - {05A34600-8920-479b-92A9-68FACF7BB8FA} - mscoree.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: LexisNexis Toolbar - {86BE1CDA-4F72-4c2f-9526-8E6A22DF46ED} - mscoree.dll (file missing)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Z62myY] c:\documents and settings\nikolas uhlir\local settings\temp\Z62myY.exe
O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
O4 - HKLM\..\Run: [Ebcbymb] C:\WINDOWS\uaazki.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v...86/client/wuweb_site.cab?1097717140062
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
 

BadThad

Lifer
Feb 22, 2000
12,100
49
91
Appears you have a virus or malware:

O4 - HKLM\..\Run: [Z62myY] c:\documents and settings\nikolas uhlir\local settings\temp\Z62myY.exe
O4 - HKLM\..\Run: [Ebcbymb] C:\WINDOWS\uaazki.exe

Anything that executes from a temp folder location at boot is BAD.

Possible traces of VX2 malware:

O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll

I've seen malware like this. If you simply delete the keys above, it will put them right back and possibly rename the executables. More than likely, it's a rootkit and if you use Windows Explorer, I bet you won't even see the uaazki.exe file in the Windows folder.

First off, clean ALL the files in your profile's temp directory, that's where it all started. Uncheck these keys in HijackThis and reboot into safe mode. Run the battery of anti-malware applications in safe mode and pray.
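As an added example (not code from the thread or from HijackThis), a small Python triage script that applies the rules BadThad states above to lines in HijackThis log format: it flags Run keys that launch an executable from a temp folder or straight out of the Windows root, and collapses the repeated unknown-LSP lines into a single finding. The sample lines are adapted from the log posted above with the profile folder replaced by `user`; the regexes, function names and severities are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99 log format (adapted from the log above,
# profile folder replaced by "user"). Two benign Run keys are included as controls.
SAMPLE_LOG = """\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [Z62myY] c:\\documents and settings\\user\\local settings\\temp\\Z62myY.exe
O4 - HKLM\\..\\Run: [Ebcbymb] C:\\WINDOWS\\uaazki.exe
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\calsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\calsp.dll
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
LSP_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')


def run_target(cmd: str) -> str:
    """Return the executable path from an O4 command line, quotes and arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group('path') if m else cmd.strip()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag the HijackThis entries the thread treats as suspect; everything else is left to a human."""
    findings: List[Dict[str, str]] = []
    seen_lsp = set()
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            path = run_target(m.group('cmd')).lower()
            if '\\temp\\' in path:
                # BadThad's rule: anything that executes from a temp folder at boot is bad.
                findings.append({'line': line, 'severity': 'high',
                                 'reason': 'Run key launches an executable from a temp folder'})
            elif path.startswith('c:\\windows\\') and path.count('\\') == 2:
                # A bare .exe dropped in the Windows root (uaazki.exe in the log); a rootkit
                # may hide it from Explorer, so verify it from safe mode or another OS.
                findings.append({'line': line, 'severity': 'medium',
                                 'reason': 'Run key launches an executable from the Windows root'})
            continue
        m = LSP_RE.match(line)
        if m and m.group('path').lower() not in seen_lsp:
            # HijackThis prints one O10 line per protocol chain, so dedupe on the DLL path.
            # Medea's caveat applies: one entry alone does not identify a specific infection.
            seen_lsp.add(m.group('path').lower())
            findings.append({'line': line, 'severity': 'medium',
                             'reason': 'Unknown Winsock LSP DLL; repair the LSP chain rather than deleting the file'})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}\n    {f['line']}")
```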
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
It could also be interesting to heave those files into VirusTotal.com's online analyzer dealiebob and see what it calls them. It runs about 20 different antivirus scanners on whatever you submit.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: hardcandy2
Spyware Warrior has an entry about this malware and some instructions on removing it.


hardcandy2 -

You did a search for the .dll file on his O10 entry and found that site. Be careful about assuming a particular infection because of one entry.
 

Marthisdil

Senior member
Aug 13, 2001
443
0
71
BTW - Here at my office, when someone has spyware, I run no less than 4 diff anti-spyware progs - MS, Adaware, Spybot, and Dr. Spyware....as NOT A SINGLE ONE OF THEM WILL FIND EVERYTHING. So you could run 20 different ones, and sometimes, spyware will evade them all. Quit being a dink and hammering us "IT Guys". If you don't want FREE help, then go facking PAY someone to do it for you.

Also, since you're looking at patent law - change it where patents don't suck and 1 man companies with a lawyer wait for some schmoe to come across and sue some dude who wrote something useful, because he infringed on some vague patent that has no practical application other than to be the flypaper to catch people trying to be useful. Thanks!
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Marthisdil
Here at my office, when someone has spyware,
If possible, get everyone onto Limited / Restricted-User accounts. The power to install spyware should not be present in the first place if it doesn't have to be. I don't go grocery shopping with a loaded semiautomatic in my hand with the safety off, and I don't run my system at Admin level when I just need to browse the Internet and answer email. ;)
 

patentman

Golden Member
Apr 8, 2005
1,035
1
0
Originally posted by: Marthisdil
BTW - Here at my office, when someone has spyware, I run no less than 4 diff anti-spyware progs - MS, Adaware, Spybot, and Dr. Spyware....as NOT A SINGLE ONE OF THEM WILL FIND EVERYTHING. So you could run 20 different ones, and sometimes, spyware will evade them all. Quit being a dink and hammering us "IT Guys". If you don't want FREE help, then go facking PAY someone to do it for you.

Also, since you're looking at patent law - change it where patents don't suck and 1 man companies with a lawyer wait for some schmoe to come across and sue some dude who wrote something useful, because he infringed on some vague patent that has no practical application other than to be the flypaper to catch people trying to be useful. Thanks!

Hey, sorry if I offended you, my comments were really directed at one guy in particular. Sorry if I painted with too broad a brush.

As for your comments re: patents, any time you want to talk patent law let me know. I realize that there are good and bad sides to the current system, but that doesn't mean all patents suck. What you referred to is primarily an issue in software patents, which I personally feel should not be patentable. Definitely copyrightable, but not patentable. The federal circuit and supreme court disagree with me, however.

And while we're throwing mud at each other over things we have no control over, I'll "fix" the patent system when you find someone to write an easy to use, bug free, spyware impervious OS for which people actually write a large amount of software.

To the others who posted useful comments, thanks! :)
 

patentman

Golden Member
Apr 8, 2005
1,035
1
0
Not yet. Haven't had a chance to follow the suggestions in this thread yet. I work full time and go to school at night, so my time is at a premium to say the least.

 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: patentman
Not yet. Haven't had a chance to follow the suggestions in this thread yet. I work full time and go to school at night, so my time is at a premium to say the least.
1) Bedtime: Go to Microsoft.com/downloads and download XP SP2 patch. Go to bed. Time: 5 minutes.
2) Morning: Tell PC to burn XP SP2 patch to a CD or copy it to a USB hard drive. Go to school. Time: 5 minutes.
3) Bedtime: Run FAST Wizard in XP and tell XP to back up all your files and settings to another PC or to a USB hard drive. Go to bed. Time: 5 minutes.
4) Next morning: Insert the XP Install CD and tell XP to re-install. Go to school. Time: 30 minutes.
5) Evening: Arrive home and XP is installed. Doubleclick on the XP SP2 patch to install SP2. You can use the PC in the meantime if you want. Time: 5 minutes.
Run FAST Wizard in XP and tell XP to put all your files and settings back on your new system. Time: 5 minutes.
Total time invested: Less than an hour, plus any re-installs of applications you need to re-install. Plus, you end up with a recent backup of your important files.
Total computer downtime: Less than an hour.
 

patentman

Golden Member
Apr 8, 2005
1,035
1
0
Originally posted by: RebateMonger
Originally posted by: patentman
Not yet. Haven't had a chance to follow the suggestions in this thread yet. I work full time and go to school at night, so my time is at a premium to say the least.
1) Bedtime: Go to Microsoft.com/downloads and download XP SP2 patch. Go to bed. Time: 5 minutes.
2) Morning: Tell PC to burn XP SP2 patch to a CD or copy it to a USB hard drive. Go to school. Time: 5 minutes.
3) Bedtime: Run FAST Wizard in XP and tell XP to back up all your files and settings to another PC or to a USB hard drive. Go to bed. Time: 5 minutes.
4) Next morning: Insert the XP Install CD and tell XP to re-install. Go to school. Time: 30 minutes.
5) Evening: Arrive home and XP is installed. Doubleclick on the XP SP2 patch to install SP2. You can use the PC in the meantime if you want. Time: 5 minutes.
Run FAST Wizard in XP and tell XP to put all your files and settings back on your new system. Time: 5 minutes.
Total time invested: Less than an hour, plus any re-installs of applications you need to re-install. Plus, you end up with a recent backup of your important files.
Total computer downtime: Less than an hour.

I don't think you understand what a day in my life is like. Maybe this will help:

average week day for me:

530am: Wake up; shower shave, put on suit
615 am: drive to metro
615-7am: ride metro to work while reading for law school
7am-4pm: work (I work in a law firm, so I am busy for 99% of the day)
4pm-5pm: leave work, walk to metro, read for lawschool while riding metro; drive to school
5pm-6pm: eat dinner while reading/prepping for class
6pm-10pm: class
10pm-1030pm: drive home
1030pm-1040 pm: talk to wife before she goes to bed, if she is awake (she has the patience of a saint)
1040pm until 130am: read or write papers for school
130am-530am: sleep
total free time during day: ~5 minutes.

wash rinse repeat

I do the above at least 5 days a week for 8 months out of the year. I wasn't kidding when I said time was at a premium. Try my schedule for a week and see if you still think it's unreasonable for me to say I'm gonna wait, I highly doubt you will. Besides, if I somehow manage to scrounge together a free hour over the course of a day, you better believe I'm gonna spend that with my wife and not in front of my computer.

Oh, and in addition: risk of screwing up my computer at this stage during the semester: infinitely bad. Hence, I will wait until I have some time to deal with a possible screwup, should one happen. Right now that looks like it will be ~March 11.

BTW, I backup my "important" files every night to a removable harddrive.
 

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
Have you tried CWShredder yet? It's good at either removing, or at least crippling, infestations of CoolWebSearch, one of the more insidious spyware packages out there.


Seriously though, if you've got the time to make these long posts, you might just have to suck it up and do a reinstall. I know, I hate reinstallations myself, because I love tweaking everything, and after a reinstall, I have to do it all again. The installation on this PC right now is over a year old - lots of nice little utilities in there, and everything's just the way I want it.
But if your computer is nearly useless now, you're losing time to the popups and other problems. Might as well put that time into remedying the solution completely in one swoop.


Other option: Use a Knoppix CD and a USB thumbdrive to save files to.