
log for t.swapx.cc permanent homepage switch



#1 pop

Posted 28 November 2004 - 09:23 PM

Logfile of HijackThis v1.97.7
Scan saved at 6:53:22 PM, on 11/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\l0li814whhivyjthd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\?ttrib.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Navnt\vpdn_lu.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\WindowsXP-KB828741-x86-ENU.EXE
C:\HijackThis\HijackThis.exe
c:\8ea580ec197e100143e00cb9542f06\xpsp1hfm.exe
c:\8ea580ec197e100143e00cb9542f06\sp2\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.utah.edu:8080
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\l0li814whhivyjthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iehrfhck] C:\WINDOWS\System32\?ttrib.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d2855a162e1eaec
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerw...EActiveChat.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...7875.5737384259
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A790} (BerbCln Object) - http://www.microsoft.com/security/controls...w/0/BerbCln.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

I hope that posted OK. So I looked up some stuff on this new problem, and it had an O20 entry listed, but I don't have one, so I'm not sure what to do. I've tried most of the stuff I know how to do, but I can't seem to get rid of this one.
Thanks for any help.


#2 pop (Topic Starter)

Posted 28 November 2004 - 09:26 PM

That win-eto.com is what it has set my homepage to, and then it goes to the swapx page. It won't let me change the homepage; it always goes back to the win-eto thing.
OK, thanks again.

#3 pop (Topic Starter)

Posted 28 November 2004 - 09:49 PM

I don't think that first log was from the new version of HJT, so here is the next scan if that helps any.
Thanks again.

Logfile of HijackThis v1.98.2
Scan saved at 7:49:09 PM, on 11/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\?ttrib.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.utah.edu:8080
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\l0li814whhivyjthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iehrfhck] C:\WINDOWS\System32\?ttrib.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d2855a162e1eaec
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerw...EActiveChat.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - AppInit_DLLs: bmfeppdv2hvk6s.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

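The log above can be triaged mechanically. The following Python script is an added example, not part of HijackThis or of any post in this thread: it parses the R0/R1, O2, O4, O16 and O20 lines from the v1.98.2 log (copied here as a constructed sample) and flags the same things the helper picked out by eye: a Start/Search Page pointing at a host outside an assumed allow-list, a BHO with no name, an autorun whose file name is random-looking or contains a character that cannot appear in a Windows file name (HijackThis shows '?' in its place), an ActiveX download from an unexpected domain, and any non-empty AppInit_DLLs value. The allow-lists and the name heuristics are this script's own assumptions.

```python
"""Triage a HijackThis log for the indicators this thread turned up.

Added example for this page; it is not part of HijackThis or of the posts
above. The sample lines are copied from the v1.98.2 log; the allow-lists
and the file-name heuristics are this script's own assumptions.
"""
import re
from urllib.parse import urlparse

# Assumptions: hosts a user might legitimately set as home/search page, and
# vendors whose ActiveX downloads (O16) are expected on this box.
ALLOWED_PAGE_HOSTS = {"www.msn.com", "msn.com", "www.google.com"}
ALLOWED_DPF_DOMAINS = {"microsoft.com", "zonelabs.com", "hp.com", "ebayimg.com"}

# Constructed sample: R/O lines copied from the second log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.utah.edu:8080
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\l0li814whhivyjthd.exe
O4 - HKCU\..\Run: [Iehrfhck] C:\WINDOWS\System32\?ttrib.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d2855a162e1eaec
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O20 - AppInit_DLLs: bmfeppdv2hvk6s.dll.dll.dll.dll.dll
"""

_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
_O4_PATH = re.compile(r'\]\s+"?(?P<path>(?:[A-Za-z]:|%[^%]+%)\\.*?\.exe)', re.I)
_SAFE_NAME = re.compile(r"[-A-Za-z0-9_~. ]+")
_REPEATED_DLL = re.compile(r"(\.dll){2,}$", re.I)


def looks_random(stem):
    """Heuristic: a long stem with letters and digits interleaved at least
    twice (l0li814whhivyjthd, bmfeppdv2hvk6s), unlike qttask or WinTaskAd."""
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalnum() and b.isalnum() and a.isdigit() != b.isdigit())
    return len(stem) >= 8 and flips >= 2


def _allowed_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log_text):
    """Return (rule, detail, line) for each suspicious HijackThis line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith(("Start Page", "Search Page")):
                host = urlparse(value).hostname or ""
                if host not in ALLOWED_PAGE_HOSTS:
                    findings.append(("homepage-hijack", host, line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            # Legitimate BHOs register a display name; an unnamed one is
            # worth a look regardless of where its DLL lives.
            findings.append(("unnamed-bho", body.split(" - ")[1], line))
        elif sec == "O4":
            pm = _O4_PATH.search(body)
            if not pm:
                continue
            name = pm.group("path").rsplit("\\", 1)[-1]
            # '?' is not a legal Windows file-name character, so it is a
            # placeholder for one HijackThis could not render; "?ttrib.exe"
            # is a look-alike of attrib.exe, not the real tool.
            if not _SAFE_NAME.fullmatch(name):
                findings.append(("unrenderable-name-autorun", name, line))
            elif looks_random(name[:-4]):
                findings.append(("random-name-autorun", name, line))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not _allowed_domain(host, ALLOWED_DPF_DOMAINS):
                findings.append(("unknown-activex-download", host, line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs is loaded into every process that loads
                # user32.dll; on a clean XP box the value is empty.
                detail = "repeated .dll extension" if _REPEATED_DLL.search(value) else value
                findings.append(("appinit-dll", detail, line))
    return findings


if __name__ == "__main__":
    for rule, detail, line in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}\n    {line}")
```

The heuristics are deliberately narrow: the proxy line, the QuickTime autorun and the Zone Labs ActiveX control pass through untouched, so the output is the same short list a helper would ask the poster to fix.
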
#4 mpfeif101

Posted 28 November 2004 - 10:23 PM

Open Notepad (Start>All Programs>Accessories>NotePad)
Copy/paste the following quote (bold) to Notepad:

@echo off
rem Remove any listing left over from a previous run.
if exist %SYSTEMDRIVE%\baddlllist.txt del %SYSTEMDRIVE%\baddlllist.txt
rem "*.dll.dll" matches every name that ends in .dll.dll, however many .dll
rem extensions are chained on; ordinary single-extension DLLs are not listed.
dir %SYSTEMROOT%\System32\*.dll.dll > %SYSTEMDRIVE%\baddlllist.txt
notepad %SYSTEMDRIVE%\baddlllist.txt
cls
exit


-Go up to the Notepad File menu, and select: Save As
-In the Save As dialogue box:
--Save in: Desktop
--File Name: find_bad_dlls.bat
--Save as Type: use right side arrow to select: All Files
-Click: Save button

Now, go to the Desktop
-Double click on find_bad_dlls.bat
-A baddlllist - NotePad text will appear with the contents of: Directory of C:\WINDOWS\System32
-Copy and paste the contents of the resulting text file and post them back to this thread

From the moment you post the find_bad_dll log, do not shut down your computer! Doing so will cause the file names to change and the fix to fail.
Spyware Aid - A guide and more to spyware

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

HijackThis! | Recommended Software | Help Wanted
| Search the Forums | Forum Guidelines
Faster, safer, better, free -> Posted Image Now 1.0 Final!

If you'd like to donate to the fight against spyware...
Donate to mpfeif101 |

#5 pop (Topic Starter)

Posted 28 November 2004 - 10:44 PM

Volume in drive C has no label.
Volume Serial Number is 549D-2077

Directory of C:\WINDOWS\System32

11/28/2004 04:52 PM 6,656 1cr2pumpxjzh74.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 4k7gznvugfvzx4.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 5ewgswircuizx4.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 742l3ydcvub8bw.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 bmfeppdv2hvk6s.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 eur6w7ux2uzrnp.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 gve8hptj7k3xyp.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 h6j4nxbjyn8zx4.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 lhrp2hletg6xyp.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11/28/2004 04:52 PM 6,656 pgph1zre5t1hvs.dll.dll.dll
11/28/2004 04:52 PM 6,656 y8jvyt9sg3fo54.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
11 File(s) 73,216 bytes
0 Dir(s) 29,509,136,384 bytes free
OK, here they are.
Thanks for the quick reply.

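The batch file in post #4 finds these files with a single dir pattern, and the listing in post #5 shows a second signal: eleven files of the same size, all written in the same minute. The following Python script is an added example, not the batch file from the post and not part of any tool mentioned in this thread. It walks a directory tree with the same chained-extension rule and then clusters the hits by size. The file names are taken from the listing (with fewer .dll repeats); the sizes, the two decoy files and the temporary directory are constructed so the script runs offline without touching a real System32.

```python
"""Recursive sweep for the chained-extension files listed in post #5.

Added example; it is not the batch file from post #4 and not part of any
tool named in the thread. The file names are taken from the listing (with
fewer .dll repeats); the sizes, decoys and temporary directory are
constructed so nothing here touches a real System32.
"""
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Same rule the batch file's "*.dll.dll" pattern applies: two or more
# trailing .dll extensions.
REPEATED_EXT = re.compile(r"(\.dll){2,}$", re.IGNORECASE)

SAMPLE_NAMES = [
    "1cr2pumpxjzh74.dll.dll.dll",
    "742l3ydcvub8bw.dll.dll.dll.dll.dll.dll",
    "bmfeppdv2hvk6s.dll.dll.dll.dll.dll.dll",
    "pgph1zre5t1hvs.dll.dll.dll",
    "kernel32.dll",      # constructed decoy: a single, legitimate extension
    "notes.dll.txt",     # constructed decoy: .dll is not the final extension
]


def make_fixture():
    """Build a throwaway System32 look-alike. The suspicious files all get
    the 6,656-byte size shown in the listing; the decoys get another size.
    One hit is placed in a subdirectory to show the walk is recursive."""
    root = tempfile.mkdtemp(prefix="sys32_")
    sub = os.path.join(root, "drivers")
    os.mkdir(sub)
    for i, name in enumerate(SAMPLE_NAMES):
        size = 6656 if REPEATED_EXT.search(name) else 1024
        target = sub if i == 0 else root
        with open(os.path.join(target, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root


def find_repeated_ext(root):
    """Recursive equivalent of `dir %SYSTEMROOT%\\System32\\*.dll.dll`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if REPEATED_EXT.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def size_clusters(paths, minimum=3):
    """Group paths by size. A dropper that writes N copies of one stub leaves
    N files of identical size; that cluster is a signal on its own, even
    when the names are less obvious than the ones in this thread."""
    by_size = defaultdict(list)
    for path in paths:
        by_size[os.path.getsize(path)].append(path)
    return {size: ps for size, ps in by_size.items() if len(ps) >= minimum}


if __name__ == "__main__":
    root = make_fixture()
    try:
        hits = find_repeated_ext(root)
        for hit in hits:
            print(os.path.relpath(hit, root))
        for size, paths in size_clusters(hits).items():
            print(f"{len(paths)} files of {size} bytes")
    finally:
        shutil.rmtree(root)
```

On a real machine, point find_repeated_ext at the System32 directory instead of the fixture. The size cluster is the part worth keeping: the next variant may drop files with ordinary-looking names, but a batch of identical-size files written together still stands out.
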
#6 mpfeif101

Posted 28 November 2004 - 11:10 PM

Alright... this is a new hijacker and it is pretty difficult to remove. If you follow these directions, though, we should be able to remove it. Please follow each direction EXACTLY. If, for some reason, you can't follow a particular step, keep going and post your problem in a new reply.

1) Show hidden files/folders:
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

2) Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it fix.reg.

REGEDIT4

; Every key below is written as [-KEY], which deletes the key (and its
; values and subkeys) when the file is merged; nothing here adds a value.

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1]

[-HKEY_CLASSES_ROOT\redalert.here]

[-HKEY_CLASSES_ROOT\redalert.here.1]

[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


3) Download CleanUp! from here. Install it but do not run it yet.

4) Install Ad-Aware SE 1.05 from here. Install it but do not run it yet. After installing Ad-Aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run. You may want to print out this tutorial: http://www.bleepingcomputer.com/forums/ind...showtutorial=48 so you can refer to it later. At the very least, skim over it.

5) Download CWShredder from here. Extract/save it to your desktop but do not run it yet.

6) Download the Grisoft AVG Anti-Virus from here (direct link). Install it but do not run it yet.

7) Next, download KillBox.zip (Removal Tool #15) from here:
http://www.subratam.org/?page=removal
Place it in a folder on your Desktop.
Extract it from the zip file and then double-click on Killbox.exe to run it.
Select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\System32\W8C6S4~1.DLL
Press the button with a red circle and a white X.
When asked if you would like to Reboot, select No.

Once again, in Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\System32\l0li814whhivyjthd.exe
Press the button with a red circle and a white X.
When asked to Reboot, select Yes.

Repeat the directions above for the following files:
C:\WINDOWS\system32\bmfeppdv2hvk6s.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\1cr2pumpxjzh74.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\4k7gznvugfvzx4.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\5ewgswircuizx4.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\742l3ydcvub8bw.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\eur6w7ux2uzrnp.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\gve8hptj7k3xyp.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\h6j4nxbjyn8zx4.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\lhrp2hletg6xyp.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINDOWS\system32\pgph1zre5t1hvs.dll.dll.dll
C:\WINDOWS\system32\y8jvyt9sg3fo54.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


***Do not open IE while doing the following fix. Doing so may cause the fix to fail. In the following steps your internet connection will be temporarily disabled, so you may want to print out the instructions. This fix may, and probably will, take a LONG time, so please be patient.***

8) Reboot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

9) Using Windows Explorer, delete the following folder:
C:\Program Files\Windows TaskAd

10) Now we get to run the AVG that you downloaded before. Check for updates and run a Full System Scan.

11) After the full scan above is done and it removes everything it finds, update and run a full system scan with Ad-Aware. For an in-depth tutorial on how to do this, see the tutorial I referred you to earlier (Do NOT open Internet Explorer).

12) Run CWShredder. Click "Fix" and let CWShredder remove all traces of CoolWebSearch.

13) Run CleanUp! on Standard Mode. When it asks to reboot/log off, decline.

14) Double-click on the fix.reg that you previously saved on the desktop. Accept any changes to the registry.

15) Reboot your computer so you're back in normal mode.

16) Run HJT and place a check next to the following items if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\l0li814whhivyjthd.exe
O4 - HKCU\..\Run: [Iehrfhck] C:\WINDOWS\System32\?ttrib.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d2855a162e1eaec

Close any open browsers and windows and click "Fix Checked".

17) Reboot one last time into normal mode and post a new log.

#7 pop (Topic Starter)

Posted 28 November 2004 - 11:58 PM

Do I need to reboot after every two deletes, or do I do the whole list and then reboot just once?
OK, thanks.
Oh yeah, after I did the first file I lost my start bar. Is there a way to get it back, or should I just keep using Alt-Tab to switch back and forth?

#8 pop (Topic Starter)

Posted 29 November 2004 - 12:10 PM

OK, it seems to have worked like a charm. My homepage reset itself to msn.com and everything seems intact. Here is the log after I finished the fix.

Logfile of HijackThis v1.98.2
Scan saved at 10:05:46 AM, on 11/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\HijackThis[1]\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.utah.edu:8080
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerw...EActiveChat.CAB

Hey, thanks a lot for the help. There is no way I would have been able to figure that out; I probably would have either just dealt with it or had to wipe.
Thanks.

#9 pop (Topic Starter)

Posted 29 November 2004 - 06:14 PM

Here is that post; the only thing was that you do the whole list of .dll's before you reboot.
I think that your list of .dll's might be different from mine, so whatever that file comes up with is what you should do in that step.
Good luck.

#10 mpfeif101

Posted 29 November 2004 - 07:22 PM


Your log is clean :thumbsup:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware; I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers real-time protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An antivirus program is a must! Whether it is a free version like AVG or AntiVir, or a shareware version like Norton or Kaspersky, this is a must-have.
  • Firewall <= A firewall is definitely a must-have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera and SlimBrowser are good as well.
Also see TonyKlein's good advice, So how did I get infected in the first place?, and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
