Hi!

Some INFO:
I dont know what kinda Virus this is, but I hope that you can help me.
Some day ago i had CWS Trojan, but got reed of it when I manuel took care of it. So thats gone, atleast that is what adaware says. I still go my IE Hijacked by this res: Homepage. and its kinda enoying. AVG dont get read of it. It only says - Virus Detected. and it always the same map but with changed name. like C:\WINDOWS\syssv.exe or C:\WINDOWS\dj3d.dll. I tryed to take care of it with Hijackerthis. But it just dissipare temporary. I wait 1 min and its back!. I tryed CWR Shredder - nothing found. Spybot find a DSO Exploit that I can´t get reed of. It just disipare temporary, or the programm says that it finishied but it´s still there. I also tryed spy sweeper and couldn´t find anything.

My Hijackerthis LOG:

Logfile of HijackThis v1.97.7
Scan saved at 14:33:46, on 2004-07-05
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\winqa32.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Valve\Steam\Steam.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
W:\Anti-virus\Hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqnm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://saqnm.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://saqnm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqnm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://saqnm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\saqnm.dll/sp.html#96676
O2 - BHO: (no name) - {F69AA0DB-F421-F1A5-FE7E-80CCFBC0B008} - C:\WINDOWS\crqg32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [winqa32.exe] C:\WINDOWS\winqa32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


_________________________________________________________________

I have cleared the homepages serveral times, but they just always come back. i hate this shit and begg u to help me! thx.

Yours Nemii

Recommended Answers

All 14 Replies

  1. Make sure your settings allow you to view "Hidden files" & "hide protected operating system files" is unchecked. Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "winqa32.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  4. Scroll down and find the service called "Network Security Service".
  5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqnm.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://saqnm.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://saqnm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\saqnm.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://saqnm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\saqnm.dll/sp.html#96676

    O2 - BHO: (no name) - {F69AA0DB-F421-F1A5-FE7E-80CCFBC0B008} - C:\WINDOWS\crqg32.dll

    O4 - HKLM\..\Run: [winqa32.exe] C:\WINDOWS\winqa32.exe

  7. Reboot into Safe Mode - How do I boot into "Safe" mode? , and delete the following files:

    C:\WINDOWS\system32\saqnm.dll

    C:\WINDOWS\crqg32.dll

    C:\WINDOWS\winqa32.exe


    Reboot in Normal Mode.
    Download the file attached to this post and rename it to cwsuninst.reg
    Doubleclick it and confirm you want to merge it with the registry.
    Run HijackThis again and post a new log.

    File Attachment

    Extra notes
    If given full internet access this variant will delete:
    - your hosts file (good replacements can be found here or here )
    - Spybot S&D's BHO (download SDHelper.dll, put it in the Spybot folder (default is: C:\Program Files\Spybot - Search & Destroy\) and click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" > OK
    - control.exe: follow instructions here: http://www.spywareinfo.com/~merijn/...es.html#control

omg! such advance things :P. I´ll give it a try. I msg you when iam done. btw, thx for help.

donot give such big logs/

just say what is the name of trojan and say what programs u have installed recently.

that is enough to ensure u to remove it up from the system.

How do I make the File to reg? I can´t find the "button" for it..

oh. i forgot. I didnt find any of the files u told me.

C:\WINDOWS\system32\saqnm.dll

C:\WINDOWS\crqg32.dll

C:\WINDOWS\winqa32.exe

so i think they are gone, am i right?

The link to SDHelper.dll dosent work.. u got any other?

You may have to try a google search for *winfiles.html*

As I mentioned, you need to post a new log after doing the fix.

WebHoststalk, a full log is required in order to correctly diagnose problems. Perhaps you can tell us why not to post the full log??

here u go then!

Logfile of HijackThis v1.97.7
Scan saved at 23:19:19, on 2004-07-07
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
W:\Anti-virus\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


NOTE

My computer have worked better than ever since I fixed that u said.
But, if it anything else. tell me

This is a must.

Please go here & install ALL critical updates required for your system.

XP & IE both need service pack 1.

Okay. u want a log of the new?

No. Based on your last log, you are fine. Just be sure to get the updates.

got em. took a while. but finally got em! :D

Now just keep 'em got!! :)

Thx for everything. Hope my computer stay this way or i will come to you again ;D. Like i said. Thx!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.