LSP Provider '' missing - hijack log enclosed

Discussion in 'adware, spyware & hijack cleaning' started by Yonder Wanderer, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. Yonder Wanderer

    Yonder Wanderer Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    2
    I've been having a problem where my internet connection has effectively died - this happened once before and between AdAware and Spybot, I was able to fix it. This seems to be slightly different. Naturally the first things I did when this started occurring were to run VirusScan, AdAware and Spybot. Both AA and SB cleared off a bunch of things. SpyBot found a DSO Exploit error that keeps reappearing every time I run SB. However, if I interpreted what I read correctly, this is an error with SB's coding, and the DSO Exploit has been removed.

    The piece I can't figure out from the Hijack log is:
    O10 - Broken Internet access because of LSP provider '' missing

    I did a search on LSP Provider missing and everything I found had a .dll file in the quotes. This is coming up without any file information. Any thoughts on what this may be or how to fix it? Any help would be much appreciated!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:41:55 PM, on 6/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider '' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8116.3102314815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab


    For reference, the Spybot log with the DSO exploit came back with this:

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1715567821-1580436667-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-25 Includes\Cookies.sbi
    2004-05-29 Includes\Dialer.sbi
    2004-05-28 Includes\Hijackers.sbi
    2004-05-28 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-28 Includes\Malware.sbi
    2004-05-04 Includes\Revision.sbi
    2004-04-12 Includes\Security.sbi
    2004-05-28 Includes\Spybots.sbi
    2004-05-24 Includes\Tracks.uti
    2004-05-28 Includes\Trojans.sbi
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Yonder Wanderer,

    Some spyware programs do put their files in the winsock, as do some legitimate programs, but if removed wrong, then the winsock entry also gets removed, which can break the chain. Then you have to repair the Winsock LSP chain to get your internet connection back. Although I have not seen it with no .dll showing before like it is in your Hijackthis log.

    You can try the LSPfix found here: http://www.cexx.org/lspfix.htm

    Read the instructions carefully, then run the application. You will see a list of files in the left hand pane and possibly some in the right hand pane. Do not change any of them, just tick the "I know what I'm doing" box and press "finish" and the program will do what's necessary.

    This thread will help explain about the DSO Exploit when running Spybot S&D and that it is a minor bug that will hopefully be fixed soon: https://www.wilderssecurity.com/showthread.php?t=32387
    Let us know how it works out.

    Regards,

    snap
     
  3. Yonder Wanderer

    Yonder Wanderer Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    2
    I tried running LSPFix and it didn't seem to do anything. On the 'remove' column there was a protocol listed that just appeared as: üP▌

    However, when I click 'Finish' it doesn't seem to do anything. I rebooted and reran LSPFix and the same strange protocol appeared in the 'remove column.'

    I'm fearing my next step's gonna be to format the hard drive and re-install from scratch.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi

    I have asked some of the others for suggestions, so hopefully someone will be able to figure out why you are seeing that O10 line there. But in the meanwhile, IMM (one of our SpywareFighters) has given me this link for you to try. This winsock fix is for XP. Maybe it will do the trick. :)

    http://danborg.org/spyware/Newnet/winsockxpfix.exe
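
Added example, not part of any post in this thread and not code from HijackThis or LSPFix: a small Python triage of the O10 (Winsock LSP) lines in a HijackThis log. It separates the case seen here, where the quoted provider name is empty, from a named missing DLL. The function names are hypothetical, and the sample log is constructed, except that its first O10 line is the one from the log above; the "Unknown file in Winsock LSP" line is another O10 form HijackThis writes and does not appear in this thread.

```python
import re

# "<section code> - <text>", e.g. "O10 - Broken Internet access ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
BROKEN = re.compile(r"^Broken Internet access because of LSP provider '(.*)' missing$")
UNKNOWN = re.compile(r"^Unknown file in Winsock LSP: (.+)$")


def classify_o10(text):
    """Classify the text of one O10 entry as (kind, provider)."""
    m = BROKEN.match(text)
    if m:
        name = m.group(1).strip()
        if not name:
            # The case in this thread: there is no file name to look up.
            return ("missing-provider-no-name", "")
        if name.isascii() and name.lower().endswith(".dll"):
            return ("missing-provider-dll", name)
        # A name is present but does not look like a DLL file name.
        return ("missing-provider-garbled-name", name)
    m = UNKNOWN.match(text)
    if m:
        return ("unknown-file-in-chain", m.group(1).strip())
    return ("other-o10", text)


def triage_lsp(log_text):
    """Return the classified O10 entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m and m.group(1) == "O10":
            findings.append(classify_o10(m.group(2)))
    return findings


# Constructed sample; example_lsp.dll is a placeholder name.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
O9 - Extra button: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider '' missing
O10 - Broken Internet access because of LSP provider 'example_lsp.dll' missing
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\example_lsp.dll
O12 - Plugin for .spop: C:\\Program Files\\Internet Explorer\\Plugins\\NPDocBox.dll
"""

if __name__ == "__main__":
    for kind, provider in triage_lsp(SAMPLE_LOG):
        print(f"{kind:32} {provider!r}")
```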
     