Please help!... My HJT Log...

[vkumar97]

Logfile of HijackThis v1.99.0
Scan saved at 10:51:01 PM, on 2/2/05
Platform: Windows NT 4 SP5 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\LexStart.Exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\HPJETDSC.EXE
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\FLSHSTAT.exe
C:\WINNT\system32\starter.exe
C:\WINNT\system32\starter.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINNT\System32\tsmsetup.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\Profiles\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {9DC35253-7586-11D9-BD5C-005043A00977} - C:\WINNT\System32\qwsxp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iesp2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: Starter.lnk = system32\starter.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FLSHSTAT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: starter.lnk = system32\starter.exe
O12 - Plugin for .mid: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {11111111-1111-1111-1111-111111111111} - ms-its:mhtml:file://C:\foo.mht!http://195.225.176.25/user6/mstlb.chm::/1/e.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = microbio.ucla.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = microbio.ucla.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = microbio.ucla.edu lifesci.ucla.edu psych.ucla.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 164.67.7.17 164.67.7.18
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = microbio.ucla.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = microbio.ucla.edu lifesci.ucla.edu psych.ucla.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 164.67.7.17 164.67.7.18
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = microbio.ucla.edu lifesci.ucla.edu psych.ucla.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 164.67.7.17 164.67.7.18
O18 - Filter: text/html - {F7B6C936-7588-11D9-BD5C-00509F9A69F1} - C:\WINNT\System32\qwsxp.dll
O18 - Filter: tœ†5òÏTÆR - {9DC35252-7586-11D9-BD5C-00502CECACEC} - C:\WINNT\System32\qwsxp.dll
O18 - Filter: tœ†5òþEÆR - {F7B6C936-7588-11D9-BD5C-00509F9A69F1} - C:\WINNT\System32\qwsxp.dll

 

[dvk01]

Read all these instructions carefully, Print them out and download all the things mentioned before starting

WARNING: I have never tried Cwshredder or About:buster on NT4 so I don't guarantee that they will work on that system, but there is NO other known way of fixing this except a complete format and reinstall otherwise

First download CWshredder from http://www.intermute.com/spysubtract/cwshredder_download.html and install it and update it, DO not run it yet
Also
Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

Download pocket killbox from Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Now boot into safe mode

How to start your computer in safe mode

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {9DC35253-7586-11D9-BD5C-005043A00977} - C:\WINNT\System32\qwsxp.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iesp2.dll

O13 - WWW. Prefix: http://
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {11111111-1111-1111-1111-111111111111} - ms-its:mhtml:file://C:\foo.mht!http://195.225.176.25/user6/mstlb.chm::/1/e.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe

O18 - Filter: text/html - {F7B6C936-7588-11D9-BD5C-00509F9A69F1} - C:\WINNT\System32\qwsxp.dll
O18 - Filter: tœ†5òÏTÆR - {9DC35252-7586-11D9-BD5C-00502CECACEC} - C:\WINNT\System32\qwsxp.dll
O18 - Filter: tœ†5òþEÆR - {F7B6C936-7588-11D9-BD5C-00509F9A69F1} - C:\WINNT\System32\qwsxp.dll



now run killbox and paste each of these lines into the box, select standard file delete then press the red X button,say yes to the prompt then continue to paste the lines in in turn and follow the above procedure every time,


C:\WINNT\System32\tsmsetup.exe
C:\WINNT\System32\qwsxp.dll
C:\WINNT\System32\iesp2.dll


Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

then Run Cwshredder
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Run adaware

Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

AdAware SE from http://www.lavasoft.de/support/download
and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
and run it before the main adaware scan and follow it's directions
Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

NOW REBOOT

Run an online antivirus check from
http://housecall.trendmicro.com/

Make sure autoclean is ticked

reboot again

These hijackers are known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
Find shell.dll and right click on it. Choose Copy from the menu.
Open System32 and right click on an empty space in the window. Choose Paste from the menu.


control.exe may have been deleted.
See if control.exe is present in C:\winnt\system32
( I'm not sure if this file exists in NT4 either)

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.


then post a new hijackthis log to check

 

[vkumar97]

i downloaded cwshredder but when i click on it i get the following error message:

"The procedure entry point Module32First could not be located in the dynamic link library KERNEL32.dll"

how do i correct this?

thanks!

vikas

 

[dvk01]

I did warn you I didn't think it would run on NT4

I suggest you contact intermute support for this and ask their advice

there might be an additional file needed to download but very few security softwares support NT4 as it's well outdated

http://adsubtract.custhelp.com/cgi-...php?p_sid=GwjrpAsh&p_lva=&p_sp=&p_li=&p_srch=

 

[dvk01]

For now ignore the use cwshredder part and carry on and use adaware if that will run

then post a new HJT log so we can see

 

[dvk01]

You may well need to go to SP6a for NT4 to do anything
http://www.microsoft.com/ntworkstation/downloads/