Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CWS SWAPX Infection


  • This topic is locked This topic is locked
13 replies to this topic

#1 Mikew

Mikew

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 26 November 2004 - 04:01 AM

Good Morning All

THis is my first visit and I hope you can help.

I think I have caught the CWS SWAPX virus, this is my HiJackThis Log.

Can you help me please?

Logfile of HijackThis v1.98.2
Scan saved at 08:49:17, on 26/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\mg44m1ls4lncthd.exe
C:\WINNT\system32\internat.exe
C:\Old C_Drive\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\unzipped\hijackthis_198[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\J8GSJX~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\mg44m1ls4lncthd.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: qwe.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Old C_Drive\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O20 - AppInit_DLLs: 2t9y2mzlym95w7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O21 - SSODL: eplrr - {02DABAF6-CFDB-49ED-8EC5-53C94CE0D74A} - C:\WINNT\system32\eplrr3.dll

Thanks for your help and I look forward to hearing from you.

MikeW

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:16 PM

Posted 26 November 2004 - 04:54 AM

Hi

Please REBOOT your machine.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Please look for this file:
C:\WINNT\system32\J8GSJX~1.DLL <-- this file, filename starts with J8GSJX

and post the full name please.

Please look in the c:\windows\system32\ folder and post all the filenames like this one:
2t9y2mzlym95w7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dlll ...
The files have this format random.dll.dll.dll.dll.dll.dll

Please post also a fresh HJT log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 Mikew

Mikew
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 26 November 2004 - 03:47 PM

Hi

Thanks for your speedy reply.

The file you asked me to find is:

j8gsjx1gu99c.dll

Here is my new HijackThis report:

Logfile of HijackThis v1.98.2
Scan saved at 20:35:56, on 26/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\mg44m1ls4lncthd.exe
C:\WINNT\system32\internat.exe
C:\Old C_Drive\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\unzipped\hijackthis_198[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\J8GSJX~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\mg44m1ls4lncthd.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Old C_Drive\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE51E00-FBD8-4AC0-BD6A-ADE26FEA0367}: NameServer = 213.120.62.104 213.120.62.97
O20 - AppInit_DLLs: 2t9y2mzlym95w7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O21 - SSODL: eplrr - {63C770C4-EDCE-477A-AFE2-6EB56C7E6C0A} - C:\WINNT\system32\eplrr3.dll

Thanks for your efforts and I look forward to your reply.

Regards

MikeW

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:16 PM

Posted 26 November 2004 - 03:55 PM

Hi

Open Notepad. Copy and past the contents of the following quote box in to Notepad and save to your desktop as find_bad_dlls.bat

dir C:\WINDOWS\System32\*.dll.dll > C:\baddlllist.txt
notepad C:\baddlllist.txt
del c:\baddlllist.txt

Double click on find_bad_dlls.bat and copy the contents of the resulting text file to the next post.

Thanks to ddeerrff for the script.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 Mikew

Mikew
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 27 November 2004 - 04:02 AM

Hi

Thanks for your reply.

I did as you asked and the text file reads as follows:

C:\Documents and Settings\Michael Ward\Desktop>dir C:\WINDOWS\System32\*.dll.dll
1>C:baddlllist.txt
The system cannot find the path specified.

C:\Documents and Settings\Michael Ward\Desktop>Notepad C:\baddlllist.txt

Hope this is correctly done!

Thanks and regards.

MikeW

#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:16 PM

Posted 27 November 2004 - 04:07 AM

Sorry, you have W2K

Open Notepad. Copy and past the contents of the following quote box in to Notepad and save to your desktop as find_bad_dlls.bat

dir C:\WINNT\system32\*.dll.dll > C:\baddlllist.txt
notepad C:\baddlllist.txt
del c:\baddlllist.txt

Double click on find_bad_dlls.bat and copy the contents of the resulting text file to the next post.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#7 Mikew

Mikew
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 27 November 2004 - 07:07 PM

Hi

Contents of "find_bad_dlls.bat" text file are as follows:

Volume in drive C is Local Disk
Volume Serial Number is 4CE3-DFD1

Directory of C:\WINNT\system32

18/11/2004 01:03 6,656 2t9y2mzlym95w7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 3pk7o7dkt9b5u9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm6619o.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm664f9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm664f9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm669i9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm66p69.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm66p69.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm66x27.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm66x27.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm66xr9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 w8c6s4xcm66zi7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
18/11/2004 01:03 6,656 xit2ijusvgm4cx.dll.dll.dll.dll.dll.dll.dll.dll.dll
13 File(s) 86,528 bytes
0 Dir(s) 3,410,923,520 bytes free


Hope that helps.

Thanks and regards

Mike

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:16 PM

Posted 28 November 2004 - 03:35 AM

Hi :thumbsup:

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

1, Download CWShredder from here
After you download the program, unzip it into a directory. Don't use it yet.

2. Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

3. Download System Security Suite here:System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.

4. Download the Hoster from here. Unzip the program to your desktop. Don't use it yet.

5. Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


6. Download KillBox here: KillBox. Unzip it to your desktop.

Press Control + Alt + Delete to get into the Task Manager and end this process:
<insert here C:\WINDOWS\system32\O4 random.EXE file - Control handler>

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste each of the following file(s) to the address bar:
C:\WINDOWS\System32\2t9y2mzlym95w7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\3pk7o7dkt9b5u9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm6619o.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm664f9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm664f9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm669i9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm66p69.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm66p69.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm66x27.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm66x27.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm66xr9.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\w8c6s4xcm66zi7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\xit2ijusvgm4cx.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINDOWS\System32\j8gsjx1gu99c.dll

C:\WINNT\system32\mg44m1ls4lncthd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe


After each file press the Delete button (the button that looks like a red circle with a white X in it).

A dialog box will ask if you want to delete and reboot now - on all but the last file, answer No
For the last file (or first, if only one file), answer Yes

On restart, verify that the files have been deleted.

Please reboot into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

7. Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\J8GSJX~1.DLL

O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\mg44m1ls4lncthd.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O20 - AppInit_DLLs: 2t9y2mzlym95w7.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

O21 - SSODL: eplrr - {63C770C4-EDCE-477A-AFE2-6EB56C7E6C0A} - C:\WINNT\system32\eplrr3.dll


Close all other windows and browsers, and press the Fix Checked button.

8. Search for these files and delete them if found:
C:\WINNT\system32\eplrr3.dll

9. Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

10. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

11. With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

12. Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

13. Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

14. Locate Hoster on your desktop, press Restore Original Hosts and press OK. Exit Program. This will restore the Hosts file.

15. REBOOT normally. Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#9 Mikew

Mikew
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 28 November 2004 - 02:32 PM

Good Evening

Thanks for your latest reply.

I have worked down your list to point number 6.

Having opened Task Manager, I cannot see the file C:\WINDOWS\system32\04 randon.EXE file-Control handler.

I have tried to copy the Task Manager window to you, but cannot. Is there a way that I can post it?

Thanks and regards

MikeW

#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:16 PM

Posted 29 November 2004 - 10:06 AM

Hi Mikew

Sorry, my bad. Skip thepart with the O4 - Control handler and Task Manager. Delete the files with Killbox. Then go to step no. 7.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#11 Mikew

Mikew
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 05 December 2004 - 02:50 AM

Hi

You guys are awesome!

Having followed your instructions, my system now seems to be back to normal. Many thanks.

Here is my new HJT Log:

Logfile of HijackThis v1.98.2
Scan saved at 07:45:55, on 05/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Old C_Drive\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\unzipped\hijackthis_198[1]\HijackThis.exe
C:\Program Files\BT Yahoo! Internet\DialBTYahoo.exe
C:\Program Files\Internet Explorer\iexplore.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Old C_Drive\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab

How does that look?

I am running Norton Anti-Virus and a Zole Labs Firewall. Can you advise me how I can avoid another infection?

Thanks again

Mike

#12 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:16 PM

Posted 05 December 2004 - 04:44 AM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected?, With steps so it does not happen again!

Glad I was able to help.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#13 Mikew

Mikew
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 06 December 2004 - 11:09 AM

Hi CRYO

Just a final note to thank you and the Bleepingcomputer team for all your help.

It's a great comfort to have such a panel of expets on hand in times of distress!

Thanks again and kindest regards

Mike

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:16 PM

Posted 06 December 2004 - 11:11 AM

thank you and the Bleepingcomputer team for all your help

You're welcome ! Happy surfing ! :thumbsup:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users