
Unknown file in Winsock LSP ? and other probs with Hijack log

Discussion in 'Virus & Other Malware Removal' started by seashell, Sep 18, 2003.

Thread Status:
Not open for further replies.
  1. seashell

    seashell Thread Starter

    Joined:
    Jun 22, 2003
    Messages:
    125
    Logfile of HijackThis v1.97.2
    Scan saved at 10:26:05, on 18.09.2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
    C:\Programme\Sygate\SPF\Smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\AVPersonal\AVGUARD.EXE
    C:\Programme\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\Programme\AVPersonal\AVGNT.EXE
    C:\Programme\DeTeWe\TA 33 USB\Capictrl.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Programme\RegSeeker\RegSeeker.exe
    C:\Dokumente und Einstellungen\********\Eigene Dateien\Zipstore\Tools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Programme\Net Transport\NTIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\RunServices: [Microsoft Cvrt] mscvrt32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: CAPIControl.lnk = ?
    O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Net Transport\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Net Transport\NTAddLink.html
    O10 - Unknown file in Winsock LSP: c:\programme\steganos internet anonym 5\sselsp.dll
    O10 - Unknown file in Winsock LSP: c:\programme\steganos internet anonym 5\sselsp.dll
    O10 - Unknown file in Winsock LSP: c:\programme\steganos internet anonym 5\sselsp.dll
    O10 - Unknown file in Winsock LSP: c:\programme\steganos internet anonym 5\sselsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.arcor.de
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall...meInstaller.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7477F575-8C3E-472C-8CB5-DCA02461F70C}: NameServer = 145.253.2.139 145.253.2.81

    ok here is the logfile with the recent version of Hijack this.

    give me a hint what can be deleted plz ... and how to repair winsock?

    what about all these entries for IE search engines and start page? i start with web.de and that's the way i want it to do, can i delete the others??
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    They would be associated with something installed from this provider:

    http://www.steganos.com/en/

    Are you currently using any of those applications? Have they been uninstalled?

    You do have a worm showing in the Scanlog:

    O4 - HKLM\..\RunServices: [Microsoft Cvrt] mscvrt32.exe

    The registry entry should be "fixed" and the file itself deleted if it is still present.

    The R1 values in the Scanlog are "created"; that means if you fix them, they should stay deleted. The R0 ones represent "changed" values; that means if you "fix" them a default will be restored.

    You can also remove this:

    R3 - Default URLSearchHook is missing

    And this (of use to developers only):

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    =================
    If those Winsock entries remain after uninstalling the associated program (if that's what you want to do), you can repair the Winsock file by using lspfix

    http://www.cexx.org/lspfix.htm

    Have that downloaded and unzipped before you uninstall the program so that you can run the repair if the uninstall does not work right. You might lose internet access otherwise.

    To use lspfix you will have to move those selected protocols to the remove window and tell it you know what you are doing.
     
  3. seashell

    seashell Thread Starter

    Joined:
    Jun 22, 2003
    Messages:
    125
    Thx for all the info,


    do i have to uninstall that Steganos thing before i use lspfix?
    actually i installed it just the other day, i didn't mean to uninstall it again ...
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I would uninstall it if you have no use for it; it won't work without it, I'm sure, and if you were to launch it, it might try to recreate them.

    If you want to keep the application and you are not having any internet connectivity problems, you don't need to do anything.

    The HijackThis Scanlog is only reporting on what it doesn't recognize.
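
Added example, not part of the thread or of HijackThis itself: a small Python triage script that parses entries in the log format posted above, applies the R0/R1 meaning given in the reply, and counts how many O10 lines point at each Winsock LSP file. The `summarize` function, the report layout and the "no path" hint on autoruns are assumptions made for this illustration.

```python
import re
from collections import Counter

# Excerpt of the HijackThis v1.97.2 log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Microsoft Cvrt] mscvrt32.exe
O10 - Unknown file in Winsock LSP: c:\programme\steganos internet anonym 5\sselsp.dll
O10 - Unknown file in Winsock LSP: c:\programme\steganos internet anonym 5\sselsp.dll
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")    # "O4 - rest of line"
REG_VALUE = re.compile(r"^([^,]+),([^=]+?)\s*=\s*(.*)$")  # key,value name = data
AUTORUN = re.compile(r"^(.+?): \[(.+?)\] (.+)$")          # key: [name] command
HAS_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%|\\\\)')   # drive, %var% or UNC
LSP_PREFIX = "Unknown file in Winsock LSP: "

# Effect of fixing an R entry, as stated in the reply above.
R_FIX = {"R0": "changed value: fix restores a default",
         "R1": "created value: fix deletes it"}

def summarize(log_text):
    """Group HijackThis entries so each kind can be reviewed on its own."""
    report = {"ie_settings": [], "autoruns": [], "lsp_files": Counter(), "other": []}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        reg = REG_VALUE.match(body) if code in R_FIX else None
        run = AUTORUN.match(body) if code == "O4" else None
        if reg:
            key, name, data = reg.groups()
            report["ie_settings"].append((code, key, name, data, R_FIX[code]))
        elif run:
            key, name, cmd = run.groups()
            # Assumption (review hint, not a verdict): a command with no path
            # cannot be checked by location, so look that file up first.
            report["autoruns"].append((key, name, cmd, not HAS_PATH.match(cmd)))
        elif code == "O10" and body.startswith(LSP_PREFIX):
            # The same DLL is listed once per O10 line; count the repeats.
            report["lsp_files"][body[len(LSP_PREFIX):].lower()] += 1
        else:
            report["other"].append((code, body))
    return report

if __name__ == "__main__":
    for section, items in summarize(SAMPLE_LOG).items():
        print(section, dict(items) if section == "lsp_files" else items)
```
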
     
Short URL to this thread: https://techguy.org/165671
