TechSpot

Spyware attack messed my desktop "Help"

By Candy_girl
Oct 24, 2006
Topic Status:
Not open for further replies.
  1. Candy_girl

    Candy_girl TS Rookie Topic Starter Posts: 54

    Oh... if only I'd seen what Mr. Howard posted.

    Because now I've got another problem. After I did what the previous poster told me, which was to delete all DLLs in the log of "LSP-FIX", and restarted the PC, the Windows firewall (security system) got disabled, and every time I try to enable it, it automatically disables itself, so I ended up with completely no access to the internet at all (not even by dial-up).

    Should I just do what's on the LSP site, that is, repair the winsock file?
    Help please.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Yes, try repairing the winsock file and see if that helps. Then, post a fresh updated version of HJT as requested in my last post.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Candy_girl

    Candy_girl TS Rookie Topic Starter Posts: 54

    It worked! I finally got my connection back.

    Thank you so much for everything, Mr. Howard.

    I attached the new log file for you :)
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end the process for each of the following (if there).

    regperf.exe
    dcomcfg.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] regperf.exe

    O4 - HKLM\..\Policies\Explorer\Run: [dcomcfg.exe] dcomcfg.exe

    O22 - SharedTaskScheduler: ecosystems - {af3fd9a8-1287-4159-9212-9a5b4494af70} - (no file)

    O22 - SharedTaskScheduler: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    regperf.exe
    dcomcfg.exe


    Search your system for the above files and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Candy_girl

    Candy_girl TS Rookie Topic Starter Posts: 54

    Something wrong with my internet connection!

    OK, so today I restarted my computer and suddenly my connection isn't functioning right: sometimes I can access all sites and sometimes I can only access Google.

    And I was just checking my network places, and I found this located there:

    Here's a screenshot of it (see attachment).

    Since I'm on a LAN, I asked the man who has the router if he installed any new routers or something, and he said no, and everything is still the same.

    Could someone have possibly installed this on my PC, or something? Because the connection is acting really weird; it doesn't want me to access Yahoo, just Google. I got here miraculously, through refreshing dozens of times.

    Here's my HijackThis report, maybe there's something there!

    Thanks in advance.
     
  6. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Have HijackThis fix these entries:
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    Fix the O17 entries if you do not recognise the domain to be from your ISP.
    O22 - SharedTaskScheduler: ecosystems - {af3fd9a8-1287-4159-9212-9a5b4494af70} - (no file)
    O22 - SharedTaskScheduler: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)

    I require you to post your AVG Antispyware and ComboFix logs in your next reply please. Please also run AVG Anti Rootkit via Step 11 of the instructions HERE. Let me know the results of the scan.

    Regards,
    Your friendly momok =)

    This thread is for the use of Candy_girl only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
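
Added example (not part of any post in this thread, and not HijackThis's own code): a small Python triage of the HijackThis entries quoted in posts 4 and 6, flagging CLSID entries reported as `(no file)` and `O4` autostarts under `Policies\Explorer\Run`. The name-versus-command check and the `ExampleTray` line are assumptions added for illustration.

```python
import re

# First five entries are quoted from the posts above; the last is a
# constructed benign entry (hypothetical "ExampleTray") added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] regperf.exe
O4 - HKLM\..\Policies\Explorer\Run: [dcomcfg.exe] dcomcfg.exe
O22 - SharedTaskScheduler: ecosystems - {af3fd9a8-1287-4159-9212-9a5b4494af70} - (no file)
O22 - SharedTaskScheduler: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

# O2/O22 lines: "<section> - <kind>: <name> - {CLSID} - <file>"
CLSID_ENTRY = re.compile(
    r"^(?P<sec>O2|O22) - [^:]+: .* - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
# O4 lines: "O4 - <registry key>: [<value name>] <command>"
RUN_ENTRY = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def review(log_text):
    """Return (section, identifier, reason) for each entry worth a second look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = CLSID_ENTRY.match(line)
        if m:
            if m["file"].lower() == "(no file)":
                findings.append((m["sec"], m["clsid"].upper(),
                                 "HijackThis reports (no file) for this CLSID"))
            continue
        m = RUN_ENTRY.match(line)
        if not m:
            continue
        reasons = []
        if m["key"].lower().endswith(r"\policies\explorer\run"):
            reasons.append(r"autostart under Policies\Explorer\Run")
        # Assumed heuristic: a value name that looks like one file but
        # launches a differently named one.
        parts = m["cmd"].split("\\")[-1].split()
        target = parts[0].lower() if parts else ""
        name = m["name"].lower()
        if re.search(r"\.(dll|exe)$", name) and name != target:
            reasons.append("value name imitates a different file")
        if reasons:
            findings.append(("O4", m["name"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
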
     
  7. Candy_girl

    Candy_girl TS Rookie Topic Starter Posts: 54

    Hi, remember me?

    Ok, so since yesterday my connection has been acting really weird - the pages don't fully load, msn disconnects, I can't download anything off rapidshare (it always tells me that my IP address is already downloading that file, which I'm not)

    I connect to the internet via a USB modem. And up until yesterday everything was going fine.

    I ran CCleaner and hijackthis (I've attached my logfile)

    Please help!
     
  8. tomrca

    tomrca TS Rookie Posts: 1,051

    Hi Candy girl.
    Yes, there are some problems there. Go to the forum http://www.techspot.com/vb/topic58138.html and follow the instructions, you may also cws shredder. Unless you live in Egypt, there are a couple of IPs that need to be looked at.
     
  9. Candy_girl

    Candy_girl TS Rookie Topic Starter Posts: 54

    Yes, I do live in Egypt. How did you know?

    Yeah, I won't delete those IP items in my HijackThis log!
     
  10. tomrca

    tomrca TS Rookie Posts: 1,051

    No, don't delete them. The IP address tells where it is from.
     
  11. Candy_girl

    Candy_girl TS Rookie Topic Starter Posts: 54

    OK, so I've got a new problem - I use a USB drive called Speedtouch 330 to connect to the internet, OK? So since my last post mentioning how I've been experiencing connection problems, something weird has been happening: out of nowhere this message pops up that says:

    'speedtouch, generic host error something and it needs to be closed. And it gives me these two options either to Send error report or don't send'

    So if I click either or ignore it - my windows skin changes to classic. And I use Style XP.

    And in order to have everything back to normal, I have to restart the computer.

    I'm confused, I don't know what's wrong. I only ran CCleaner, HijackThis, and an AVG spyware scan, logged into safe mode and deleted any suspicious item.

    I attached another hijackthis report.

    Please help!
     
     
  12. tomrca

    tomrca TS Rookie Posts: 1,051

    You can have HijackThis fix this: O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    But before anyone can go any further, update HijackThis; the present version is V2.0.2. Scan showing hidden folders.
    There seems to be CoolWebSearch on your PC, but update first. Uninstall the old HJT.
    Click HijackThis in my signature.
     