Hello,

I'm a beginner with PC, in that I used to use other people's PC before, so it is the first time I have to deal with a virus.
I apparently have an adware+virus: the Homepage on Internet Explorer is always "res://qcsmj.dll/index.html#37049" (the letters qcsmj change sometimes, I think when I use some kind of antivirus. In the beginning it was esfhg). When I go change the Home Page in the settings, it always comes back to this page. Pop-ups appear often.
I have tried crunchie's method from 4-22-2004 ("Re: Virus, ADware, or just explorer causing malfunctions- res://mshp.dll/http_404.htm"), with CWShredded, Ad-aware, Spybot Search and Destroy, and then Spywareblaster. I did exactly as you said, I believe.
But it did not work, so I launched HiJackThis, and here are the results in attachment.
I would very much appreciate your help. Frankly, I'm lost, I have no clue what to do, if it is serious, or if it will infect my files (word files, powerpoint, etc). Has someone taken control of part of my computer?
Thank you very much for your help.
Cheers,

Nils.

I used HiJackThis from the desktop in the first place, which I understand is not the way to go, so here is a new list of results.
Thank you very much.

Ok, so please find the HiJackThis log below.
Now not only do I have pop-ups and this weird homepage, but the PC has really slowed down.
I don't know if it is relevant, but I also have a "resolution assistant" black window (like a unix window, but without prompt) just after login. It quickly disappears.
I also have, a few minutes after login, a "motmon.exe" program (what is this?) that generates errors. By the way, I tried using CWShredder, Adaware, Spybot and Spywareblaster, even in safe mode. Didn't do any good.
So here is the HiJackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:53:27 AM, on 6/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\ntyf32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\System32\dpmw32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINNT\system32\sysfi32.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Nils\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qcsmj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qcsmj.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qcsmj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qcsmj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qcsmj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\qcsmj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {569AA196-61D1-0F02-5F53-742C17633A22} - C:\WINNT\sdkji32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [sysfi32.exe] C:\WINNT\system32\sysfi32.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37993.4475115741
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qcsmj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qcsmj.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qcsmj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qcsmj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qcsmj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\qcsmj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {569AA196-61D1-0F02-5F53-742C17633A22} - C:\WINNT\sdkji32.dll

O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [sysfi32.exe] C:\WINNT\system32\sysfi32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINNT\system32\sysfi32.exe <-- file
C:\WINNT\ntyf32.exe <-- file

Reboot normally & Go here for an on-line scan & set it to autoclean for you.
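As an added example (not code from this thread, from HijackThis, or from the helper who wrote the instructions above), the following Python script parses the R0/R1, O2 and O4 lines of a HijackThis v1.97 log and flags the kinds of entries marked for "fix checked" above: Internet Explorer start and search pages redirected to a res:// URL inside a DLL, a cleared SearchAssistant value, an unnamed BHO sitting directly in the Windows directory, and a Run entry that is either dropped into the Windows directory or registered under several Run/RunServices keys at once. The heuristics are drawn from this log alone, the sample is a constructed subset of it, and the Windows directory names C:\WINNT and C:\WINDOWS are assumptions; a hit is a lead to review against the full log, not proof on its own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log lines quoted in this thread,
# including known-good entries (Acrobat, Norton, Novell NDPS) as negative controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qcsmj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qcsmj.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {569AA196-61D1-0F02-5F53-742C17633A22} - C:\WINNT\sdkji32.dll
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [sysfi32.exe] C:\WINNT\system32\sysfi32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
"""

# Line shapes used by HijackThis v1.97 for the three entry types handled here.
R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?)\s*=\s*(.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")

# Assumption: the Windows directory is C:\WINNT or C:\WINDOWS.
WINDIR = re.compile(r"^C:\\(WINNT|WINDOWS)(\\system32)?\\([^\\]+)$", re.IGNORECASE)
# Heuristic from this log: droppers named as five letters plus "32" (sysfi32.exe,
# sdkji32.dll). Real files can match too, so it is only applied inside system32.
DROPPED_NAME = re.compile(r"^[A-Za-z]{5}32\.(exe|dll)$", re.IGNORECASE)


def parse(log_text):
    """Split a log into R, O2 and O4 entries; other line types are ignored."""
    entries = {"R": [], "O2": [], "O4": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            entries["R"].append({"key": m[2], "value_name": m[3], "value": m[4].strip(), "line": line})
        elif m := O2_LINE.match(line):
            entries["O2"].append({"name": m[1], "clsid": m[2], "path": m[3], "line": line})
        elif m := O4_LINE.match(line):
            entries["O4"].append({"hive": m[1], "key": m[2], "name": m[3], "command": m[4].strip(), "line": line})
    return entries


def windows_location(path):
    """'root' if the file sits directly in the Windows directory, 'system32' if in system32, else None."""
    m = WINDIR.match(path)
    if not m:
        return None
    return "system32" if m[2] else "root"


def flag(entries):
    """Return (reason, log line) pairs for entries matching the thread's hijack indicators."""
    findings = []
    for r in entries["R"]:
        if r["value"].lower().startswith("res://"):
            findings.append(("R-res", r["line"]))          # IE page redirected into a DLL resource
        elif r["value"] == "" and r["value_name"] in ("SearchAssistant", "CustomizeSearch"):
            findings.append(("R-empty", r["line"]))        # search setting cleared
    for b in entries["O2"]:
        if b["name"] == "(no name)" and windows_location(b["path"]) == "root":
            findings.append(("O2-windir", b["line"]))      # unnamed BHO dropped in the Windows root
    by_command = defaultdict(list)
    for o in entries["O4"]:
        by_command[o["command"].lower()].append(o)
        loc = windows_location(o["command"])
        filename = o["command"].rsplit("\\", 1)[-1]
        if loc == "root" or (loc == "system32" and DROPPED_NAME.match(filename)):
            findings.append(("O4-windir", o["line"]))      # autostart dropped into the Windows directory
    for group in by_command.values():
        keys = {(o["hive"], o["key"]) for o in group}
        if len(keys) >= 2:                                 # same command under several Run/RunServices keys
            findings.extend(("O4-multikey", o["line"]) for o in group)
    return findings


def suspicious_lines(log_text):
    """The de-duplicated list of log lines a reviewer would examine first."""
    return sorted({line for _, line in flag(parse(log_text))})


if __name__ == "__main__":
    for reason, line in flag(parse(SAMPLE_LOG)):
        print(f"{reason:12} {line}")
```

Entries with a full Program Files path and a recognisable vendor name (AcroIEHelper.ocx, vptray.exe, dpmw32.exe) pass through unflagged, which is the point of the negative controls: a tool like this narrows the log to the lines worth checking, and the decision to fix them still rests with a reviewer who knows what belongs on the machine.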

Thank you very much for your help.
I did exactly what you did. In the end housecall.trendmicro found three trojans that it couldn't clear, so I asked it to delete them:
TROJ SMALL.IQ in WINNT\system32\infamous_downloadr
TROJ STILEN.A in WINNT\system32\silent.exe
TROJ EMT.A in WINNT\CTRegRun.EXE

It is probably too early to say whether or not my PC is finally clear, but I want to thank you very much anyway for your help. I really appreciate what you do.
Thank you very much again.

Nils.

Well,

Thank you very much the both of you.
Crunchie your method worked, and I am very grateful.
However I still have a few minor questions:

- Spybot S&D still finds problems when I run it, does that mean I still have viruses? (see list below). Also, when I immunize, it says "1692 bad products already blocked, 18 additional protections possible". Should I do something?

- Finally, I seem to have lost SHELL.DLL in the process (or it wasn't there in the first place), so I cannot run a game that I bought a few days ago. Do you know how I can fix this?

Thank you VERY MUCH again.

Nils.


"ValueClick: Tracking cookie (Internet Explorer: Nils) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: Nils) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: Nils) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Internet Explorer: Nils) (Cookie, nothing done)

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2025429265-1383384898-1060284298-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

TargetNet: Tracking cookie (Internet Explorer: Nils) (Cookie, nothing done)"

It looks like only cookies are being found. No problem there. Unless you set your browser to reject cookies, you will always have some to delete. There appears to be a problem with Spybot bringing up the DSO exploit. Your best bet there would be to visit the Spybot forums for assistance in that regard. You could also make sure that your Windows system is up to date.
With the shell.dll, try downloading it from here: http://www.dll-files.com/dllindex/dll-files.shtml?shell
