Help! "http://t.swapx.cc/h.php?aid=20009"


5 replies to this topic

#1 theaction

theaction

  • Members
  • 3 posts

Posted 27 November 2004 - 03:19 PM

While at my in-laws I discovered their PCs have been severely hijacked by "http://t.swapx.cc/h.php?aid=20009"

I did some brief research and downloaded HijackThis and came up with this log:

Logfile of HijackThis v1.97.7
Scan saved at 3:13:30 PM, on 11/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W1LKWW~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab



They're running Norton Anti-Virus and since I've gotten here I've downloaded and updated both Ad-Aware SE and Spybot S&D. I have run both programs several times and tried some basic manual cleanup, but have had no luck.

Any help to get rid of t.swapx would be greatly appreciated.

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 27 November 2004 - 04:12 PM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then,

Try using this online virus scanner and then post the log from the scan and a new hijackthis log

http://www3.ca.com/virusinfo/virusscan.aspx

When it asks if it can install the program, say yes. Then it will scan your computer. Delete everything it has and post its log along with the hijackthis log

#3 theaction

theaction
  • Topic Starter

  • Members
  • 3 posts

Posted 27 November 2004 - 05:20 PM

Here's the scan log:

103937312.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
129844406.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
130946359.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
15681796.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
15729343.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
15731515.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
15755781.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
157966593.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
188062.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
193750.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
1949312.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
202473500.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
316515.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
332750.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
334187.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
3832953.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
387407781.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
390026515.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
4004890.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
406562.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
464234.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
468125.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
4758625.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
476234.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
477671.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
514750.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
535937.tmp Win32.Startpage.JY cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
602842953.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
602854187.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
687411234.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
7541671.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
7747578.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
97354531.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
992460812.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
992597484.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
992610593.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
992614843.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
993254484.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
993358765.tmp Win32.Startpage.IK cannot cure C:\Documents and Settings\Steve\Local Settings\Temp\
2.dat Win32.SillyDl.AQ cannot cure C:\Program Files\America Online 8.0\download\
Dc11.dll Win32.Startpage.IK cannot cure C:\RECYCLER\S-1-5-21-1864645043-2969994678-3951023404-1005\
cb839wer6v.exe Win32.Startpage.IK cannot cure C:\WINDOWS\
2sfxs276j15x.bak Win32.Startpage.IK cannot cure C:\WINDOWS\system32\
e2dxtijbljp.dll Win32.Startpage.IK cannot cure C:\WINDOWS\system32\
iu48wc3env6.dll Win32.Startpage.IK cannot cure C:\WINDOWS\system32\
lpt.exe Win32.SillyDl.AQ cannot cure C:\WINDOWS\system32\
pzs0p0ozbr1.bak Win32.Startpage.IK cannot cure C:\WINDOWS\system32\
r90x50mz3p25c.bak Win32.Startpage.IK cannot cure C:\WINDOWS\system32\
sdor4555ymzv.dll Win32.Startpage.IK cannot cure C:\WINDOWS\system32\
xi2mf5fex6.bak Win32.Startpage.IK cannot cure C:\WINDOWS\system32\
yduy39898b.exe Win32.Startpage.IK cannot cure C:\WINDOWS\
zona02.exe Win32.Mutters.C cannot cure C:\WINDOWS\


HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 5:16:32 PM, on 11/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Steve\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W1LKWW~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: iu48wc3env6.dll

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 27 November 2004 - 07:37 PM

OK, we don't normally recommend running two antivirus programs together - I assume your Symantec is up to date? The program I am going to tell you to install has been successful removing this particular variant in the past.

Could you disable Symantec for now and go here to download the free version of Grisoft's AVG AntiVirus program.

Install the program, check for updates and scan your system allowing it to remove whatever it finds.

Open TheKillbox.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

It will prompt you to reboot, press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

c:\windows\system32\iu48wc3env6.dll

When it prompts you to reboot after the last one has been entered, press the YES button.

With only HJT running, have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W1LKWW~1.DLL
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: iu48wc3env6.dl

Reboot again and post a new log.
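The fix list above is built by scanning the HJT log for persistence points that should be empty or benign on a clean machine: a second program chained onto UserInit, a populated AppInit_DLLs value, an unnamed BHO, a bare executable in the all-users Startup folder, and a start page pointing at an unknown host. The following script automates that triage over the log lines posted in this thread. It is an added example, not code from the thread, from HijackThis or from BleepingComputer; the section heuristics and the allowed-domain list are assumptions chosen to match this log, and `SAMPLE_LOG` is a constructed subset of the v1.98.2 log above.

```python
"""Triage a HijackThis (HJT) log by flagging persistence entries that are
normally empty or benign. Heuristics only: a hit means 'look closer'."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HJT v1.98.2 log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W1LKWW~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: iu48wc3env6.dll
"""

# Every HJT entry line looks like "<section> - <body>", e.g. "O20 - AppInit_DLLs: x.dll".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def _host_allowed(url, allowed_domains):
    """True if the URL's host is one of the allowed domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def triage(entries, allowed_domains=("yahoo.com", "emachines.com")):
    """Return (section, reason, detail) findings for entries worth a closer look.
    allowed_domains is an assumption: the OEM and portal hosts expected on this PC."""
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1"):
            # Start/default page: flag any host outside the expected set.
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            if url and not _host_allowed(url, allowed_domains):
                findings.append((sec, "start/default page points at an unexpected host", url))
        elif sec == "F2" and "UserInit=" in body:
            # UserInit should list exactly one program; anything chained after it runs at every logon.
            value = body.split("UserInit=", 1)[1]
            parts = [p.strip().lower() for p in value.split(",") if p.strip()]
            if parts != ["userinit.exe"]:
                findings.append((sec, "extra program chained after Userinit.exe at logon", value))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            # Legitimate BHOs register a display name; unnamed ones deserve scrutiny.
            findings.append((sec, "browser helper object with no registered name", body))
        elif sec == "O4" and body.startswith("Global Startup:"):
            # Installers drop .lnk shortcuts; a bare .exe in the Startup folder is unusual.
            name = body.split(":", 1)[1].strip().split(" = ", 1)[0]
            if not name.lower().endswith(".lnk"):
                findings.append((sec, "bare executable in the all-users Startup folder", name))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that uses user32; it should be empty.
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append((sec, "AppInit_DLLs is populated", dlls))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:<4} {reason}: {detail}")
```

Run against the sample, the script flags exactly the five entries Grinler put on the fix list (the win-eto.com start page, the UserInit chain, the unnamed BHO, winlogin.exe in Global Startup and the AppInit_DLLs value) while leaving the Yahoo, eMachines, Symantec and BigFix entries alone. Treat each hit as a pointer, not a verdict: the Run-key and BHO entries for known software are deliberately not flagged, and a real triage would look the flagged files up before fixing anything.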

#5 theaction

theaction
  • Topic Starter

  • Members
  • 3 posts

Posted 27 November 2004 - 10:20 PM

I'm sorry. I'm not familiar with the term "Killbox." What am I looking for?

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 28 November 2004 - 02:49 PM

I am sorry, you can download killbox from here:

http://www.bleepingcomputer.com/files/killbox.php
