
My internet startpage has been hijacked!


6 replies to this topic

#1 hoejgaard

hoejgaard

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:49 AM

Posted 20 November 2004 - 08:58 AM

I have a problem with my computer. My internet startup-page has been changed to t.swapx... something!

I have tried some removal methods, but they don't seem to fit my problem. I am using AVG scanner (can't find any viruses) and "Ad-Aware SE personal", which finds some spyware every time I scan. Is there anyone that can please help me?

PS. My computer is also running very slow. Could that be related to the t.swapx thing??


#2 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:12:49 PM

Posted 20 November 2004 - 11:11 AM

Hi

Download HijackThis from here.

Unzip the download into a permanent folder, like c:\hijackthis

Locate the folder, double-click on hijackthis.exe to launch it:
hit the button Scan. Once the scan is finished, the text of the button will change into Save Log.
Save it, open it with Notepad. Press Ctrl+A to select all, Ctrl+C to copy it, and paste its contents here as your next reply.

Remember that most items in the log are harmless or even essential, so do not fix anything yet.

Edited by illukka, 20 November 2004 - 11:14 AM.

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#3 hoejgaard

hoejgaard
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:49 AM

Posted 20 November 2004 - 11:18 AM

Logfile of HijackThis v1.98.2
Scan saved at 16:24:03, on 20/11/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\GSICON.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\dslagent.exe
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\temp\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=191
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=191
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RunMotive] C:\DOCUME~1\SORENA~1.SOR\LOCALS~1\Temp\RunMotive.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\ahjinst.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: UKOnLineSigningApplet - https://www.taxcredits.inlandrevenue.gov.uk...gningApplet.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C445712B-BC35-4D56-A400-E6B7E7D510EB}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6689284-220D-4803-928D-CADF9BE70A9F}: NameServer = 158.43.240.4,158.43.240.3

#4 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:12:49 PM

Posted 20 November 2004 - 12:10 PM

Hi

Just to double-check:

1. Download Registrar Lite: http://www.resplendence.com/reglite

2. Install "Reglite" and run it, enter (copy/paste the bold text) the following into the address bar and click the GO button.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

3. Double-click on AppInit_DLLs to open a "Data Editor" properties window. If the bottom text field named "Value" contains a .dll file, write it down and post the info here.

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#5 hoejgaard

hoejgaard
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:49 AM

Posted 20 November 2004 - 04:13 PM

Hi,

Thanks for your help. I tried what you suggested, but unfortunately the value line was empty and there was no text in the description box, so I am not quite sure what to do now.

Regards

#6 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:12:49 PM

Posted 20 November 2004 - 04:27 PM

Hi

OK, that'll supposedly help things; there is no hidden dll to expose.

It is a good idea to print or copy these instructions because you are not able to access the Internet in Safe Mode.

1. Download CWShredder from here.
After you download the program, unzip it into a directory. Don't use it yet.

2. Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

3. Download System Security Suite here:System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.

4. Download the Hoster from here. Unzip the program to your desktop. Don't use it yet.

5. Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


6. Download KillBox here: KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINNT\ahjinst.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.
Check if the C:\WINNT\ahjinst.exe is still there. If it is repeat step no.6. If not go to the next step.

7. Reboot into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=191
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=191

O4 - HKLM\..\Run: [RunMotive] C:\DOCUME~1\SORENA~1.SOR\LOCALS~1\Temp\RunMotive.exe

O4 - HKLM\..\Run: [Control handler] C:\WINNT\ahjinst.exe

O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan

Close all other windows and browsers, and press the Fix Checked button.

8. Search for these files and delete them if found:
C:\WINNT\ahjinst.exe <-- this file

Delete these folders:
C:\DOCUME~1\SORENA~1.SOR\LOCALS~1\Temp\ <-- delete the contents of the folder

9. Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

10. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

11. With all windows and browsers closed, clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab, tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

12. Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

13. Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

14. Locate Hoster on your desktop, press Restore Original Hosts and press OK. Exit Program. This will restore the Hosts file.

15. REBOOT normally. Run HijackThis! again and post a new log.

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
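The entries illukka singles out above (the win-eto.com start/search pages, the autostart running from a Temp folder, and ahjinst.exe) can be picked out of a HijackThis log mechanically. The script below is an added example, not part of this thread or of HijackThis, that applies those same rules to the R0/R1, O4 and O17 lines of the log posted earlier; the allowlist of recognised home-page hosts is an assumption, and O17 DNS servers are only listed for manual confirmation, since they are not wrong by themselves.

```python
import re
from urllib.parse import urlparse

# Constructed sample: R0/R1, O4 and O17 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=191
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
O4 - HKLM\..\Run: [RunMotive] C:\DOCUME~1\SORENA~1.SOR\LOCALS~1\Temp\RunMotive.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Control handler] C:\WINNT\ahjinst.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C445712B-BC35-4D56-A400-E6B7E7D510EB}: NameServer = 158.43.240.4,158.43.240.3
"""

# Assumption: home/search page hosts the owner recognises as their own choice.
KNOWN_PAGE_HOSTS = {"login.passport.net", "www.msn.com"}
# The loader file illukka identifies as part of the hijack in this thread.
KNOWN_BAD_FILES = {"ahjinst.exe"}

R_LINE = re.compile(r"^(R[01]) - .*,(Start Page|Search Page) = (\S+)")
O4_LINE = re.compile(r'^O4 - .*\[(.*?)\] "?([^"]+?\.exe)"?', re.IGNORECASE)
O17_LINE = re.compile(r"^O17 - .*NameServer = (\S+)")


def triage(log_text):
    """Return (flagged, review): entries worth fixing, and DNS settings to confirm by hand."""
    flagged, review = [], []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            host = urlparse(m.group(3)).hostname or ""
            if host not in KNOWN_PAGE_HOSTS:
                flagged.append((m.group(1), f"{m.group(2)} points to unrecognised host {host}"))
            continue
        m = O4_LINE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            low = path.lower()
            if "\\temp\\" in low:  # an autostart living in a Temp folder is the classic hijacker pattern
                flagged.append(("O4", f"[{name}] runs from a Temp folder: {path}"))
            elif low.rsplit("\\", 1)[-1] in KNOWN_BAD_FILES:
                flagged.append(("O4", f"[{name}] is a file identified as the hijacker: {path}"))
            continue
        m = O17_LINE.match(line)
        if m:  # O17 is not automatically bad, but the servers must be the ISP's own
            review.append(("O17", f"DNS servers {m.group(1)}: confirm these belong to your ISP"))
    return flagged, review
```

Run `triage(SAMPLE_LOG)` to get the three entries illukka told hoejgaard to fix, plus the O17 line for checking against the ISP's DNS servers.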

#7 hoejgaard

hoejgaard
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:49 AM

Posted 21 November 2004 - 05:57 AM

The log file now looks like this:

Logfile of HijackThis v1.98.2
Scan saved at 11:01:01, on 21/11/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\GSICON.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\dslagent.exe
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Soren Andersen.SOREN\Desktop\The t.swapx removal thing\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: UKOnLineSigningApplet - https://www.taxcredits.inlandrevenue.gov.uk...gningApplet.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C445712B-BC35-4D56-A400-E6B7E7D510EB}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6689284-220D-4803-928D-CADF9BE70A9F}: NameServer = 158.43.240.4,158.43.240.3

I tried the internet, and now the startup-page isn't the t.swapx... thing! If that was it, THANK YOU SO MUCH!

You have been fantastic!

Regards
