Swapx Browser Hijack
#1 pbpekh (Members, 2 posts)

Posted 12 November 2004 - 08:59 PM

I have tried to remove this trojan from my computer and it is continually coming back. I first used KillBox to remove the file on reboot and then ran CWShredder to remove the CoolWebSearch piece. I then ran Ad-Aware and it continually returns. Any ideas?

HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 8:50:51 PM, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\s87rkipsgkb9iy.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgbjpk1b6o.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
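
A triage pass over the log above, as an added example that is not part of the original post or of HijackThis itself. It pulls out the indicators a helper would look at first: the hijacked Start Page on an unexpected host, a BHO with no name, a toolbar whose DLL is already gone, filenames with digits wedged between letters (the sgbjpk1b6o / s87rkipsgkb9iy pattern that changes on every reboot), and the same odd binary appearing several times in the process list. The log excerpt is copied from the post; TRUSTED_HOMEPAGE_HOSTS and the random-name rule are assumptions of the example, not something HijackThis knows about.

```python
"""Triage a HijackThis log for CoolWebSearch-style indicators.

Added example; not part of the original post and not part of
HijackThis. The heuristics (random-looking filename, untrusted
start page host, nameless BHO, orphaned toolbar, repeated odd
process) are the example's own assumptions about what to look at.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpt of the HijackThis v1.97.7 log from the first post.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\WINDOWS\System32\sgbjpk1b6o.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\s87rkipsgkb9iy.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgbjpk1b6o.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"""

# A drive-letter path ending in .exe or .dll, spaces allowed.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll)', re.IGNORECASE)
# A digit run with a letter on both sides, as in "sgbjpk1b6o".
INTERIOR_DIGIT_RE = re.compile(r'[a-z]\d+[a-z]')
# Assumed for the example: hosts acceptable as the IE start page here.
TRUSTED_HOMEPAGE_HOSTS = {"www.dell.com", "www.msn.com", "www.google.com"}


def stem_of(path):
    """Lower-case filename without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def looks_random(stem):
    """Crude rule for machine-generated names; legit names like ipmon32 pass."""
    return len(stem) >= 8 and bool(INTERIOR_DIGIT_RE.search(stem))


def triage(log_text):
    """Return a list of (section, reason, offending line) findings."""
    findings, processes, section = [], Counter(), None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "procs"
            continue
        if section == "procs" and re.match(r'[A-Za-z]:\\', line):
            processes[line.lower()] += 1
            continue
        section = None  # any non-path line ends the process list
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1") and "=" in line:
            host = urlsplit(line.split("=", 1)[1].strip()).hostname or ""
            if host and host not in TRUSTED_HOMEPAGE_HOSTS:
                findings.append((tag, f"IE page setting points at untrusted host {host}", line))
        if tag == "O2" and "(no name)" in line:
            findings.append((tag, "BHO with no name", line))
        if tag == "O3" and "(file missing)" in line:
            findings.append((tag, "toolbar DLL is gone (file missing): orphan entry", line))
        for path in PATH_RE.findall(line):
            if looks_random(stem_of(path)):
                findings.append((tag, f"random-looking filename {stem_of(path)}", line))
    for proc, n in processes.items():
        if looks_random(stem_of(proc)):
            findings.append(("PROC", f"random-named process, {n} instance(s)", proc))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The random-name rule is deliberately crude: it will also flag a legitimate name such as mp3player, and it says nothing about a hijacker that picks dictionary words. It is a prompt for a human to look, not a verdict, which is the same footing HijackThis itself works on.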

#2 phawgg (Learning Daily; Members, 4,543 posts; Washington State, USA)

Posted 12 November 2004 - 09:15 PM

Hi, pbpekh, I'll check your log; it'll take some hours to get back to you.
A couple of things:
Please use the newest HijackThis and post a fresh log. HijackThis 1.98.2
The Spyware Begone should go. It's listed as bad.

The exact sequence of use of the tools is important, also. It's good you tried to clean it up, and I'm sure you will succeed next go-around, but it takes some time to post your advice, OK? Post as a reply right here. Thanks.

Edited by phawgg, 12 November 2004 - 09:16 PM.

patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg (Learning Daily; Members, 4,543 posts; Washington State, USA)

Posted 12 November 2004 - 10:27 PM

Also, the file names change on each reboot with this one. When you post the new HJT log, it will likely change things, so please hold tight a bit so we can nail this. I'll try to help asap. :thumbsup:

#4 pbpekh (Topic Starter; Members, 2 posts)

Posted 13 November 2004 - 09:32 AM

The computer that I am working on is not mine. It is my neighbor's and I haven't had an opportunity to rerun using the new version of HijackThis. He is running XP Service Pack 2. I will repost later today and I appreciate the help.

#5 phawgg (Learning Daily; Members, 4,543 posts; Washington State, USA)

Posted 13 November 2004 - 11:21 AM

OK. SP2 is alright, it wouldn't cause the problems or hinder the fix. I await your post. :thumbsup:

Edited by phawgg, 13 November 2004 - 11:22 AM.


#6 phawgg (Learning Daily; Members, 4,543 posts; Washington State, USA)

Posted 14 November 2004 - 12:23 PM

Hi, pbpekh I have some recommendations. t.swapx is one infection, there are others. In this case, I think the SpywareBeGone should be removed.

Please make sure to work through the fixes in the exact order that they're presented below. You should also print out or copy this page to Notepad. Screenshots are included to help you.

Copy the contents of the CODE Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]
You will need several tools on your desktop. Unlike HJT, you may run them from the desktop. All are .zip files; examples of zip files after extraction to the desktop are shown. Please use these links to download them:

You will also need to install Ad-Aware SE Personal 1.05 onto your PC, unless you already have this version. You should uninstall an older version before installing this, and immediately check for updates. Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\s87rkipsgkb9iy.dll (CoolWebSearch)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgbjpk1b6o.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan (not good)

The following entries are marked (1), unneeded at startup; you can save memory resources by starting those programs only if/when you need them. The programs themselves will do just fine without these entries. Or they are marked (2): programs that are not dangerous, but that it might be appropriate to consider deleting at this particular time, perhaps to re-install later if you choose to, when everything is working well and you can be certain no problems result from doing so.
You may simply leave them in for now, also. Your problems may go away after doing the above deletions. If they don't, we can take another look at possibly deleting them.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (1) Not Required at Startup - Application Launcher, System Tray access to Apple's "Quick Time" viewer from version 5 onwards
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe (1) (? this file unidentified. Something new you use, perhaps?)
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" (1) Not Required at Startup - Application Launcher, Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isn't required
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe (1) Not Required at Startup - Application Launcher
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe (2) Not Required at Startup - Application Launcher
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (1) Not Required at Startup - Application Launcher, Musicmatch Jukebox icon in the task tray. Often supplied with HP CD-RW drives. The program works fine without it
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (2) Not Required at Startup - Application Launcher
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (1) on many PCs EVNTSVC slows down boot-ups unacceptably, using up to 90% of CPU time at times.
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (1) Users Choice (application need to be run at startup, but is not system critical) Available via Start -> Settings -> Control Panel more info

When you're sure that files marked for deletion are correct, click the Fix button and exit HJT.

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, the previous steps may have eliminated them.) Do not delete main folders like C:\WINDOWS or C:\Program Files. We're looking for individual files, unless otherwise noted. The best way to find them is to use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders", "sub-folders" & perhaps "case sensitive" if you like.
Delete

C:\WINDOWS\System32\sgbjpk1b6o.exe<--this file only
C:\WINDOWS\system32\s87rkipsgkb9iy.dll<--this file only
C:\spywarebegone\SpywareBeGone.exe -FastScan

Consider deleting the particular files residing in their main folders below, for the reasons stated. Just leave them if you're not sure.
C:\Program Files\Yahoo!\browser\ybrwicon.exe<--this file only Leave it if you use it.

Reboot your computer to go back to normal mode.

Extract CWShredder 1.59.1: open the zipped folder and choose to extract to your desktop. "Finish". Open the folder and double-click on cwshredder.exe. Select Fix.

Reboot at least once, perhaps a couple of times to be sure it worked.

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Extract HostFix. Open the zipped-folder and choose to extract to your desktop. Click "Finish". Then open the unzipped folder and double-click on the HostFix.exe file. With the program open, click "YES". This will restore the Hosts file.

You may choose to move the programs on your desktop to a permanent folder or simply delete them, perhaps when you're certain the PC is clean.

Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had, and let us know if it's working better. Some additional options may exist.)

I have confidence in your success; no problem posting again if you're unsure though. Sorry it took me so long.
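
Before double-clicking a fix.reg that someone posted, it is worth reading what it will actually do to the registry. The following Python is added here as an example and is not part of the original post or of any tool the post names. It parses the REGEDIT4 syntax used above ([-KEY] deletes a key, [KEY] creates or opens one, "name"=- deletes a value, "name"=... sets one) and refuses a file that does anything other than delete narrowly scoped keys. FIX_REG is the file from the post; BAD_REG, the PROTECTED list and the allowed-hive default are constructed for the example.

```python
"""Audit a REGEDIT4 / Version 5.00 .reg file before merging it.

Added example, not part of the original post. FIX_REG is the post's
fix.reg; BAD_REG is a constructed counter-example that would wipe
HKLM\SOFTWARE and re-add the hijacker's Run value. PROTECTED and the
default allowed hive are the example's own assumptions.
"""
import re

KEY_RE = re.compile(r'^\[(-?)(HKEY_[A-Z_]+)(?:\\(.+))?\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

FIX_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]
"""

# Constructed counter-example (not from the post).
BAD_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Security Guard"="C:\\WINDOWS\\System32\\sgbjpk1b6o.exe"
"Old Entry"=-
"""

# Assumed: subtrees no cleanup file should ever delete wholesale.
PROTECTED = {
    r"hkey_local_machine\software",
    r"hkey_local_machine\system",
    r"hkey_current_user\software",
    r"hkey_classes_root\clsid",
    r"hkey_classes_root\interface",
    r"hkey_classes_root\typelib",
}


def parse_reg(text):
    """Return (op, key, value_name) tuples. Multi-line hex values are not handled."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, hive, sub = m.groups()
            current = hive + ("\\" + sub if sub else "")
            ops.append(("delete_key" if minus else "create_key", current, None))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "(Default)" if name == "@" else name[1:-1]
            ops.append(("delete_value" if data == "-" else "set_value", current, name))
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return ops


def audit(ops, allowed_hives=("HKEY_CLASSES_ROOT",)):
    """Reasons not to merge; an empty list means the file passed."""
    problems = []
    for op, key, name in ops:
        parts = key.split("\\")
        if parts[0] not in allowed_hives:
            problems.append(f"{op} on {key}: hive outside {allowed_hives}")
        if op == "delete_key" and (len(parts) < 2 or key.lower() in PROTECTED):
            problems.append(f"{op} on {key}: would remove a whole protected subtree")
        if op in ("create_key", "set_value"):
            label = f" [{name}]" if name else ""
            problems.append(f"{op} on {key}{label}: adds data, a cleanup file should only delete")
    return problems


if __name__ == "__main__":
    for label, text in (("fix.reg", FIX_REG), ("bad.reg", BAD_REG)):
        problems = audit(parse_reg(text))
        print(label, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Files exported by regedit on XP are UTF-16 with the "Windows Registry Editor Version 5.00" header rather than the ANSI REGEDIT4 form pasted in the post; read them with the right encoding before handing the text to parse_reg. The allowed hive is deliberately HKEY_CLASSES_ROOT only, because that is all the posted fix needs; widen it for a different fix, but keep the rule that a cleanup file deletes and never adds.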

#7 phawgg (Learning Daily; Members, 4,543 posts; Washington State, USA)

Posted 31 December 2004 - 06:41 PM

Closed. Lack of responses.
If you originated this thread, and need it re-opened:
You may also contact a HJT Team Member, and reference the link location address. Thanks. :thumbsup:

If referring to this thread for any other reason, you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.
