
Your old pal http://t.swapx.cc/h.php?aid=20009


16 replies to this topic

#1 WWillie70

Posted 16 November 2004 - 05:17 AM

Hello y'all,

I tried to follow the steps in Grinler's post about removing this hijacker but I got confused because my 020 dll file showed up as being in D:\windows\system32\ (I don't know if that matters) and I couldn't delete it with the killbox program. Maybe I was typing it in wrong or something. Can someone please help me?...I can't use .exe programs, porn sites appear in my favorites list, and my homepage is that stupid search page "http://t.swapx.cc/h.php?aid=20009". Here is my hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 6:16:27 PM, on 11/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Mulberry\Mulberry.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - D:\WINDOWS\System32\VMEHV9~1.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll
O20 - AppInit_DLLs: lzxvwk09ns.dll

Hope to hear from someone soon. Thanks in advance!

Edited by WWillie70, 16 November 2004 - 03:56 PM.




#2 Daisuke


Posted 16 November 2004 - 04:19 PM

Hi
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 WWillie70


Posted 16 November 2004 - 05:28 PM

Thank you so very much for offering to help. :thumbsup:

Edited by WWillie70, 16 November 2004 - 05:32 PM.


#4 Daisuke


Posted 16 November 2004 - 07:25 PM

Hi

There is a suspect file in your log: nortonuptdate.dll
Please do me a favour, search for it, zip it and send it to my Yahoo! address: dsrk3r@yahoo.com

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Thank you

#5 WWillie70


Posted 17 November 2004 - 07:00 PM

Hey,

I just sent the file. Thanks again.

#6 Daisuke


Posted 17 November 2004 - 07:06 PM

Thanks.

It's Backdoor.Cmjspy.

I'll be back shortly with the fix.

#7 Daisuke


Posted 17 November 2004 - 07:16 PM

Hi

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll

Close all other windows and browsers, and press the Fix Checked button.

Search for and delete this file:
nortonuptdate.dll

Empty the Recycle Bin.

REBOOT your machine and post a new log please.

This is very important !

Please change all your passwords NOW !. This Backdoor is a keylogger.
Think about what you had done on your PC recently, and what information you may have entered while the PC was infected, and respond accordingly to protect yourself.

"Backdoor.Cmjspy is a Backdoor Trojan Horse that logs keystrokes to compromise private information." (Symantec)

Edited by cryo, 17 November 2004 - 07:17 PM.


#8 WWillie70


Posted 18 November 2004 - 09:18 PM

OK, I followed your steps. Thanks for the warnings. Here is my new log:

Logfile of HijackThis v1.98.2
Scan saved at 10:10:38 AM, on 11/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - D:\WINDOWS\System32\VMEHV9~1.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mod3] mod3.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [mod3] mod3.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mod3] mod3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll
O20 - AppInit_DLLs: lzxvwk09ns.dll

Thanks so much.

#9 mpfeif101


Posted 18 November 2004 - 09:26 PM

Hi there WWillie70,

Cryo will be gone for a few days so I will be reviewing your log until he gets back.
Spyware Aid - A guide and more to spyware

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

HijackThis! | Recommended Software | Help Wanted
| Search the Forums | Forum Guidelines
Faster, safer, better, free -> Posted Image Now 1.0 Final!

If you'd like to donate to the fight against spyware...
Donate to mpfeif101 |

#10 mpfeif101


Posted 18 November 2004 - 09:49 PM

First, are you running HJT from a CD drive or some place other than your main hard drive? If so, please run it from your main drive so that backups can be stored.

After doing this, run HJT again and place a check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - D:\WINDOWS\System32\VMEHV9~1.DLL

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [mod3] mod3.exe
O4 - HKLM\..\RunServices: [mod3] mod3.exe

O20 - AppInit_DLLs: lzxvwk09ns.dll

Close any open browsers and windows and click "Fix Checked".

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Go to Start -> Search

Search for "All files or Folders"

In Advanced Options, make sure:
Search System Folders is checked
Search Hidden Files and Folders is checked
Search subfolders is checked
Case sensitive is unchecked.

Then search for, and if found delete the following files:
lzxvwk09ns.dll
mod3.exe

Reboot into normal mode (just reboot as you normally would), post a new log, and tell me how the problems are coming.
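The kind of entry selected in the post above can be approximated mechanically. The following is an added example, not part of the thread and not HijackThis's own logic: it parses entries copied from the second log and flags a subset of them with assumed heuristics (IE pages pointing at a host outside an assumed `TRUSTED_HOSTS` list, unnamed BHOs or toolbars, autoruns given without a path, and any AppInit_DLLs value). The function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Entries copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System\blank.htm
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - D:\WINDOWS\System32\VMEHV9~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mod3] mod3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll
O20 - AppInit_DLLs: lzxvwk09ns.dll
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
AUTORUN = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumption: hosts the reviewer accepts as IE defaults; adjust per environment.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")

def review_reason(code, body):
    """Return why an entry deserves a manual look, or None."""
    if code in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        host = urlparse(value).hostname if value.lower().startswith("http") else None
        if host and not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            return "IE page redirected to " + host
    elif code in ("O2", "O3") and "(no name)" in body:
        return "unnamed browser add-on"
    elif code == "O4":
        m = AUTORUN.match(body)
        # A bare file name has no quotes and no directory component.
        if m and not m["cmd"].startswith('"') and "\\" not in m["cmd"].split()[0]:
            return "autorun '%s' has no path" % m["cmd"].split()[0]
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            return "AppInit_DLLs loads " + dlls
    return None

def triage(log_text):
    """Parse log text and return (code, reason) for each flagged entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            reason = review_reason(m["code"], m["body"])
            if reason:
                findings.append((m["code"], reason))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A flagged entry is a prompt for manual review, not a verdict; the unflagged lines (process list, O9 buttons) still need a human eye.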

#11 WWillie70


Posted 19 November 2004 - 03:15 PM

Hey again,

Thanks for the help. Everything seems to be running well now. Thanks so much. I have a couple things to ask you. Before I discovered y'alls site, I stupidly ran hijackthis and fixed/erased most of what appeared in the scan without asking a pro like you. I think this is the reason that I have lost javascript functionality in IE (My bank balance window won't pop up and I can't compose emails in my webmail program, etc). How do I know how much damage I did and what should I do to remedy the problem? Also, I just got Viruscan 8 and I used it to scan and clean my hard drives. It cleaned like 60 different files, but also had to quarantine some files b/c they were "unable to be cleaned." My question is whether or not it is OK to just leave the uncleanable files in the quarantine folder in the c drive. Other than that, thanks again for your help and here is my new hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 2:04:55 PM, on 11/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Documents and Settings\JhoJho\Desktop\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll

Later!

#12 mpfeif101


Posted 19 November 2004 - 08:01 PM

To address the question. Go into HJT then backups and see if you can restore to an earlier state. If not, (because it wasn't in a permanent folder), tell me.

As for deleting the quarantined stuff, I usually wait like a week to make sure it didn't delete anything bad then empty quarantine.

Log does look clean tho :thumbsup:

#13 WWillie70


Posted 20 November 2004 - 06:25 PM

Unfortunately, I don't have the backup state file from a few weeks ago when I performed my uninformed "cleanup" because I deleted the hijackthis folder after I wasn't able to fix the problems on my own. DOH! Anything I can do? Thanks, you've been a great help.

#14 Daisuke


Posted 20 November 2004 - 07:00 PM

Hi

Go to Start --> Run, and type cmd in the Open box, then click OK to open a command prompt.
Type sfc /scannow, note the space after sfc.

Insert your original Windows CD in the CD-ROM drive. This will restore your protected system files on your computer.

Please check your Internet Explorer settings:

A. Open Internet Explorer
B. Click Tools -> Internet Options ...
C. Click on the Advanced tab.
D. At the bottom of the window click the Restore Defaults button.

Click the Security tab
- click the Internet icon - press Default Level button
- click the Local icon - press Default Level button
- click the Trusted icon - press Default Level button
- click the Restricted icon- press Default Level button

Click the Advanced tab and press Restore Defaults.

When finished visit Windows Updates and install all available critical updates.

Tell me please if the problem is gone.

"I deleted the hijackthis folder after I wasn't able to fix the problems on my own. DOH! Anything I can do? Thanks, you've been a great help."

Reinstall the affected programs.

#15 WWillie70


Posted 21 November 2004 - 09:08 PM

My brother, who owned this computer before me can't find the Windows XP Pro CD, so I couldn't do the scannow thing. Is there any way to do it without the CD? Also, I followed your IE instructions and it didn't fix the jscript problem. Thanks again Cryo and mpfeif101.



