
please help - my hjt log

15 replies to this topic

#1 alisonrae00

alisonrae00

  • Members
  • 25 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 17 November 2004 - 01:40 PM

I have been infected with this stupid swapx thing. My homepage always goes to http://t.swapx.cc/h.php?aid=20009. Please help me. I can barely use my computer anymore.

Logfile of HijackThis v1.98.2
Scan saved at 1:06:28 PM, on 11/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\nxdyiy.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alison\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://win-eto.com/hp.htm?id=9
F3 - REG:win.ini: load= pythizer.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\E1LRYR~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [oxfphdjvyvlib] C:\WINDOWS\System32\nxdyiy.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKLM\..\RunOnce: [5vygyd.exe] C:\WINDOWS\System32\5vygyd.exe /k
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\RunOnce: [5vygyd.exe] C:\WINDOWS\System32\5vygyd.exe /k
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O20 - AppInit_DLLs: 17n9tw6geto.dll

#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:02:03 PM

Posted 17 November 2004 - 02:10 PM

Hi, alisonrae00, no one likes the effects of this crud. I will take responsibility for helpin' you get rid of it. It might take 24 hours to get a custom fix worked up & through our double-checks and all. Best advice is to sit tight & limit your use 'til we get started. Really, you've probably done enough scans and head-scratchin' for now. Please be patient. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg

Posted 17 November 2004 - 05:42 PM

alisonrae00, while you wait patiently for some answers, please rearrange your HJT file/folder before we start. Once that is done, simply leave the computer on and don't reboot. Monitor can be shut off if you like. This particular problem changes somewhat when you reboot, so please post a fresh log...and after that ... just let it sit, OK?

Regarding the HijackThis: C:\Documents and Settings\Alison\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
should look like this C:\HJT\HijackThis.exe on your log. To make it that way: click Start-->My Computer-->Hard Disk Drive C:\-->File-->New-->Folder and name it HJT. The easiest thing to do now would be to download HijackThis 1.98.2 once again and extract to your newly created folder. If you wanted to move your present hijackthis.exe file from where it is now, it would require many more steps to accomplish the same thing. We will be cleaning out your C:\Local Settings\Temp\ (and all contents in it) as part of the "required fix - sequence" of steps, also. In this way the program will save backups automatically to its permanent folder and we may need them.

One more thing:
The free version of Weather Bug is generally considered to be adware. As such, it is up to you whether you wish to remove it or leave it installed. The information here and here may help you decide. If you wish to uninstall this: First, right click the WeatherBug icon in the systray and disable it, then go to Control Panel, open Add/Remove Programs and uninstall from there.

The latest version of WeatherBug only has a banner ad in the program itself. If yours is the latest version, and everything is cool, no problem. Let me know as a comment to your fresh log, please.

Here at bleepingcomputers we try to offer good free alternative programs that are also trouble-free when you run them with all the other ones we have you install or use when fixing your problems. Jaycee, a HJT Team member uses this: Weather Pulse

#4 phawgg

Posted 17 November 2004 - 07:21 PM

Transponders Some more preliminary information for you, alisonrae00. The entries that represent this problem can be eliminated using two programs we strongly recommend that you use. They can be run before you post that fresh log.

1. Use Spybot S&D & Update
  • Install and use this program with its TeaTimer option.
  • This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with this program on a regular basis, just as you would an antivirus software.
  • Check for updates when you do. A tutorial is available in a link below.
2. Use Ad-Aware & Update
  • Install, configure and use this program with the others.
  • It is very well thought of in its effectiveness; it complements the actions of the others.
  • It provides for additional plug-in specialty tools as well as an upgrade if you choose them.
  • Updates are frequent, so I suggest that you do both that and run the program regularly.
Tutorials covering these programs: Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer

One more, and this is the one that identified this part of your problem
3. Use SpywareBlaster & Update
  • Install and use this program
  • Adding a large list of sites/programs into your Browser settings, it protects you from running or downloading known malicious programs.
  • You may customize it if required to accommodate your individual needs, and updates are also frequently issued with new definitions added.
  • Make it a habit to run and update on a regular basis.
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

I know it's a lot to ask you to do. It will be worth it, however. (The information is usually given after you are clean, so please keep that in mind.) The SpywareBlaster will not eliminate the problem you now have, but it will prevent it from happening again. The Spybot S&D 1.3, in combination with Ad-Aware SE Personal 1.05, will likely clean it up, and we will then continue to get the others after you post another HJT log.
Thank you for your patience.

:thumbsup:

#5 alisonrae00

Posted 19 November 2004 - 01:14 PM

I have downloaded both ad-aware and spywareblaster on my computer, and neither will open. Help! (And please be aware that while I am not computer-illiterate, I don't know much about the inner workings.)

Thanks.

#6 phawgg

Posted 19 November 2004 - 01:25 PM

OK. Do you have icons on your desktop for each? Usually, by double-clicking the icon a dialog box will appear on your screen, the Installation Wizard, which leads you through the install process. No Wizard? Also, it's important that when you try to install these programs, you are not online, and you don't have other programs going. You should close the others that might be showing as buttons in the lowest area of your screen...what's called the task bar. Those programs, if any show that way, should be made large by clicking them, and then use the red square button with the white X on it in the very top right of your screen to close them. :flowers: If you have more "little icons" on the task bar, usually you can right-click on each one, and the menu that pops up will have some choice like "exit" or "close", or sometimes you must open it up to find the way to exit, end, or close it.

above said at some risk of having misinterpreted your "I'm not computer illiterate, but " comment, so continue...

Place your cursor on the task bar and right-click. Choose "Task Manager". The dialog box appearing has five tabs.
  • Applications - will show you what, if any, programs are currently running.
  • Processes - will show you current running processes
  • Performance will show you memory use & other "inner workings".
  • Networking - shows present online use figures.
  • Users - will give you access to some info about logged on users.
Quite often information found here can help us to track down why installation is not being allowed. Do you have problems when you install other programs? It might be another issue having to do with how you logon. Please let us know, we'll get to the bottom of this little mystery together.
:thumbsup:

Edited by phawgg, 19 November 2004 - 02:07 PM.


#7 alisonrae00

Posted 19 November 2004 - 02:32 PM

Spyware blaster installs, but then doesn't allow me to open the actual program. The ad-aware setup icon appears on my screen, but then won't open to the install wizard. What am I doing wrong? I never have problems downloading anything. I feel like this swapx thing has taken over my computer.

#8 phawgg

Posted 19 November 2004 - 02:43 PM

swapx is a particularly noxious number, I'll agree. One more Question, and then we can continue with what will be needed to get rid of it and the rest that is showing in your log.

What about installing the Spybot S&D? It could get some of those problems real easily for us.

#9 alisonrae00

Posted 19 November 2004 - 02:47 PM

I have spybot, and I usually run it every other day. I could not find anything about the teatimer on it that you had mentioned earlier, however.

#10 phawgg

Posted 19 November 2004 - 03:02 PM

Good. In Spybot, top of page: Mode-->Advanced-->click "Yes" to the pop-up alert-->Tools (on the left, now)-->Resident-->and read. "SDHelper" is checked by default & "TeaTimer" you must check to activate it. Simply leave it off for the moment, as it will alert you to any changes to your system before they actually occur by giving you the option to allow or deny them, which means the changes we will make, also. So, instead of discussing those variables, I'd rather get busy with your log, and it'll be a while yet before we are ready to post your individualized procedure. OK?

BTW, here is an example of "processes currently running" on my PC, which has WinXP Pro on it. If you see different processes, maybe a few, that are not any of these, take note of 'em. It might be useful to know. (You will just see the name.exe using your task bar - just the first names on the left of each line. :thumbsup: )

smss.exe 432 Windows NT Session Manager Microsoft Corporation
csrss.exe 480 Client Server Runtime Process Microsoft Corporation
winlogon.exe 504 Windows NT Logon Application Microsoft Corporation
services.exe 548 Services and Controller app Microsoft Corporation
svchost.exe 696 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 796 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 848 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 916 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 976 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1196 Spooler SubSystem App Microsoft Corporation
avgamsvr.exe 1304 AVG Alert Manager GRISOFT, s.r.o.
avgupsvc.exe 1440 AVG Update Service GRISOFT, s.r.o.
kpf4ss.exe 1480 Kerio Personal Firewall 4 - Service Kerio Technologies
kpf4gui.exe 1848 Kerio Personal Firewall 4 - GUI Kerio Technologies
kpf4gui.exe 1120 Kerio Personal Firewall 4 - GUI Kerio Technologies
nvsvc32.exe 1628 NVIDIA Driver Helper Service, Version 61.77 NVIDIA Corporation
wdfmgr.exe 1684 Windows User Mode Driver Manager Microsoft Corporation
alg.exe 420 Application Layer Gateway Service Microsoft Corporation
lsass.exe 560 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1156 Windows Explorer Microsoft Corporation
avgcc.exe 1544 AVG Control Center GRISOFT, s.r.o.
avgemc.exe 1560 AVG E-Mail Scanner GRISOFT, s.r.o.
TeaTimer.exe 1620 System settings protector Safer Networking Limited
firefox.exe 2240 Firefox Mozilla
procexp.exe 3400

Edited by phawgg, 19 November 2004 - 03:13 PM.


#11 alisonrae00

Posted 19 November 2004 - 04:52 PM

Okay, I'm ready to get rid of this CRAP whenever you are.

Thanks

#12 phawgg

Posted 20 November 2004 - 01:15 AM

alisonrae, let's go with this technique.

Please make sure to work through the fixes in the exact order that they're presented below. You should also print out or copy this page to Notepad. Screenshots are included to help you.

Copy the contents of the CODE Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]
You will need several tools on your desktop. Unlike HJT, you may run them from the desktop. All are .zip files (examples of zip files after extraction to the desktop). Please use these links to download them: You will also need to install Ad-Aware SE Personal 1.05 onto your PC, unless you already have this version. You should uninstall an older version before installing this, and immediately check for updates. Don't worry about this right now, alisonrae00.

Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer

Extract Killbox, open folder & choose extract to your desktop. "Finish". Open the folder and then double-click on Killbox.exe to start the program.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\17n9tw6geto.dll

Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Your computer will reboot.
Check if the C:\WINDOWS\System32\17n9tw6geto.dll
is still there, by running Killbox once again.

Start-->Add or Remove Programs-->Uninstall (if found) any instances of: Ebates/MoeMoneyMaker or VVSN, and consider uninstalling AWS/WeatherBug at this time here. If, having read the comments above, you decide to keep this, ignore any other references to deletions involving WeatherBug from here on.

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\E1LRYR~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: 17n9tw6geto.dll

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://win-eto.com/hp.htm?id=9
F3 - REG:win.ini: load= pythizer.exe

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [oxfphdjvyvlib] C:\WINDOWS\System32\nxdyiy.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe

O4 - HKLM\..\RunOnce: [5vygyd.exe] C:\WINDOWS\System32\5vygyd.exe /k
O4 - HKCU\..\RunOnce: [5vygyd.exe] C:\WINDOWS\System32\5vygyd.exe /k

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
Then consider these files for deletion also. As mentioned before, you may need the newest installation, which can be done later.
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

When you're sure that files marked for deletion are correct, click the Fix button and exit HJT.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, the previous steps may have eliminated them.) Do not delete main folders like C:\WINDOWS or C:\Program Files. Navigate to the folder locations or use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders", "sub-folders".

Delete

C:\"where ever it is" pythizer.exe<--this file only
C:\"where ever it is" winlogin.exe<--this file only
C:\WINDOWS\conscorr.exe<--this file only
C:\WINDOWS\web\related.htm<--this file only
C:\WINDOWS\System32\5vygyd.exe<--this file only
C:\WINDOWS\System32\nxdyiy.exe<--this file only
C:\WINDOWS\System32\E1LRYR~1.DLL<--this file only
C:\Program Files\VVSN<--this folder & contents only
C:\Program Files\Web_Rebates<--this folder & contents only
C:\Program Files\Ebates_MoeMoneyMaker<--this folder & contents only
C:\Program Files\AWS<--this folder & contents only

Extract CWShredder 1.59.1, open folder & choose to extract to your desktop. "Finish". Open the folder and double-click on the cwshredder.exe. Select Fix.

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds. If Ad-Aware is not yet installed, simply move to the next step.

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Extract HostFix. Open the zipped-folder and choose to extract to your desktop. Click "Finish". Then open the unzipped folder and double-click on the HostFix.exe file. With the program open, click "YES". This will restore the Hosts file.

Reboot your computer to go back to normal mode.
You may choose to move the programs on your desktop to a permanent folder or simply delete them, perhaps when you're certain the PC is clean.

Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had, and let us know if it's working better.)

#13 alisonrae00

Posted 21 November 2004 - 05:22 PM

I followed all of the instructions in the last reply, and this thing is still not gone! I am about to throw this computer into oncoming traffic. Here is my new hjt log:

Logfile of HijackThis v1.98.2
Scan saved at 4:19:04 PM, on 11/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\zrkecfe8m94vthd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\zrkecfe8m94vthd.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O20 - AppInit_DLLs: rs5v8r8w1y5ej87.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Thanks.

#14 phawgg

Posted 21 November 2004 - 05:36 PM

Don't :flowers: yet, alisonrae. This problem we are finding is tough because it 'morphs', which is to say it changes on reboots. Please consider it to be a hard-learned lesson beyond the scope of most others. I'm checking into it further beginning now. Patience is a virtue. Don't reboot, just let it run without doin' much of anything for the time being, please. :thumbsup: Thank you for following the instructions. Progress has been made, I assure you.
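What the helper does by hand across posts #12 and #14 (pick the entries that go on the fix list, then notice that the payload has been renamed on the next reboot) can be scripted. The block below is an added example written for this page; it is not a BleepingComputer or HijackThis tool and it runs offline. It parses the R/F/O lines of a HijackThis 1.98 log, flags the patterns the helper acted on above (start page on a non-vendor host, win.ini load=, unnamed BHO, "(no file)" toolbar, a DPF served through something other than http, a bare executable in the Startup folder, an AppInit_DLLs entry, and a file name one letter away from a core Windows process such as winlogin.exe), and diffs two logs by the part of each entry that survives a reboot (the BHO's CLSID, the AppInit_DLLs value name) so the renamed DLLs show up as the same entry changed rather than as fresh entries. The two log excerpts are copied from the logs posted in this thread; the trusted-host list, the core-process list and the flagging rules are my own assumptions, not anything HijackThis itself does.

```python
"""Triage and diff HijackThis 1.98 logs. Added example for this thread, not a
BleepingComputer or HijackThis tool; the two excerpts are copied from the logs
posted above, the host/process lists and flag rules are my assumptions."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind key value")
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"([a-z][a-z0-9+.-]*):(?://)?([^/\s]*)", re.I)
FILE_RE = re.compile(r'[^\\/\s"]+\.(?:exe|dll)', re.I)
TRUSTED_HOSTS = {"www.dellnet.com"}  # assumption: the OEM default seen in the logs
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Excerpts of the 11/17 and 11/21 logs posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F3 - REG:win.ini: load= pythizer.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\E1LRYR~1.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [oxfphdjvyvlib] C:\WINDOWS\System32\nxdyiy.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe
O20 - AppInit_DLLs: 17n9tw6geto.dll
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\zrkecfe8m94vthd.exe
O20 - AppInit_DLLs: rs5v8r8w1y5ej87.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
"""

def parse_entry(line):
    """Split one R/F/O line into (kind, key, value); the key is the part that
    survives a reboot (CLSID, registry value name, Run-key item name)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    kind, body = m.groups()
    clsid = CLSID_RE.search(body)
    if clsid:
        return Entry(kind, clsid.group(0), body)
    if kind == "O4" and "[" in body:  # O4 - HKLM\..\Run: [name] target
        hive, rest = body.split(": ", 1)
        end = rest.index("]") + 1
        return Entry(kind, hive + ": " + rest[:end], rest[end:].strip())
    if " = " in body:
        return Entry(kind, *body.split(" = ", 1))
    if ": " in body and kind != "O16":
        return Entry(kind, *body.split(": ", 1))
    return Entry(kind, body, "")

def lookalike(name):
    """Core process name exactly one substitution away from `name`, or None."""
    name = name.lower()
    for real in CORE_PROCESSES:
        if len(real) == len(name) and sum(a != b for a, b in zip(real, name)) == 1:
            return real
    return None

def reasons(e):
    """Why the entry belongs on a fix list; an empty list means leave it."""
    out = []
    # R lines carry the URL as the value; O16 lines put it after the last ' - '.
    url = URL_RE.match(e.value.rsplit(" - ", 1)[-1])
    if e.kind in ("R0", "R1") and url and url.group(2).lower() not in TRUSTED_HOSTS:
        out.append("start/search page points at untrusted host " + url.group(2))
    if e.kind == "F3":
        out.append("win.ini load=/run= is a legacy autostart nothing on XP needs")
    if e.kind == "O20":
        out.append("AppInit_DLLs loads this DLL into every process that maps user32")
    if e.kind == "O2" and "(no name)" in e.value:
        out.append("BHO registered without a name")
    if "(no file)" in e.value:
        out.append("component still registered but its file is gone")
    if e.kind == "O16" and url and url.group(1).lower() not in ("http", "https"):
        out.append("DPF fetched through non-http handler " + url.group(1))
    if e.kind == "O4" and e.key == "Global Startup":
        out.append("bare executable dropped into the all-users Startup folder")
    f = FILE_RE.search(e.value)
    if f and lookalike(f.group(0)):
        out.append("file name imitates " + lookalike(f.group(0)))
    return out

def findings(text):
    """Map each flagged log line to the reasons it was flagged."""
    entries = ((line.strip(), parse_entry(line)) for line in text.splitlines())
    return {line: reasons(e) for line, e in entries if e and reasons(e)}

def diff_logs(old_text, new_text):
    """Compare two logs by stable key, so a renamed payload shows as one
    'changed' entry instead of an unrelated removal plus addition."""
    def table(text):
        return {(e.kind, e.key): e.value for e in map(parse_entry, text.splitlines()) if e}
    old, new = table(old_text), table(new_text)
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    return changed, added, removed
```

Note what the rules deliberately do not try to catch: nothing about nxdyiy.exe or zrkecfe8m94vthd.exe is recognisably bad on its own (hkcmd.exe in the same folder is a legitimate Intel component and looks just as random), which is why the second log matters more than any name-based rule. The diff pairs the two O20 values and the two BHO DLLs through their stable keys and reports them as changed, and shows the Run item moving from [oxfphdjvyvlib] to [Control handler], which is the "morphs on reboot" behaviour described in the post above.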

#15 phawgg

Posted 22 November 2004 - 12:54 AM

Well, alisonrae, I need to go offline for 8 hours. If you need to turn off the computer, no big problem. Just turn it on when you like, and post a fresh log. The differences I see can be adjusted ...between it and the one I've analyzed. It shouldn't be very long between that point & our improved plan of action. If no changes, or the computer has been running, that's fine as well. Sorry for the delay.
