
HJT log


This topic is locked. 6 replies to this topic.

#1 Goober1128 (Members, 5 posts)
Posted 07 November 2004 - 05:00 PM

I found a tutorial for removing http://t.swapx.cc/h.php?aid=20009 as your startup page. It recommended running HJT to find a certain entry (you will have an O20 entry with a DLL that has a random filename). Well, I have no O20 entry but I am still hijacked by the t.swapx homepage hijacker. So, here is my HJT log file. Any help you can provide would be greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 3:34:27 PM, on 11/7/04
Platform: Windows 95 (Win9x 4.00.0950)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\CPIEXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\DMI\SIA\BIN\CSERVICE.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\DMI\sia\bin\os_ac.exe
C:\AVSUITE\AS2\AS2TRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\DMI\sia\bin\pnp_ac.exe
C:\WINDOWS\SYSTEM\FLNEJXVL5877D.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINSM32.EXE
C:\DMI\sia\bin\swi_ac.exe
C:\DMI\sia\bin\dmib_ac.exe
C:\DMI\sia\bin\logic_ac.exe
C:\DMI\sia\bin\sprof_ac.exe
C:\DMI\win16\bin\WINSL.EXE
C:\Program Files\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
D:\SPYWARE TOOLS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=srsapp.exe
F1 - win.ini: run=cservice.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\JDP6UU~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [VoyetraAudioStation2] C:\AVSUITE\AS2\AS2TRAY.EXE
O4 - HKLM\..\Run: [NAPopup] C:\RealTime\Setup\naudiort\None\napopup.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\FLNEJXVL5877D.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton CleanSweep\csinsm32.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .rpm: C:\Program Files\Netscape\Navigator\Program\PLUGINS\nppl3260.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {AD19DD06-EDDC-11D2-8C35-00105A0AE07A} (SearchCriteria.ucSearchCriteria) - http://www.co.jackson.mo.us/RecordsData/SearchCriteria.CAB
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab

Edited by Goober1128, 07 November 2004 - 05:01 PM.



#2 Daisuke, Cleaner on Duty (Members, 5,575 posts, Location: Romania)
Posted 07 November 2004 - 05:39 PM

Hi

Please move hijackthis.exe to a permanent folder, such as c:\hjt . This has to be done as HijackThis creates backups when you fix items.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Move\Unzip hijackthis.exe to the c:\HJT folder.

Download KillBox here:
KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\Windows\system\TGBRFV_5.dll
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System\TGBRFV_.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Run HijackThis!, press Scan, and put a check mark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\JDP6UU~1.DLL

O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\FLNEJXVL5877D.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab


Close all other windows and browsers, and press the Fix Checked button.

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Search for these files and delete them if found:
C:\WINDOWS\SYSTEM\JDP6UU~1.DLL <-- this file, filename starts with JDP6UU
C:\WINDOWS\SYSTEM\FLNEJXVL5877D.EXE <-- this file

Empty the Recycle Bin.

REBOOT normally.

Run HijackThis! again and post a new log.
Every day is virus day. Do you know where your recovery CDs are? Did you create them yet?

#3 Goober1128 (Topic Starter)
Posted 07 November 2004 - 06:04 PM

When I enter the file names in KillBox, press the red X button and say OK at the "delete on next reboot" confirmation box, I get an error saying "this program has performed an illegal operation and will be shut down." I looked at the details for this error and it's an error in KERNEL32.DLL. Any ideas about that?

#4 Daisuke, Cleaner on Duty
Posted 07 November 2004 - 06:24 PM

Hi

Any ideas about that?

No ideas ... but I have another solution.

Please move hijackthis.exe to a permanent folder, such as c:\hjt . This has to be done as HijackThis creates backups when you fix items.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Move\Unzip hijackthis.exe to the c:\HJT folder.

Open HijackThis, press the Config... button, then Misc. Tools button, and press Delete a file on reboot ...

Copy and paste the line below in the field labeled "File name"
C:\Windows\system\TGBRFV_5.dll

Press Open and when it asks if you would like to Reboot now, press the NO button.

Press again the Delete a file on reboot ... button.

Copy and paste the line below in the field labeled "File name"
C:\WINDOWS\System\TGBRFV_.exe
Press Open and when it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Run HijackThis!, press Scan, and put a check mark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\JDP6UU~1.DLL

O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\FLNEJXVL5877D.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab


Close all other windows and browsers, and press the Fix Checked button.

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Search for these files and delete them if found:
C:\WINDOWS\SYSTEM\JDP6UU~1.DLL <-- this file, filename starts with JDP6UU
C:\WINDOWS\SYSTEM\FLNEJXVL5877D.EXE <-- this file

Empty the Recycle Bin.

REBOOT normally.

Run HijackThis! again and post a new log.

#5 Goober1128 (Topic Starter)
Posted 07 November 2004 - 10:02 PM

OK, I have completed all the steps in your above post with the exception of deleting C:\WINDOWS\SYSTEM\JDP6UU~1.DLL. This file could not be found. Here is my latest HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 8:49:14 PM, on 11/7/04
Platform: Windows 95 (Win9x 4.00.0950)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\CPIEXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\DMI\SIA\BIN\CSERVICE.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\DMI\sia\bin\os_ac.exe
C:\AVSUITE\AS2\AS2TRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\DMI\sia\bin\pnp_ac.exe
C:\WINDOWS\SYSTEM\PWJL9UD7KZ.EXE
C:\DMI\sia\bin\swi_ac.exe
C:\DMI\sia\bin\dmib_ac.exe
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINSM32.EXE
C:\DMI\sia\bin\logic_ac.exe
C:\DMI\sia\bin\sprof_ac.exe
C:\DMI\win16\bin\WINSL.EXE
C:\Program Files\Norton CleanSweep\Monwow.exe
C:\WINDOWS\DESKTOP\SPYWARE TOOLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=srsapp.exe
F1 - win.ini: run=cservice.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\S2ZN30~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [VoyetraAudioStation2] C:\AVSUITE\AS2\AS2TRAY.EXE
O4 - HKLM\..\Run: [NAPopup] C:\RealTime\Setup\naudiort\None\napopup.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\PWJL9UD7KZ.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton CleanSweep\csinsm32.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .rpm: C:\Program Files\Netscape\Navigator\Program\PLUGINS\nppl3260.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {AD19DD06-EDDC-11D2-8C35-00105A0AE07A} (SearchCriteria.ucSearchCriteria) - http://www.co.jackson.mo.us/RecordsData/SearchCriteria.CAB

#6 Daisuke, Cleaner on Duty
Posted 08 November 2004 - 07:45 AM

Download CWShredder from here
After you download the program, unzip it into a directory. Don't use it yet.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

F1 - win.ini: load=srsapp.exe

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\S2ZN30~1.DLL

O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\PWJL9UD7KZ.EXE


Close all other windows and browsers, and press the Fix Checked button.

REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

Search for these files and delete them if found:
C:\WINDOWS\SYSTEM\S2ZN30~1.DLL <-- this file
C:\WINDOWS\SYSTEM\PWJL9UD7KZ.EXE <-- this file

Go to Start -->All Programs --> Accessories --> System Tools --> Disk Cleanup, and clean everything, especially temp files.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

REBOOT normally.

Run HijackThis! again and post a new log.
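The two logs in this thread show why a log reader works from an entry's stable identity rather than its file name: between the first and second log the BHO keeps CLSID {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} but moves from JDP6UU~1.DLL to S2ZN30~1.DLL, and the HKCU Run value [romahere2] keeps its name but now launches PWJL9UD7KZ.EXE instead of FLNEJXVL5877D.EXE. The script below is an added example and is not part of this thread or of the HijackThis tool. It parses HJT-style lines copied from the logs above (embedded as constructed sample input), flags the classes of entry Daisuke picked in posts #2 and #6, and compares the two logs by stable key so the re-randomised files show up as one changed entry rather than as one removed and one new entry. The trusted-host list, the "digit followed by a letter" random-name test and the "no friendly name" test for downloaded controls are heuristics assumed for this example, not rules from the thread.

```python
"""Parse HijackThis-style log entries, flag the entry classes a log reader
checks first, and compare two logs by a stable key instead of by file name.
Added example; the heuristics and the trusted-host list are assumptions."""
import re

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_HOST = re.compile(r"https?://([^/\s]+)")
# Digit immediately followed by a letter inside an upper-cased file stem:
# ATIKEY32 and OSA9 pass, FLNEJXVL5877D and PWJL9UD7KZ do not. Heuristic only.
RANDOMISH = re.compile(r"[0-9][A-Z]")
# Hosts the user can vouch for (assumption: the ISP page from Default_Page_URL).
TRUSTED_HOSTS = {"www.rr.com"}

# Constructed sample input: entries copied from the two logs in this thread.
LOG_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
F1 - win.ini: load=srsapp.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\JDP6UU~1.DLL
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\FLNEJXVL5877D.EXE
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {AD19DD06-EDDC-11D2-8C35-00105A0AE07A} (SearchCriteria.ucSearchCriteria) - http://www.co.jackson.mo.us/RecordsData/SearchCriteria.CAB
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab
"""
LOG_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
F1 - win.ini: load=srsapp.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\S2ZN30~1.DLL
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\PWJL9UD7KZ.EXE
O16 - DPF: {AD19DD06-EDDC-11D2-8C35-00105A0AE07A} (SearchCriteria.ucSearchCriteria) - http://www.co.jackson.mo.us/RecordsData/SearchCriteria.CAB
"""


def stable_key(sec, body):
    """Identity that survives a file rename: registry value, CLSID or Run value name."""
    if sec in ("R0", "R1"):
        return sec + ":" + body.split(" = ")[0]
    if sec == "F1":
        return sec + ":" + body.split("=")[0]
    if sec in ("O2", "O16"):
        m = CLSID.search(body)
        return sec + ":" + (m.group(0).upper() if m else body)
    if sec == "O4":
        m = re.match(r"(.*?)\[(.*?)\]", body)
        return sec + ":" + (m.group(1) + "[" + m.group(2) + "]" if m else body)
    return sec + ":" + body


def parse(log):
    """Return {stable_key: (section, body)} in log order; non-entry lines are skipped."""
    entries = {}
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            sec, body = m.group("sec"), m.group("body")
            entries[stable_key(sec, body)] = (sec, body)
    return entries


def random_name(body):
    """True when the launched file's stem looks machine-generated (heuristic)."""
    stem = body.split()[-1].rsplit("\\", 1)[-1].upper().split(".")[0]
    return bool(RANDOMISH.search(stem))


def flag(entries):
    """Return [(key, reason)] for the entry classes checked first in this thread."""
    hits = []
    for key, (sec, body) in entries.items():
        if sec in ("R0", "R1"):
            m = URL_HOST.search(body)
            if m and m.group(1).lower() not in TRUSTED_HOSTS:
                hits.append((key, "start/search page points at " + m.group(1)))
        elif sec == "O2" and "(no name)" in body:
            hits.append((key, "BHO with no name"))
        elif sec == "O4" and random_name(body):
            hits.append((key, "Run/Startup entry launching a random-looking file"))
        elif sec == "O15":
            hits.append((key, "site added to the Trusted zone"))
        elif sec == "O16" and "(" not in body:
            hits.append((key, "downloaded ActiveX control with no friendly name"))
    return hits


def diff(old, new):
    """Compare two parsed logs by stable key: (changed, removed, added)."""
    changed = {k: (old[k][1], new[k][1]) for k in old if k in new and old[k][1] != new[k][1]}
    removed = [k for k in old if k not in new]
    added = [k for k in new if k not in old]
    return changed, removed, added


if __name__ == "__main__":
    first, second = parse(LOG_1), parse(LOG_2)
    for key, why in flag(first):
        print("FLAG   ", key, "->", why)
    changed, removed, added = diff(first, second)
    for key, (before, after) in changed.items():
        print("CHANGED", key, "\n    was:", before, "\n    now:", after)
    print("REMOVED", removed)
    print("ADDED  ", added)
```

Run as a script it prints five flagged entries from the first log (the win-eto.com start page, the unnamed BHO, the [romahere2] Run value, the greg-search.com Trusted-zone entry and the Hiwire control) and then reports the BHO and [romahere2] entries as changed rather than removed-and-added, which is the signal that the same infection is re-creating itself under new names; the HKLM Default_Page_URL and the named county-records control are left alone.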

#7 Daisuke, Cleaner on Duty
Posted 28 November 2004 - 03:46 AM

Due to the lack of feedback this topic is closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
