Solved

Spyware Problem

Posted on 2004-09-10
Last Modified: 2010-04-14
I can usually get rid of this kind of stuff, but this one has got me stumped.
I have a Windows 2000 machine which is on 24/7 because it serves web pages and FTP. After it's on for 6 hours or so it is frozen up because there are hundreds of IE windows up.
I have run Adaware, Spybot, SpywareGuard, SpywareBlaster, Trend online virus scan, and AVG virus scan. They come up with no viruses but do find spyware each time, but it comes back.
I have managed to copy 3 URLs of the popup windows at times when the machine is not frozen. Here they are.

http://www.xzoomy.com/stc.php?stid=100
http://69.20.56.3/yyy10.html
http://66.150.55.135/jw/1054.html

Any help is greatly appreciated.
Question by:TuscolaCounty
7 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 12025690
TuscolaCounty

This link (largely courtesy of COBOLDinosaur) contains everything you need to know about spyware, scumware, adware, hijacked home pages etc and the tools you need to get rid of them:

http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

Cheers

JamesDS
0
 
LVL 4

Expert Comment

by:johndeerb
ID: 12025700
Have you tried HijackThis?

http://www.tomcoyote.org/hjt/

It's worth a shot, but read carefully before you use it because it finds legit and evil stuff alike...

jb
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12025941
Hi TuscolaCounty,

Try to run these tools that you know and that are provided in that PAQ given by JamesDS and see if that helps.

Also do this:
Start --> Run --> type in "msconfig" and press "Enter".
Go to the Startup tab.
Disable all the applications there except the anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same Startup tab and find the application that might cause this at startup.

This would prevent the spyware from starting in the first place, and you may also have to go to the specific registry entry to remove them if you find any bad application.

Also save the HijackThis log and paste it here http://hijackthis.de/index.php?langselect=english to analyze it.
If there are files that the website cannot really say are good or bad applications/processes, post them here.

SR..
0
 
LVL 21

Expert Comment

by:jvuz
ID: 12026056
Check with HijackThis, like johndeerb already proposed, and post the log here.

Here you can find the latest version:

http://www.majorgeeks.com/download3155.html
0
 

Author Comment

by:TuscolaCounty
ID: 12034363
Hijack this log:

Logfile of HijackThis v1.98.2
Scan saved at 10:09:10 AM, on 9/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\a2\a2guard.exe
C:\SnugServer\SnugServer.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SnugServer.lnk = C:\SnugServer\SnugServer.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{237D5568-CE6F-4A1C-9747-3478CE395418}: NameServer = 209.206.136.8,209.206.136.9

Calsp.dll? That seems questionable.
0
 
LVL 49

Accepted Solution

by: sunray_2003 earned 750 total points
ID: 12034458
Are you aware of what this is?

O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"

If not, remove it from startup..

Remove all these

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

0
 

Author Comment

by:TuscolaCounty
ID: 12035275
Yeah, that is A2 or A squared; it's a trojan detector I run. Nice program, by the way.
The others I did remove.
I ran Winsock Fix XP and it reset my TCP/IP stack, and now everything is fine.
Somehow the spyware got into the stack like New.net does.
Man, I'd like to get just one hand around the neck of someone who writes this crap.
Thanks for all the replies.
0
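
Added example, not part of the original thread or of HijackThis itself: a small Python triage pass over a log in the format posted above. It counts the O10 "Unknown file in Winsock LSP" lines per DLL and lists O1 hosts entries that point a name at a non-loopback address, the two entry types in this log that touch name resolution and the network stack. The sample log is constructed from lines of the poster's log plus one made-up 127.0.0.1 entry, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: lines copied from the log posted in this thread, plus one
# made-up 127.0.0.1 blocking entry (ads.example.test) to show it is not flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
C:\WINNT\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.test
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O10 - ..."
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
LSP = re.compile(r"^Unknown file in Winsock LSP:\s*(.+)$")

def is_sinkhole(addr):
    """True for loopback/unspecified addresses, as used by hosts-file blocklists."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def triage(log_text):
    """Return ({lsp_dll: times_listed}, {ip: [hostnames]}) worth reviewing."""
    lsp, redirects = Counter(), {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                      # header, process list, blank line
        code, body = m.groups()
        if code == "O10" and (f := LSP.match(body)):
            lsp[f.group(1).strip().lower()] += 1
        elif code == "O1" and (h := HOSTS.match(body)):
            if not is_sinkhole(h.group(1)):
                redirects.setdefault(h.group(1), []).append(h.group(2).lower())
    return dict(lsp), redirects

if __name__ == "__main__":
    lsp, redirects = triage(SAMPLE_LOG)
    for dll, n in lsp.items():
        print(f"LSP: {dll} listed {n} times under O10")
    for ip, names in redirects.items():
        print(f"HOSTS: {', '.join(names)} -> {ip}")
```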
