Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP! Been Hijack by t.swapx.cc


  • Please log in to reply
3 replies to this topic

#1 yeeman

yeeman

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 12 November 2004 - 01:32 AM

Can someone help me remove http://t.swapx.cc/h.php?aid=20009 from my computer? My homepage has been hijacked by this site, porn sites have been added to my bookmarks, and when I go to other sites it redirects me to t.swapx.cc.

I did read the post from http://www.bleepingcomputer.com/forums/ind...t=0&#entry27387
On How to remove the CWS SWAPX

I downloaded all the tools. I want to make sure I delete the right files. I'm little confused on what to do on steps 13 and 14.

Here is my HijackThis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\GREGORY YEE\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\QUICKENW\inet\common\blank.htm
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\JVF9VM~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\ahjinst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: winlogin.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/webinst.exe
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BaseComp
O17 - HKLM\Software\..\Telephony: DomainName = BaseComp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BaseComp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BaseComp
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: lhvz5lfy7gtj.dll

What do I remove?

Thanks for your help!

BC AdBot (Login to Remove)

 


#2 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 12 November 2004 - 02:36 AM

Hello yeeman,

Don't run HijackThis directly from a temporary file. Unzip it/move it to a folder all of its own. HijackThis makes back-ups of everything you fix in case something should go wrong. This way you can restore the back-ups if need be. Running from a temporary file doesn't save back-ups.

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Move HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Please delete the old copy so it can't be used.

You've already downloaded the required tools, so here are the steps to take:

Launch the KillBox:

Once launched, In the box where it says Full Path of File to Delete copy and paste this in there:

C:\WINDOWS\System32\lhvz5lfy7gtj.dll

With Delete on Reboot ticked with a dot, press the Red X.

Reboot your p.c.


Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\QUICKENW\inet\common\blank.htm
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\JVF9VM~1.DLL

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\ahjinst.exe
O4 - Global Startup: winlogin.exe

O15 - Trusted Zone: *.greg-search.com


Make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode then find and delete:


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe <-------- Delete this file.
C:\WINDOWS\ahjinst.exe <-------- Delete this file.
C:\WINDOWS\System32\JVF9VM.DLL <-------- Delete the .DLL file starting with these six letters (JVF9VM....)

Still in Safe Mode go to C:\Windows\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the that Temp folder.

Finally, go to Control Panel>Internet Options.
On the General tab under: Temporary Internet Files, click: Delete Files
Place a check by: Delete Offline Content when the prompt appears, and click OK.
Next, click on the Programs tab, then click: Reset Web Settings button.
Click Apply, then OK.

Also, empty the Recycle Bin.

Reboot into normal mode.

Now run CWShredder
Click Fix, don't just scan. Let it fix everything it asks about.

Now run Ad-Aware and Spybot. For best results follow the tutorials.

Now run the Hoster. This will restore your (possibly) deleted Hosts file.
Just press "Restore Original Hosts" and press "OK". Then exit Hoster.

Copy and paste the following to Notepad. Name the file as cws_swapx.reg . Change the Save as Type to All Files. Save this file on the desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


Then double-click on the cws_swapx.reg file located on your desktop and when it asks if you would like to merge the information, click on the Yes button.

Reboot, then post a new log and let us know how things are running. Please include the top section of your log so we can see which operating system etc. you are using.

Edited by Nirvana, 12 November 2004 - 02:42 AM.

"Computers are useless. They can only give you answers." <span style='color:red'>Pablo Picasso</span>

#3 yeeman

yeeman
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 15 November 2004 - 09:44 PM

PC and Browser is working great! :thumbsup:

Thank you!

#4 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 15 November 2004 - 09:55 PM

Can I see another HijackThis log (including the top bit) just to make sure nothing has been missed?
"Computers are useless. They can only give you answers." <span style='color:red'>Pablo Picasso</span>




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users