SWAPX


43 replies to this topic

#1 shanksman


Posted 13 November 2004 - 12:35 PM

Help! I've been attacked by the SWAPX program. It has taken over my homepage as http://win-eto.com/hp.htm?id=31403. It also takes over my web pages as I try to browse the net. I couldn't even link to the instruction page to download my register log. I've downloaded spybot and got a temporary fix but the problem quickly came back.


#2 phawgg


Posted 13 November 2004 - 12:41 PM

You posted in the right place, shanksman. We need a HJT log to get busy fixin' that problem.
Create a directory on your hard drive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers, Malware, & Spyware
patiently patrolling, plenty of persistent pests n' problems ...

#3 shanksman


Posted 13 November 2004 - 12:56 PM

Thanks so much for your help! I figured this log part out. Here it is.

Logfile of HijackThis v1.98.2
Scan saved at 10:54:37 AM, on 11/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Shank\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IKGL00~1.DLL
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: dk9vm6wnhh6.dll
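The last five lines of this log (the win-eto.com R0/R1 settings, the unnamed O2 BHO loaded from an 8.3-style DLL name, the O4 Global Startup item and the O20 AppInit_DLLs value) are the kind of entries an HJT helper reads first. The script below is an added example, not code from the thread, from HijackThis or from the helpers' fix: it triages lines in this log format and also flags a Global Startup name that is one character off a real Windows binary (winlogin.exe vs winlogon.exe); the allow-lists and the sample log are constructed.

```python
"""Triage a HijackThis log for hijacker indicators (added example for this
thread; not HijackThis code and not the helpers' fix). It reads the R0/R1,
O2, O4 and O20 line formats seen in the logs above. All lists are constructed."""
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = {"www.msn.com", "www.yahoo.com", "www.microsoft.com"}  # constructed
KNOWN_STARTUP = {"desktop.ini"}  # constructed allow-list for Global Startup items
# Real Windows binary names that hijackers like to imitate (e.g. winlogin.exe).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

R_LINE = re.compile(r"^R[01] - .+? = (?P<url>\S+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_GLOBAL = re.compile(r"^O4 - Global Startup: (?P<file>.+)$")
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>.+)$")


def looks_like_system_binary(name):
    """True if name is exactly one character off a real system binary name."""
    name = name.lower()
    return any(len(name) == len(real) and name != real
               and sum(a != b for a, b in zip(name, real)) == 1
               for real in SYSTEM_NAMES)


def triage_hjt(log_text):
    """Return (severity, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append(("high", f"IE setting redirected to {host}", line))
        elif m := O2_LINE.match(line):
            # An unnamed BHO loaded from an 8.3-style DLL has no vendor to account for it.
            if m.group("name") == "(no name)" or "~" in m.group("path"):
                findings.append(("high", "unnamed BHO from short-name DLL", line))
        elif m := O4_GLOBAL.match(line):
            f = m.group("file")
            if looks_like_system_binary(f):
                findings.append(("high", f"startup item imitates a system binary: {f}", line))
            elif f.lower() not in KNOWN_STARTUP:
                findings.append(("medium", "unrecognised Global Startup item", line))
        elif m := O20_LINE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # a non-empty value on a home PC is almost never legitimate.
            findings.append(("high", f"AppInit_DLLs set to {m.group('dll')}", line))
    return findings


# Constructed sample: four lines from the thread plus one benign search page.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IKGL00~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: dk9vm6wnhh6.dll
"""
```

Running `triage_hjt(SAMPLE_LOG)` returns four "high" findings; the msn.com search page line produces none.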

#4 phawgg


Posted 13 November 2004 - 01:40 PM

:thumbsup: we're gettin' there. A couple more things to take care of first, then we get'em!!

The HJT ended up in a temp file, notice? C:\Documents and Settings\Shank\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe should look like this C:\HJT\HijackThis.exe on your log.
To make it that way: click Start-->My Computer-->Hard Disk Drive C:\-->File-->New-->Folder and name it HJT. The easiest thing to do now would be to download HijackThis again, this time, un-zip it To: C:\HJT folder, the one you just made, by using "Browse" when shown that in the Wizard. Otherwise you would have to show Hidden Files and locate the present file in your Temp folder and Move To: your new folder. One way or the other. :flowers:

Your log shows that you are seriously behind on windows updates. It is essential that you update your windows before we continue to help you as the infections could reoccur. Go to Windows Updates and if it asks to install software, let it. Then click on the Scan link and let it do its thing. When it's done you will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed.

Then, post another HJT log as a reply to this post. There will be several other things to do. :trumpet: If you have questions or problems with these recommendations, please ask us for further answers. There are options regarding the updates, but give it a try so we know what your situation is before continuing with a fix that does take quite a few steps to do successfully.

Edited by phawgg, 13 November 2004 - 01:52 PM.


#5 shanksman


Posted 13 November 2004 - 01:59 PM

I presume that I am behind in my updates because I trust nothing. Therefore, I don't download anything from anyone! Thought that would protect me. I guess ignorance is bliss. :thumbsup:

By clicking on the windows update link from this post I immediately get routed to the nasty website that has taken over my computer. I tried to get there in a roundabout way and ran into the same problem. So far... I can't get to a few MSN pages nor my home page of yahoo.com. I believe I have everything correctly placed in the C drive now.

Logfile of HijackThis v1.98.2
Scan saved at 11:54:49 AM, on 11/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IKGL00~1.DLL
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: dk9vm6wnhh6.dll

#6 shanksman


Posted 13 November 2004 - 02:25 PM

Wait! I might have found a way around it. I think I am getting the updates now.

#7 phawgg


Posted 13 November 2004 - 02:26 PM

YES, that's better.

Therefore, I don't download anything from anyone!

I can see your point, since downloading is a common way to get into trouble. Here at BC we are very careful about what we offer, both in our HJT analysis and in other advice for that exact reason. We will need to have you download a few programs and also a few tools in order to restore your PC to the level of performance you should be experiencing. The updates since winXP was released have numbered nearly 40. I know, as when I reload that's what it used to take to bring it up-to-date! SP2 is a cumulative update meaning it covers all of those previous ones. Depending on what you have in the way of programs, some conflicts may cause some problems. It's a long story, kinda. Anyway, you can get by with a smaller version of the SP1A. This can be downloaded here
Once it is installed, you would then go back to Windows Updates, and it will recognize digitally that the SP1 is on your PC. This will auto-generate the service to display the critical and/or optional updates. I think they call them "express" or "custom" now. The download they request is an activeX applet that can be deleted after the process is done, and reloaded when getting updates later if you like. These updates we know are required, because it's been long enough now for the bad guys to have in place stuff that will exploit all PCs that are not updated. The privacy concerns are real, but we are between a rock & a hard spot in this area. They say they don't use your name for the wrong reasons and I have experienced no spam or problems from MS. You can also have Microsoft send you a CD for the complete SP2, to a post office box or your friend across town, too. That'll take about 10 days probably (maybe longer?), and you would still need to visit the update site in the future. (I have that CD, and it says right on it... use this and pass it on to a friend when you're done with it). They already have a new patch for SP2. Again, everyone's PC is different because of what is put on those operating systems, but some things are all the same. Online can present problems without the updates, and Online is where we are. I hope this helps you some. :thumbsup:

#8 shanksman


Posted 13 November 2004 - 03:59 PM

All right my friend. I think I have all the updates I need. I wasn't able to access the necessary websites to download the info. But I decided to try the icon in the bottom right corner of my laptop that I always ignore. It always says I have updates ready for downloading. After about 4 installs, shutdowns, and restarts... I think I have everything. Here is my new log. Hopefully, we can move forward.

Logfile of HijackThis v1.98.2
Scan saved at 1:56:16 PM, on 11/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\IKGL00~1.DLL
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: winlogin.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: dk9vm6wnhh6.dll

#9 phawgg


Posted 13 November 2004 - 04:03 PM

VERY GOOD, in record time. I will use your new log, prepare a custom fix sequence, have it checked over & then post back asap. Your patience will be appreciated. :thumbsup: You are indeed ready to rock n' roll, so to speak.

#10 shanksman


Posted 13 November 2004 - 04:07 PM

You rule! :thumbsup:

#11 phawgg


Posted 13 November 2004 - 04:17 PM

These steps are initial preparation ones, and while you wait for the exact details we need to clarify first, you might just as well do them. I always recommend using Spybot S&D 1.3 & Ad-Aware SE 1.05 together for best effectiveness.
Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find the most malware you can installed on your computer.
Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot
Ad-aware
If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.
Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.

Step 2:

Copy the contents of the CODE Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]

Step 3:

You will need several tools on your desktop. Unlike HJT, you may run them from the desktop. All are .zip files (examples of zip files after extraction to the desktop). Please use these links to download them. Don't use them yet. BTW, I say the same about Grinler who runs this show.

:thumbsup:

Edited by phawgg, 13 November 2004 - 04:18 PM.


#12 shanksman


Posted 13 November 2004 - 07:57 PM

After running Ad-aware I think the problem has been fixed. But while running the program it said it was going to quarantine 282 files. That communicates to me that the files are not removed... just segregated from other files on my hard drive. So I'm still leery that I don't have a permanent fix. I downloaded the tools you said to my desktop and am ready for your next instructions.

#13 phawgg


Posted 13 November 2004 - 08:20 PM

It shouldn't be long now. You will need to follow some sequential steps when using those tools, "steady as she goes". The Ad-Aware provides for deletion of quarantined files. But sit tight a little longer please, my advice is scrutinized by others on the Team, to ensure it is indeed the right advice. That's why we wait. :thumbsup: I'm goin' to run my Ad-Aware while waitin' so I can advise you exactly how that deletion from quarantine is done.

Open Ad-Aware. Click Open Quarantine List.

Highlight the file you want to delete (3 are shown in this example). Click delete.

Edited by phawgg, 13 November 2004 - 08:35 PM.


#14 shanksman


Posted 13 November 2004 - 09:18 PM

I'll wait for your go ahead. I really appreciate all your help!

#15 phawgg


Posted 13 November 2004 - 09:58 PM

I thought I'd post this to demonstrate what can be done while waiting. It was 10 minutes of well spent time. These updates also indicate quite a lot of time spent "behind the scenes" and aren't available on a daily basis because it is done for a program that is free & available world-wide and being used constantly by millions of people. Those "English help" updates indicate changes to the help menu in the program, also. I'll be checking on that now that this just came out. The approval to go ahead may still be unavailable for a good reason. :thumbsup:

new Spybot S&D update available

Edited by phawgg, 13 November 2004 - 09:59 PM.




