Win-ETO headaches


This topic is locked
4 replies to this topic

#1 Rommel

  • Members
  • 2 posts

Posted 17 November 2004 - 04:23 PM

Hey there. I'm computer knowledgeable and have tackled a friend's PC that was riddled with spyware. Using Ad-Aware, Spybot, HijackThis, and some other cleanup tools I've been able to get rid of everything except this blasted Win-Eto and a BHO that is related called 2YBUWE~1.DLL. I'll post the log and hopefully somebody can give me some more advice.

Logfile of HijackThis v1.97.7
Scan saved at 4:19:54 PM, on 11/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Spyware removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.148.168.53:80
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\2YBUWE~1.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Shortcut to apps on 'microhedge' (P).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\BIN\W3DBSMGR.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

-Romm

#2 ddeerrff

  • Retired
  • Malware Response Team
  • 2,723 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 17 November 2004 - 04:41 PM

You are using an outdated version of HijackThis. Please download and install the newest version, v1.98.2, from this HijackThis download site. The new version includes info that is required for this fix.

Post a new log from HJT v1.98.2.
Derfram
~~~~~~

#3 Rommel

  • Topic Starter
  • Members
  • 2 posts

Posted 18 November 2004 - 12:48 PM

New Log:

Logfile of HijackThis v1.98.2
Scan saved at 12:47:50 PM, on 11/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\SLK\Redi\Primary\Redi.exe
C:\Program Files\Meridian Software\Ovid\ovid.exe
C:\Program Files\Thomson Financial\Thomson ONE\ThomsonONE.exe
C:\PROGRA~1\THOMSO~1\THOMSO~1\SHARED~1.EXE
C:\PROGRA~1\THOMSO~1\THOMSO~1\RDCDDE~1.EXE
C:\Spyware removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.148.168.53:80
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\2YBUWE~1.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Shortcut to apps on 'microhedge' (P).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\BIN\W3DBSMGR.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: bdtk5h6oe8lig.dll
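
An added example, not from this thread and not part of HijackThis: a small Python triage script that reads HJT-style log lines such as the ones above and reports the entry classes a malware responder would look at first: IE search/start settings pointing at a host outside a short list of vendor defaults, any ProxyServer value, an unnamed BHO loaded from an 8.3 short-name DLL in System32, a Global Startup item whose filename is one letter away from a real Windows binary (winlogin.exe versus winlogon.exe), and a non-empty AppInit_DLLs value. The sample lines are copied from the log above; the EXPECTED_IE_HOSTS and PROTECTED_NAMES lists and the one-letter lookalike heuristic are my assumptions, not anything the thread states.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis v1.98.2 log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.148.168.53:80
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\2YBUWE~1.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: bdtk5h6oe8lig.dll
""".strip()

# Assumption: hosts a stock IE 6 install points its search/start settings at.
# Any other host in an R0/R1 URL is reported for a human to judge.
EXPECTED_IE_HOSTS = {"www.microsoft.com", "home.microsoft.com", "www.msn.com", "search.msn.com"}

# Assumption: legitimate Windows binaries whose names hijackers like to imitate.
PROTECTED_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
SHORT_NAME_RE = re.compile(r"~\d+\.\w+$")   # 8.3 short name such as 2YBUWE~1.DLL


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter-off lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the protected filename this name imitates, or None if it is genuine or unrelated."""
    name = name.lower()
    if name in PROTECTED_NAMES:
        return None
    for good in PROTECTED_NAMES:
        if edit_distance(name, good) == 1:
            return good
    return None


def triage(log_text: str):
    """Return a list of findings {section, reason, evidence} for an HJT-style log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        if section in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            setting = key.rsplit(",", 1)[-1]          # e.g. SearchURL, Start Page, ProxyServer
            if setting == "ProxyServer" and value.strip():
                findings.append(dict(section=section, reason="IE proxy server set", evidence=value))
            elif value.startswith(("http://", "https://")):
                host = urlparse(value).hostname or ""
                if host not in EXPECTED_IE_HOSTS:
                    findings.append(dict(section=section,
                                         reason=f"{setting} points at unexpected host {host}",
                                         evidence=value))

        elif section == "O2" and body.startswith("BHO: (no name)"):
            path = body.rsplit(" - ", 1)[-1]
            if SHORT_NAME_RE.search(path):
                findings.append(dict(section=section,
                                     reason="unnamed BHO loaded from 8.3 short-name DLL",
                                     evidence=path))

        elif section == "O4" and body.startswith("Global Startup:"):
            target = body.split(":", 1)[1].strip()
            filename = target.split(" = ")[-1].replace("\\", "/").rsplit("/", 1)[-1]
            good = lookalike_of(filename)
            if good:
                findings.append(dict(section=section,
                                     reason=f"startup item {filename} imitates {good}",
                                     evidence=target))

        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(dict(section=section,
                                     reason="AppInit_DLLs is non-empty (normally blank on XP)",
                                     evidence=value))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['reason']}: {f['evidence']}")
```

Run against the log above it produces six findings and leaves the legitimate O4 Run entry for Symantec's vptray.exe and the O9 "Related" buttons alone; the script only surfaces candidates, and the decision of what to fix stays with the person reading the log.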

#4 ddeerrff

  • Retired
  • Malware Response Team
  • 2,723 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 18 November 2004 - 01:58 PM

Welcome back Rommel.

It is a good idea to print or copy these instructions since you will not be able to access the Internet in SafeMode.

1. Download CWShredder from here.
After you download the program, unzip it to your desktop. Don't use it yet.

2. Download Ad-aware SE from here.
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items. Open Ad-aware and click the "Check for updates now" link and install any updates. Close Ad-aware. Don't use it yet.

3. Download System Security Suite from here.
Unzip it to your desktop. Install the program. Don't use it yet.

4. Download Hoster from here.
Unzip the program to your desktop. Don't use it yet.

5. Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


6. Download KillBox here: KillBox. Unzip it to your desktop.


Start Killbox.exe, select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\bdtk5h6oe8lig.dll

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot. Using Windows Explorer (Windows key+e), check if the file C:\WINDOWS\System32\bdtk5h6oe8lig.dll is still there. If it is, repeat the use of Killbox. If not, go to the next step.


7. Reboot into Safe Mode.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\2YBUWE~1.DLL

O4 - Global Startup: winlogin.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O20 - AppInit_DLLs: bdtk5h6oe8lig.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


8. Open Windows Explorer (Windows key+e), drill down and delete the following files and folders if found:

C:\WINDOWS\System32\2YBUWE~1.DLL <--File
C:\WINDOWS\System32\bdtk5h6oe8lig.dll <--File

Use Windows Search to locate the following file and delete it:

winlogin.exe <-- Carefully note the spelling. Do not delete the valid Windows file Winlogon.exe


9. Make sure all browser windows are closed and run CWShredder.exe. Start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

10. Run Ad-aware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let Ad-aware remove anything it finds.

11. With all windows and browsers closed, clean out temporary and Temporary Internet Files:

A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

12. Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge, say Yes. This will clear some registry entries left behind by the process.

13. Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

14. Run Hoster on your desktop, press Restore Original Hosts and press OK. Exit Program. This will restore the Hosts file.


15. REBOOT normally. Run HijackThis! again and post a new log.
Derfram
~~~~~~

#5 almo

  • Members
  • 1 post

Posted 28 November 2004 - 01:40 PM

Some additional info, not meant to undermine all this wonderful stuff posted here.

When I was recently infected with the win-eto hijacking, I noticed that it created a bunch of really long-named dll files in my c:\windows\system32 directory, like bsdkjha2dja23sdjsdh5gsdhgdh3.dll.dll.dll.dll.dll.dll and various other random combinations.

By displaying "details" in explorer and taking note of the time they were all modified (for me: Nov 24 1:12am), I simply looked for all other files modified at that time on my C drive.

When you mouse over the file name, most show that they are created by a bogus company "Melcosoft"; these files should be deleted.

Likewise, even though some files showed a different mod-time, when you moused over the filename, they showed the same create time as the original infection time.

Before deleting these files, take note of them or keep them in your recycle bin so you can refer back to them later on when you search for them in the registry.

I found numerous zero-byte files in my root directory (like msdos.exe, mssys.com, p.exe, q.exe, m.exe, n.exe, x.exe, y.exe, q250204.exe, ntldr.exe, tons of multilevel dll files) and numerous other files that are zero bytes. They were all either in C:\ or C:\windows\system32.

I deleted all of these. Some of the DLLs I had to reboot in safe mode and delete. Most of the DLLs are self-replicating; if you delete them, they show up in another form later on.

Next I searched through the registry for all dll file names that I deleted and some of the other ones to make sure they weren't there, as well as the win-eto website which automatically gets redirected to t.swapx or whatever it is. Wherever there was a bad entry I simply blanked out the data value.

I also noticed that my hosts file was blown away and some odbc-based software was messed up, which returned to normal once I removed all these crappy files and registry entries. My hosts file is still wiped but I have a backup.

And of course many weblinks were added to my IE favorites list for various porn sites. I deleted them too.

I didn't use any of the magical SW tools listed, but I'm sure they are quite useful; however, I have recently inoculated the registry using Spybot.

Hope this helps, Happy hunting!

a
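
The timestamp-clustering triage almo describes, written out as an added Python example (not almo's own code and not one of the tools mentioned in the thread): it walks a directory tree, groups files whose modification times fall within a couple of minutes of one another, and separately lists zero-byte .exe/.com/.dll files and DLLs with chained .dll.dll names. So that it runs offline it builds its own throwaway sample tree using the filenames quoted in the posts above and a constructed infection timestamp; the sizes, the 120-second gap and the three-file minimum are my assumptions. Against a real volume you would call scan() on that path instead of build_sample_tree().

```python
import os
import shutil
import tempfile

# Constructed sample data, not taken from any real machine. The filenames are the
# ones quoted in the thread above; the timestamp is an arbitrary epoch value.
INFECTION_TS = 1101258720            # constructed "infection time"
DAY = 86400
SAMPLE_FILES = [
    # (relative path, size in bytes, modification time)
    ("WINDOWS/system32/kernel32.dll", 4096, INFECTION_TS - 30 * DAY),
    ("WINDOWS/system32/user32.dll", 4096, INFECTION_TS - 20 * DAY),
    ("WINDOWS/notepad.exe", 4096, INFECTION_TS - 3 * DAY),
    ("WINDOWS/system32/bdtk5h6oe8lig.dll", 2048, INFECTION_TS),
    ("WINDOWS/system32/bsdkjha2dja23sdjsdh5gsdhgdh3.dll.dll.dll.dll.dll.dll", 2048, INFECTION_TS + 4),
    ("msdos.exe", 0, INFECTION_TS + 15),
    ("mssys.com", 0, INFECTION_TS + 15),
    ("p.exe", 0, INFECTION_TS + 40),
    ("ntldr.exe", 0, INFECTION_TS + 40),
]
EXECUTABLE_EXTS = {".exe", ".com", ".dll"}


def build_sample_tree() -> str:
    """Create a throwaway directory laid out like the drive root almo describes."""
    root = tempfile.mkdtemp(prefix="wineto_triage_")
    for rel, size, mtime in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (mtime, mtime))      # back-date the file to the sample time
    return root


def scan(root: str):
    """Walk root and return (relative path, size, mtime) for every regular file."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, st.st_size, st.st_mtime))
    return entries


def mtime_clusters(entries, gap_seconds=120, min_files=3):
    """Group files whose modification times are within gap_seconds of a neighbour.

    A burst of files written within a minute or two, as almo observed, is the lead;
    installers and Windows Update leave the same pattern, so every cluster still
    needs a human look before anything is deleted.
    """
    ordered = sorted(entries, key=lambda e: e[2])
    clusters, current = [], []
    for entry in ordered:
        if current and entry[2] - current[-1][2] > gap_seconds:
            if len(current) >= min_files:
                clusters.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_files:
        clusters.append(current)
    return clusters


def zero_byte_executables(entries):
    """Empty files carrying an executable extension, like the ones almo found in the root."""
    return [rel for rel, size, _ in entries
            if size == 0 and os.path.splitext(rel)[1].lower() in EXECUTABLE_EXTS]


def chained_dll_names(entries):
    """Filenames with repeated .dll suffixes (name.dll.dll.dll and so on)."""
    return [rel for rel, _, _ in entries if rel.lower().count(".dll") >= 2]


def cleanup(root: str) -> None:
    """Remove the throwaway sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        entries = scan(root)
        for cluster in mtime_clusters(entries):
            print(f"{len(cluster)} files modified within a 120 s window:")
            for rel, size, _ in cluster:
                print(f"    {rel}  ({size} bytes)")
        print("zero-byte executables:", zero_byte_executables(entries))
        print("chained .dll names:", chained_dll_names(entries))
    finally:
        cleanup(root)
```

On the sample tree the only cluster is the six files stamped at the infection time; the older system DLLs fall outside it. As almo notes, keep a record of what the cluster contained before deleting anything, since the same names are what you then search for in the registry.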