Similar log to "Kamy"


  • This topic is locked
6 replies to this topic

#1 jazzit

jazzit

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 28 November 2004 - 08:10 PM

Apparently my bro has been going to places he should on my dad's computer. So I've been assigned to help the cause. Unfortunately I don't know too much so I thought the good people at bleepingcomputer could help. Already ran updated versions of Ad-Aware, SpyBot, CWShredder, and below is my log for HijackThis v1.98.2 just taken.

I think I've got the same problem (or similar) to "Kamy", who has one of the last log posts. The IE homepage has been redirected from yahoo.com to

http://t.swapx.cc/h.php?aid=31130&said=001
but has also been
t.swapx.cc/h.php?aid=20009
and
t.swapx.cc/h.php?aid=31403

Help would be greatly appreciated as I've got a paper to write that is due tomorrow and feel bad for my pops for having a curious bro - he's got to use this thing for work tomorrow, too.

I've examined other people's logs with similar problems but I can't seem to find that we have any of the same log entries....the win-eto.com things and the long dll.dll.dll.dll.dll.dll.dll.dll thing at the very bottom seem to be similar to a lot of these other t.swapx.cc logs, though. Thanks guys! Maybe someone could tackle both Kamy's and my log at the same time?


Logfile of HijackThis v1.98.2
Scan saved at 6:51:51 PM, on 11/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\viw4d6m65r2thd.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Lab-ProOnlS\X-WinPro\lpd_w32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\martin\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\RYTJZU~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\viw4d6m65r2thd.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Lpd.lnk = C:\Program Files\Lab-ProOnlS\X-WinPro\lpd_w32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NETZWERK, KABEL, DSL.bhf.LNK = C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\NETZWERK, KABEL, DSL.bhf
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {E0AF464A-C78B-40FE-81B4-B74995D6D437} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101688941015
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - AppInit_DLLs: nfnpbj4x97dt3cl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


#2 Kamy

Kamy

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 29 November 2004 - 07:38 AM

Jazzit,
I usually don't use choice words but thought this might help. Repeat after me.


t.swapx you are nothing but a bleeping menace,
I'd like to grab your balls and play a game of tennis.

Oh wait you don't have balls cause you're a pansy from hell,
You're a lowerly coward, you play your part so well.

There's nothing I'd like more than to yank your chain,
wrap it round your neck and inflict on you pain.

You're the devil in disguise and your homepage is your bastard,
You cause havoc and grief, you're nothing but a disaster.

Are you black, Puerto Rican, Asian or maybe white?
Oh that's right you're not human you're a freakin parasite.

To figure out the moral of this story you don't have to be real bright,
But that's the last damn time I'll be curious about clicking on a porn site.


Jazzit we have to keep our humor.... right?

Kamy

Edited by Kamy, 29 November 2004 - 07:43 AM.


#3 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:07:45 PM

Posted 29 November 2004 - 09:26 PM

Jazzit we have to keep our humor.... right?

Right? As you know already, jazzit, this one's tough. The updates to Windows not shown in your log concern me, but we'll go about a procedure to get rid of the infection first. I will continue to urge you to update everything we use, though. I will prepare the steps for your fix, run them by some experts, and post a reply within 24 hours. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#4 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:07:45 PM

Posted 30 November 2004 - 11:49 PM

It will take some doing to get your PC squared away, jazzit

Please make sure to work through the fixes in the exact order that they're presented below. You should also print out or copy this page to Notepad. Screenshots are included to help you.

Copy the contents of the CODE Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.
REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]
You will need a couple of tools on your desktop. Unlike HJT, you may run them from the desktop. All are .zip files (examples of zip files after extraction to the desktop). Please use these links to download them; do not run any of them out of sequence, please.

You will also need to install Ad-Aware SE Personal 1.05 onto your PC, unless you already have this version. You should uninstall an older version before installing this. Run Ad-Aware and immediately check for updates. Exit after updating. We will run it again later.
More information can be found here: Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer

Go to this site for an anti-virus program we've found works with this infection. avg70free_ 289a392.exe. Download the 9.9MB program ( that's about 40 minutes on dialup) to your desktop. Registration is free, installation is to your program files & it will uninstall normally, also. Exit all other anti-virus programs if you have them installed. Run AVG, opening to the "control center" and updating it first. When finished updating, make all boxes blue. (full install). Choose "test center" next. Click the top icon. Scan may take another 20 minutes or more. You will see test results, and as I do not have the infection, I can only suggest you follow the prompts given to deal with your results at this time. Exit the program.

Extract Killbox, open folder & choose extract to your desktop. "Finish". Open the folder and then double-click on Killbox.exe to start the program.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\viw4d6m65r2thd.exe

Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Your computer will reboot.
Check if C:\WINDOWS\System32\viw4d6m65r2thd.exe is still there, by running Killbox once again.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\documents and settings\all users\start menu\programs\startup\winlogin.exe

Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Your computer will reboot.
Check if C:\documents and settings\all users\start menu\programs\startup\winlogin.exe is still there, by running Killbox once again.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\system32\nfnpbj4x97dt3cl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Your computer will reboot.
Check if C:\WINDOWS\system32\nfnpbj4x97dt3cl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll is still there, by running Killbox once again.

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose Safe Mode. Hit Enter. Stay in Safe Mode until told to reboot, please. Do not open Internet Explorer or reboot, because the fix will fail and CW_NS3 will mutate. It will be more difficult to remove it.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.
Run Hijackthis: click Scan, and put a checkmark next to each of the following objects. (some may no longer appear, due to previous steps)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\RYTJZU~1.DLL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711 (ignore if you set this up yourself)
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\viw4d6m65r2thd.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
click for information about these O16 activeX entries
O20 - AppInit_DLLs: nfnpbj4x97dt3cl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
(or anything that has a string of .dlls)

When you're sure that files marked for deletion are correct, click the Fix button and exit HJT.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, the previous steps may have eliminated them.) Do not delete main folders like C:\WINDOWS or C:\Program Files. Navigate to the folder locations or use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders", "sub-folders".

Delete
C:\documents and settings\all users\start menu\programs\startup\winlogin.exe<--this file only (this is not winlogon.exe!)
C:\WINDOWS\System32\viw4d6m65r2thd.exe<--this file only
C:\WINDOWS\System32\RYTJZU~1.DLL<--this file only

Then run Ad-Aware. Prepare for system scan using "full scan" and not including the "negligible risk items". Run the scan to completion. The "Finish" button will change the screen to "scanning results". The scan summary tab is where to tick the boxes to delete what was found.

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Reboot your computer to go back to normal mode.

Run HijackThis again and post the new log as a reply to this post.

(Include comments regarding any problems you might have had, and let us know if it's working better.)
You may choose to move the utilities on your desktop to a permanent folder or simply delete them, perhaps when you're certain the PC is clean. You might consider continuing to use AVG, but only run one anti-virus program with resident protection at a time, please.

Thanks, phawgg

Edited by phawgg, 30 November 2004 - 11:50 PM.

patiently patrolling, plenty of persistent pests n' problems ...
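The checklist in the post above is, in effect, a set of rules applied to jazzit's log in post #1: IE start and search settings pointing at win-eto.com, a proxy on 127.0.0.1, a nameless BHO, a Run entry for a gibberish-named executable in System32, a Global Startup item with no target, ActiveX downloads via ms-its:/mhtml: or a bare .dll, and a populated AppInit_DLLs. The script below is an added example written for this thread (it is not part of HijackThis, Killbox, or any poster's instructions) that encodes those rules and runs them over a subset of the log lines copied from post #1; the hijacker host list comes from the thread itself, the "random-looking name" threshold and the rule wording are assumptions of this example, and the O20 value has been shortened for readability.

```python
import re
from urllib.parse import urlparse

# Hosts this thread identifies as the hijacker's: win-eto.com appears in the
# log's R0/R1 entries, t.swapx.cc is the page jazzit was redirected to.
BAD_HOSTS = {"win-eto.com", "t.swapx.cc"}

# Subset of jazzit's HijackThis v1.98.2 log from post #1 (O20 value shortened),
# chosen so every rule below sees at least one hit and one miss.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\RYTJZU~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\viw4d6m65r2thd.exe
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101688941015
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O20 - AppInit_DLLs: nfnpbj4x97dt3cl.dll.dll.dll.dll.dll.dll.dll.dll
"""


def host_of(value: str) -> str:
    """Hostname of a URL-valued setting, or '' when the value is not a URL."""
    return (urlparse(value).hostname or "").lower()


def looks_random(stem: str) -> bool:
    """Assumed heuristic: a 10+ character name mixing three or more digits with
    three or more letters (viw4d6m65r2thd) is not a name a vendor ships."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 10 and digits >= 3 and letters >= 3


def triage_line(line: str):
    """Return the reason an HJT entry deserves a second look, or None."""
    m = re.match(r"^(R[01]|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()
    value = body.split(" = ", 1)[1].strip() if " = " in body else ""

    if kind in ("R0", "R1"):
        if "ProxyServer" in body and "127.0.0.1" in value:
            return "IE proxy points at localhost (fine only if you set it up yourself)"
        if host_of(value) in BAD_HOSTS:
            return f"IE start/search setting points at hijacker host {host_of(value)}"
    elif kind == "O2" and "(no name)" in body:
        return "Browser Helper Object with no registered name"
    elif kind == "O4":
        if "Global Startup:" in body and " = " not in body:
            return "startup item with no resolvable target (bare executable name)"
        # Last path component before .exe; ']' excluded so the [label] is skipped.
        exe = re.search(r'\\([^\\"\]]+)\.exe\b', body, re.I)
        if exe and looks_random(exe.group(1)):
            return f"Run entry launches random-looking executable {exe.group(1)}.exe"
    elif kind == "O16":
        if re.search(r"\bms-its:|\bmhtml:", body, re.I):
            return "ActiveX download via ms-its:/mhtml: handler (a .chm loading an .exe)"
        if body.lower().endswith(".dll"):
            return "ActiveX download is a bare .dll rather than a .cab package"
    elif kind == "O20" and "AppInit_DLLs:" in body:
        dlls = body.split("AppInit_DLLs:", 1)[1].strip()
        if dlls:
            suffix = " with repeated .dll extensions" if dlls.count(".dll") > 1 else ""
            return "AppInit_DLLs is populated" + suffix
    return None


def triage_log(text: str):
    """All (entry, reason) pairs worth checking, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample it flags exactly the twelve entries phawgg lists and nothing else; the Compaq, Yahoo, WinVNC and Windows Update entries pass because a known host, a vendor-named executable or a .cab package is not by itself suspicious. The rules say nothing about the "Running processes" list or O3 toolbars, and flagging the O20 entry is only the start: as the post's sequence shows, the DLL on disk has to go (via Killbox's delete-on-reboot) before the registry value is worth fixing, or the loader simply re-creates it.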

#5 Tankerdog2002

Tankerdog2002

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 11 December 2004 - 09:35 AM

Hi guys,

I nuked this beastly t.swapp.cc Hijacker very simply.

After trying everything I could think of... I went here and found out that I needed to reload Ad-aware SE Personal and then update it before I ran it.

I did this and was immediately infected with 185 new objects when I re-booted. Whoaaaaaaa! I only had 32 to start with.

So....I turned to MajorGeeks.com, where I found a little program under the spyware category called HSremove. The author said that he couldn't remove his malware with all the other spyware gunk so he wrote a program himself.

I ran it once and the problem was fixed! Then I donated $5 bucks to help him out.

Yep....that simple.

Do not reboot after running Ad-aware or you'll just get more bugs.....run the Ad-awareSE and then HSremove.

Tankerdog

#6 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:07:45 PM

Posted 11 December 2004 - 12:48 PM

hey, tankerdog, good find. I noticed the author had put HSRemove up on the 28th of Nov. makes it pretty new. I'm glad he's done it. This one is a b@!#h beyond most others.
patiently patrolling, plenty of persistent pests n' problems ...

#7 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:07:45 PM

Posted 31 December 2004 - 07:16 PM

Closed. Lack of responses.
If you originated this thread, and need it re-opened:
You may also contact a HJT Team Member, and reference the link location address. Thanks. :thumbsup:

If referring to this thread for any other reason, you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.
patiently patrolling, plenty of persistent pests n' problems ...



