
Please help with this hijacker


  • This topic is locked
5 replies to this topic

#1 ridin4jc2000

ridin4jc2000

  • Members
  • 3 posts

Posted 21 October 2004 - 09:39 PM

I cannot get rid of this hijacker that keeps changing my home page to http://t.swapx.cc/h.php?aid=20009. PLEASE HELP!!!


HJT - Ridin4jc2000
Logfile of HijackThis v1.98.2
Scan saved at 9:34:31 PM, on 10/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\DW8VZN~1.DLL
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: 9tx4djmsft8df.dll


#2 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • Location:Whitby. Ont.

Posted 22 October 2004 - 05:17 AM

ridin4jc2000, welcome.

Please print this out and follow ALL these directions carefully.

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Find and delete if still present:
9tx4djmsft8df.dll
C:\WINDOWS\System32\DW8VZN~1.DLL
<== files

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\DW8VZN~1.DLL
O20 - AppInit_DLLs: 9tx4djmsft8df.dll


Reboot and install the prevention protection below, and help keep your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Ensure that Index.dat Suite is set up to empty the Temp folders, especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find, create the run.bat and reboot to have it remove what it finds.

{user} is the User Account ID.
Removal of infections and prevention protection should be done on ALL User Account IDs.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD, then run the install.bat in the ie-spyad folder, and SpywareBlaster; then keep them up to date, as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

Install Windows Service Pack 2 and ALL Critical Updates.

Edited by CalamityKen, 22 October 2004 - 05:22 AM.


#3 ridin4jc2000

ridin4jc2000
  • Topic Starter

  • Members
  • 3 posts

Posted 22 October 2004 - 06:26 AM

OK, it would not let me delete the .dll file.
index.dat would only give me a dos screen and not respond.

The Hijacker is still there and now he's pissed off.

Please help.

HJT - Ridin4jc2000 #2
Logfile of HijackThis v1.98.2
Scan saved at 6:25:29 AM, on 10/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\system32.exe
C:\Documents and Settings\User\My Documents\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.biz/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://try-this-search.biz/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://try-this-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.biz
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\DW8VZN~1.DLL
O4 - HKLM\..\Run: [system32.exe] C:\WINDOWS\System32\system32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...400/mcfscan.cab
O20 - AppInit_DLLs: 9tx4djmsft8df.dll
O21 - SSODL: eplrr9 - {A5E05CA3-A36C-4672-8672-AFB2886BDFD4} - C:\WINDOWS\System32\eplrr9.dll

#4 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • Location:Whitby. Ont.

Posted 22 October 2004 - 09:07 AM

ridin4jc2000, you are grappling with the infamous CoolWebSearch (CWS) hijackers.

Looks like the system has the Backdoor.SysXXX trojan, judging by the presence of C:\WINDOWS\System32\system32.exe
http://securityresponse.symantec.com/avcen...oor.sysxxx.html

index.dat would only give me a dos screen and not respond.

I do not understand this at all.

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Delete if still present:
C:\WINDOWS\System32\DW8VZN~1.DLL
C:\WINDOWS\System32\system32.exe
<== file

Note: You will probably find several files in the System32 folder, all created around the same time and with unusual names. Delete them all.

Is the system using the FAT32 hard disk file system?

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.biz/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://try-this-search.biz/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://try-this-search.biz/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://try-this-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://try-this-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.biz
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\DW8VZN~1.DLL
O4 - HKLM\..\Run: [system32.exe] C:\WINDOWS\System32\system32.exe
O20 - AppInit_DLLs: 9tx4djmsft8df.dll
O21 - SSODL: eplrr9 - {A5E05CA3-A36C-4672-8672-AFB2886BDFD4} - C:\WINDOWS\System32\eplrr9.dll


Reboot and install the prevention protection below, and help keep your friends from being infected on the Internet.

Empty the Recycle Bin.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD, then run the install.bat in the ie-spyad folder, and SpywareBlaster; then keep them up to date, as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

Install Windows Service Pack 2 and ALL Critical Updates.

Install an antivirus application and keep it updated daily.
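As an added example (not part of the thread or of HijackThis itself), a small triage script for log lines like the ones CalamityKen marks for fixing above: it flags IE start/search keys pointing at unfamiliar hosts, unnamed or random-named BHOs, autorun entries whose filenames mimic Windows components, any AppInit_DLLs value, and any SSODL entry. The trusted-host list, the decoy-name list and the known-stem allowlist are assumptions; the sample lines are copied from the logs posted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis logs quoted in this thread
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\DW8VZN~1.DLL
O4 - HKLM\..\Run: [system32.exe] C:\WINDOWS\System32\system32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: 9tx4djmsft8df.dll
O21 - SSODL: eplrr9 - {A5E05CA3-A36C-4672-8672-AFB2886BDFD4} - C:\WINDOWS\System32\eplrr9.dll
""".strip()

# Assumed policy values: hosts the user actually chose, and filenames that mimic real
# Windows components (the real logon process is winlogon.exe; System32 is a folder, not a program)
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}
DECOY_NAMES = {"system32.exe", "winlogin.exe"}
KNOWN_STEMS = {"mouse32a", "msnappau"}  # legitimate names that mix letters and digits

def looks_random(path):
    """True for names like 9tx4djmsft8df.dll or DW8VZN~1.DLL (letters mixed with digits)."""
    name = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    stem = re.sub(r"~\d+$", "", name)  # drop the 8.3 short-name suffix
    return stem not in KNOWN_STEMS and bool(re.search(r"\d", stem)) and bool(re.search(r"[a-z]", stem))

def triage(log_text):
    """Return (code, reason, line) for each HijackThis entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        code, _, rest = line.partition(" - ")
        if code in ("R0", "R1"):  # IE start/search page registry values
            host = urlparse(rest.split(" = ", 1)[-1]).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((code, f"IE page key points at untrusted host {host}", line))
        elif code == "O2":  # Browser Helper Object, loaded into every IE process
            if "(no name)" in rest or looks_random(rest.rsplit(" - ", 1)[-1]):
                findings.append((code, "unnamed or random-named BHO", line))
        elif code == "O4":  # Run keys and Startup folder
            target = rest.split("] ", 1)[-1] if "] " in rest else rest.split(": ", 1)[-1]
            if target.rsplit("\\", 1)[-1].lower() in DECOY_NAMES or looks_random(target):
                findings.append((code, "autorun entry with decoy or random filename", line))
        elif code == "O20" and rest.split(": ", 1)[-1].strip():  # AppInit_DLLs
            findings.append((code, "AppInit_DLLs loads a DLL into every process that uses user32.dll", line))
        elif code == "O21":  # ShellServiceObjectDelayLoad, loaded by Explorer at every logon
            findings.append((code, "SSODL entry runs under Explorer at logon", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

The known-good TeaTimer entry passes through untouched, which is the check that keeps a script like this from turning into a list of everything in the log.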

#5 ridin4jc2000

ridin4jc2000
  • Topic Starter

  • Members
  • 3 posts

Posted 22 October 2004 - 10:01 PM

I think I did everything you said, but I am still getting the http://t.swapx.cc/h.php?aid=20009 web page.

HJT Log File
Logfile of HijackThis v1.98.2
Scan saved at 10:01:06 PM, on 10/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\My Documents\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\U1FHCU~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: 6o9gi241j7e.dll

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA

Posted 25 October 2004 - 08:05 AM

I am sorry for interjecting here, but is there any way you can copy the following files to a folder called c:\submit. Then zip and email that folder to grinler@yahoo.com:

C:\WINDOWS\System32\U1FHCU~1.DLL
c:\windows\system32\6o9gi241j7e.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

If you cannot see the files, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

It looks like you have a new variant that we need samples of.

If you cannot copy the files for some reason, reboot into safe mode first, by following these steps:

How to boot into Safe Mode

Then try copying the files to c:\submit. Then reboot, zip the folder and email it to the above address.

Let us know if you run into any problems.



