TechSpot

infection with hjt log

By swker98
Jul 31, 2006
  1. Hi, I'm working on a friend's computer.

    I attached the log below.

    I got Ad-Aware, Spybot, Ewido, AVG, and CWShredder.

    I also don't want to hook this thing up to the internet because I'm afraid it may attack the other computers on the network.
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The system is infected with quite a few nasties.

    Download and run LSPFix from http://cexx.org/lspfix.htm

    Use these instructions to remove the bad DLL:
    1. Run LSPFix.
    2. Check 'I know what I'm doing'.
    3. Select cwlsp.dll.
    4. Click the right-pointing arrow (moves it to the "remove" page).
    5. Click 'Finished'.

    6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
    7. Delete the file: cwlsp.dll. Do NOT delete ANY other files!
    8. Restart your computer and bring it up in normal mode.

    Then, go HERE and follow the instructions exactly.

    Post a fresh HJT log, only after doing the above.

    Regards Howard :)

    This thread is for the use of swker98 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Just a quick question, Howard.

    Is it safe to hook this computer up to my router, or will it infect all of the computers on it?

    And I only have access to one account on this computer. Does this matter?


    Edit: I'm already in safe mode. Can I use LSPFix while in safe mode?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I'd say, until your system is clean, just directly hook it up to the net on its own. That way, there's no chance of anything else getting infected.

    I'm not sure whether you can use LSPFix in safe mode, but by all means give it a try.

    Regards Howard :)
     
  5. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    OK, will do. Thanks, Howard.
    Will post an HJT log in about a half hour.

    Do you want the log from safe mode or regular bootup?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Post a fresh HJT log from normal mode, after you've completed the instructions.

    Regards Howard :)

     
  7. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    What do you mean, delete?



    6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
    7. Delete the file: cwlsp.dll. Do NOT delete ANY other files!
    8. Restart your computer and bring it up in normal mode.


    Where is it located?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    This is the full path to the file.

    c:\winnt\system32\cwlsp.dll

    Regards Howard :)
     
  9. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I'm getting an access denied message.

    And yes, I am in safe mode and did run the program in regular mode.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ok, forget the LSP fix for now and carry on with the rest of the instructions.

    Regards Howard :)
     
  11. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Will do now.

    I cannot get online to update any of the tools.

    I'm thinking this may be from the infections.

    With smitfix, do I clean the registry?
     
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Let's see if we can get some of your nasties cleaned up a bit.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there).

    Mywebsearch
    Viewpoint\Viewpoint Toolbar
    Starware
    O2Micro\SuperDJ

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    ViewMgr.exe
    mwsoemon.exe
    Monitor.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

    O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll

    O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

    O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?

    O4 - Global Startup: Event Reminder.lnk = ?

    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCYYYYYYYYUS

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?e05859a2e44e420ea32ccf565d44a6 4c

    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?e05859a2e44e420ea32ccf565d44a6 4c

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

    O16 - DPF: {11111111-1111-1111-1111-111191113457} -

    O16 - DPF: {11111111-1111-1111-1111-511111193457} -

    O16 - DPF: {11111111-1111-1111-1111-511111193458} -

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

    O16 - DPF: {24311111-1111-1121-1111-111191113457} -

    O16 - DPF: {33331111-1111-1111-1111-611111193457} -

    O16 - DPF: {33331111-1111-1111-1111-611111193458} -

    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\System32\vbsys2.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Viewpoint
    C:\PROGRA~1\MYWEBS~1
    C:\Program Files\O2Micro
    C:\Program Files\Starware

    I have done some research on the cwlsp.dll file and it appears it's perfectly safe. So no need to use the LSP fix programme.

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
  13. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Thanks, I'm working on RBS's instructions on running those programs.

    Then I'll post a new HJT log.

    I'm trying to get this done; I need to return the computer by tomorrow.

    Thanks for your help ;)
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Do the above, then post a fresh HJT log and let me know how your system is running.

    Regards Howard :)
     
  15. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Here's the updated log after I fixed what you posted.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That's looking quite a lot better. Now follow as many of the instructions as you can in this thread HERE.

    Post a fresh HJT log, only after completing the above. Also, let me know how the system is running.

    Regards Howard :)
     
  17. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I have done all of those.

    I'm also having a problem connecting to the net.
    I keep getting limited or no connectivity.

    Can this be from a virus or infection?


    Edit:

    What else scares me is that when I plug the ethernet in,
    it gets slower, but when I unplug it it's better, and I only get the limited or no connectivity error.
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ok, we'll carry on with the manual fixes.

    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3

    O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe

    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\PROGRA~1\UNINST~1.DLL,O -3

    Reboot into normal mode and turn system restore back on.

    Run the LSP fix again.

    Then click start/run and type cmd into the run box and press the enter key.

    When the command window appears type ipconfig /all and press the enter key. Note the space between the ipconfig command and the forward slash. Then type exit and press the enter key.

    Post a fresh HJT log and let me know how the system is running.


    Regards Howard :)
     
  19. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Will do, and I'll have a new log in 20 minutes.

    You're the best, Howard ;)
     
  20. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    When I run LSPFix I have 2 things in the remove when I start:

    cwlsp.dll

    and

    imslsp.dll

    Do I want to remove both???
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No, just the cwlsp.dll.

    Regards Howard :)
     
  22. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Here's the newest log.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You forgot to attach the HJT log.

    Regards Howard :)
     
  24. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I noticed, and I've edited my post to include the log. It kept telling me it was attached, but apparently it wasn't.
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Have HJT fix this entry.

    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cwlsp.dll' missing

    Then go and delete this bold file (if there).

    c:\winnt\system32\cwlsp.dll

    Other than the above, your HJT log looks clean.

    Regards Howard :)
     
Topic Status:
Not open for further replies.

