TuscolaCounty
asked on
Spyware Problem
I can usually get rid of this kind of stuff, but this one has got me stumped.
I have a Windows 2000 machine which is on 24/7 because it serves web pages and FTP. After it's on for 6 hours or so it is frozen up because there are hundreds of IE windows up.
I have run adaware, spybot, spyware guard, spyware blaster, Trend online virus scan and AVG virus scan. They come up with no viruses but do find spyware each time, but it comes back.
I have managed to copy 3 URLs of the popup windows at times when the machine is not frozen. Here they are.
http://www.xzoomy.com/stc.php?stid=100
http://69.20.56.3/yyy10.html
http://66.150.55.135/jw/1054.html
Any help is greatly appreciated.
Have you tried HijackThis?
http://www.tomcoyote.org/hjt/
It's worth a shot, but read carefully before you use it because it finds legit and evil stuff alike...
jb
Hi TuscolaCounty,
Try to run these tools that you know and that are provided in that PAQ given by JamesDS and see if that helps.
Also do this:
Start --> Run --> Type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there except Anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same Startup tab and find the application that might cause this at startup.
This would prevent the spyware from starting in the first place, and you may also have to go to the specific registry entry to remove them if you find any bad application.
Also save the HijackThis log and paste it here http://hijackthis.de/index.php?langselect=english to analyze it.
If there are files for which the website cannot really say whether it is a good or bad application/process, post them here.
SR..
Check with HijackThis, like johndeerb already proposed, and post the log here.
Here you can find the latest version:
http://www.majorgeeks.com/download3155.html
ASKER
Hijack this log:
Logfile of HijackThis v1.98.2
Scan saved at 10:09:10 AM, on 9/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\a2\a2guard.exe
C:\SnugServer\SnugServer.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SnugServer.lnk = C:\SnugServer\SnugServer.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{237D5568-CE6F-4A1C-9747-3478CE395418}: NameServer = 209.206.136.8,209.206.136.9
Calsp.dll? That seems questionable.
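A triage pass over the log posted above, as an added example that is not part of the original thread: it pulls out the O1 hosts-file redirects and the O10 unknown Winsock LSP files, the two groups that stand out in this log. The sample lines are taken from the posted log; the function name `triage` and the loopback allowance are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Sample lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{237D5568-CE6F-4A1C-9747-3478CE395418}: NameServer = 209.206.136.8,209.206.136.9
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # "<section code> - <body>"
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")       # O1 body: IP then hostname
LSP = re.compile(r"^Unknown file in Winsock LSP:\s+(.+)$", re.I)  # O10 body
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}            # assumption: treated as benign

def triage(log_text):
    """Return (hosts-file redirects by IP, unknown Winsock LSP files with counts)."""
    redirects = defaultdict(list)   # IP -> hostnames pointed at it (O1 lines)
    lsp_files = Counter()           # DLL path -> number of O10 lines naming it
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, body = m.groups()
        if code == "O1":
            h = HOSTS.match(body)
            # Loopback targets are how hosts-file blocklists are written;
            # any other address sends the name to a real server.
            if h and h.group(1) not in LOOPBACK:
                redirects[h.group(1)].append(h.group(2))
        elif code == "O10":
            f = LSP.match(body)
            if f:
                lsp_files[f.group(1).lower()] += 1
    return dict(redirects), dict(lsp_files)

if __name__ == "__main__":
    redirects, lsp_files = triage(SAMPLE_LOG)
    for ip, names in redirects.items():
        print(f"hosts redirect -> {ip}: {', '.join(names)}")
    for path, n in lsp_files.items():
        print(f"unknown LSP file ({n} O10 lines): {path}")
```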
ASKER
Yeah, that is A2 or A squared; it's a trojan detector I run. Nice program, by the way.
The others I did remove.
I ran winsock fix xp and it reset my TCP/IP stack and now everything is fine.
Somehow the spyware got into the stack like new.net does.
Man, I'd like to get just one hand around the neck of someone who writes this crap.
Thanks for all the replies.
This link (largely courtesy of COBOLDinosaur) contains everything you need to know about spyware, scumware, adware, hijacked home pages, etc., and the tools you need to get rid of them:
https://www.experts-exchange.com/questions/20975384/Standard-response-material-re-Spyware-Adware-BHOs-and-other-Malware.html
Cheers
JamesDS