Infection with hjt log

Status
Not open for further replies.

swker98

Hi, I'm working on a friend's computer

I attached the log below

I got Ad-Aware, Spybot, Ewido, AVG, and CWShredder

I also don't wanna hook this thing up to the internet because I'm afraid it may attack the other computers on the network
 

The system is infected with quite a few nasties.

Download and run LSPFix from http://cexx.org/lspfix.htm

Use these instructions to remove the bad DLL:
1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select cwlsp.dll.
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.

6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
7. Delete the file: cwlsp.dll. Do NOT delete ANY other files!
8. Restart your computer and bring it up in normal mode.

Then, go HERE and follow the instructions exactly.

Post a fresh HJT log, only after doing the above.

Regards Howard :)

This thread is for the use of swker98 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Just a quick question, Howard

Is it safe to hook this computer up to my router or will it infect all of the computers on it

And I only have access to one account on this computer, does this matter


Edit: I'm already in safe mode, can I use LSP fix while in safe mode?
 
I'd say, until your system is clean, just directly hook it up to the net on its own. That way, there's no chance of anything else getting infected.

I'm not sure whether you can use lsp fix in safe mode, but by all means give it a try.

Regards Howard :)
 
OK, will do, thanks Howard
Will post a HJT log in about a half hour

Do you want the log from safe mode or regular bootup
 
Post a fresh HJT log from normal mode, after you've completed the instructions.

Regards Howard :)

 
howard_hopkinso said:
Post a fresh HJT log from normal mode, after you've completed the instructions.

Regards Howard :)

what do you mean delete



6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
7. Delete the file: cwlsp.dll. Do NOT delete ANY other files!
8. Restart your computer and bring it up in normal mode.


where is it located
 
I'm getting an access denied message

And yes, I am in safe mode and did run the program in regular mode
 
Will do now

I cannot get online to update any of the tools

I'm thinking this may be from the infections

With smitfix do I clean the registry?
 
Let's see if we can get some of your nasties cleaned up a bit.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Mywebsearch
Viewpoint\Viewpoint Toolbar
Starware
O2Micro\SuperDJ

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ViewMgr.exe
mwsoemon.exe
Monitor.exe

Close task manager.

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll

O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Global Startup: Digimax Viewer 2.1.lnk = ?

O4 - Global Startup: Event Reminder.lnk = ?

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCYYYYYYYYUS

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?e05859a2e44e420ea32ccf565d44a6 4c

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?e05859a2e44e420ea32ccf565d44a6 4c

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

O16 - DPF: {11111111-1111-1111-1111-111191113457} -

O16 - DPF: {11111111-1111-1111-1111-511111193457} -

O16 - DPF: {11111111-1111-1111-1111-511111193458} -

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} -

O16 - DPF: {33331111-1111-1111-1111-611111193457} -

O16 - DPF: {33331111-1111-1111-1111-611111193458} -

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\System32\vbsys2.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\Viewpoint
C:\PROGRA~1\MYWEBS~1
C:\Program Files\O2Micro
C:\Program Files\Starware

I have done some research on the cwlsp.dll file and it appears it's perfectly safe. So no need to use the LSP fix programme.

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
Thanks, I'm working on RBS instructions on running those programs

Then I'll post a new HJT log

I'm trying to get this done, I need to return the computer by tomorrow

Thanks for your help ;)
 
That's looking quite a lot better. Now follow as many of the instructions as you can in this thread HERE.

Post a fresh HJT log, only after completing the above. Also, let me know how the system is running.

Regards Howard :)
 
I have done all of those

I'm also having a problem connecting to the net
I keep getting limited or no connectivity

Can this be from a virus or infection?


Edit

What else scares me is that when I plug the ethernet in
it gets slower, but when I unplug it it's better and I only get the limited or no connectivity error
 
Ok, we'll carry on with the manual fixes.

Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3

O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\PROGRA~1\UNINST~1.DLL,O -3

Reboot into normal mode and turn system restore back on.

Run the LSP fix again.

Then click start/run and type cmd into the run box and press the enter key.

When the command window appears type ipconfig /all and press the enter key. Note the space between the ipconfig command and the forward slash. Then type exit and press the enter key.

Post a fresh HJT log and let me know how the system is running.


Regards Howard :)
 
When I run LSPFix I have 2 things in the remove when I start

cwlsp.dll


and


imslsp.dll

Do I want to remove both???
 
I noticed and I've edited my post to include the log. It kept telling me it was attached but apparently it wasn't
 
Have HJT fix this entry.

O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing

Then go and delete this bold file(if there).

c:\winnt\system32\cwlsp.dll

Other than the above, your HJT log looks clean.

Regards Howard :)
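
Added example (not part of any post in this thread, and not HijackThis's own code): a small Python parser for the HijackThis entry lines quoted in the fix lists above, labelling each entry by section code and flagging those whose target is absent, such as the `(no file)` toolbar and the O10 missing-LSP entry. The function names and note strings are this example's own assumptions.

```python
import re

# HijackThis section codes that appear in this thread.
SECTIONS = {
    "R0": "IE start/search page", "R3": "URLSearchHook",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context menu item",
    "O9": "IE extra button/menu item", "O10": "Winsock LSP",
    "O16": "ActiveX (Downloaded Program Files)",
    "O21": "ShellServiceObjectDelayLoad",
}
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Parse one HJT log line; return None if it is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body").rstrip()
    low, notes = body.lower(), []   # notes are this example's own labels
    if "(no file)" in low or "(file missing)" in low:
        notes.append("orphaned: target file absent")
    if code == "O10" and low.endswith("missing"):
        notes.append("broken LSP chain")
    if code == "O16" and body.endswith("-"):
        notes.append("no download source recorded")
    if code == "R0" and body.endswith("="):
        notes.append("empty value")
    clsid = CLSID_RE.search(body)
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "clsid": clsid.group(0) if clsid else None, "notes": notes}

def triage(log_text):
    """Return only the entries that carry at least one note."""
    entries = (parse_entry(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["notes"]]

# Sample lines copied from the fix lists in this thread.
SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing
O16 - DPF: {11111111-1111-1111-1111-111191113457} -
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\System32\vbsys2.dll (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["code"], e["section"], e["clsid"] or "-", "; ".join(e["notes"]))
```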
 