
HJT - MAFOOMBAY



#1 mafoombay

mafoombay

  • Members

Posted 06 December 2004 - 05:10 PM

Please forgive my earlier post. Overzealousness didn't allow me to read the instructions so here I go again. Upon signing on to IE, my homepage automatically gets redirected to: http://t.swapx.cc/h.php?aid=543. I downloaded Spybot, Adware, everything but so far no solution.

Help Please!!

Logfile of HijackThis v1.98.2
Scan saved at 4:57:00 PM, on 12/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCP.EXE
C:\file\new\folder\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: winlogin.exe
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O20 - AppInit_DLLs: bks6zrbw1c9iv5.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll[B][I]



#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team

Posted 07 December 2004 - 03:06 PM

Hello MAFOOMBAY and welcome to Bleeping Computer.


I see NO anti-virus program running in this log. Having an active, up-to-date AV is mandatory in today's hostile internet environment.

The anti-virus program I am going to recommend is well respected and FREE. In addition, it has been successful at helping to remove the particular malware infection you have.

So go here to download the free version of Grisoft's AVG AntiVirus program. Documentation for AVG7 is also available on that page.

Install the program, check for updates and scan your system allowing it to remove whatever it finds.


You are also way behind on Windows critical updates, but we'll get to that later.


Reboot in normal mode, rescan with HJT and post a new log.

Edited by ddeerrff, 07 December 2004 - 03:06 PM.

Derfram
~~~~~~

#3 mafoombay


Posted 08 December 2004 - 12:14 AM

First,

Thanks for the reply, I really appreciate it.

Here's the new log..

Logfile of HijackThis v1.98.2
Scan saved at 12:12:03 AM, on 12/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCP.EXE
C:\file\new\folder\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: 75626k1uujx5.dll

#4 ddeerrff


Posted 08 December 2004 - 12:35 AM

Looks like some progress MAFOOMBAY.

Click here to download TheKillbox by Option^Explicit, then unzip it to your desktop.
In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The file should show up in the window. Then repeat the process, this time adding:

C:\Windows\System32\W8C6S4~1.DLL

If that's successful you should have the two files listed. Then repeat so that this file appears in the list as well:

C:\WINDOWS\System32\75626k1uujx5.dll

When they are all there (and double check!), in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL (file missing)
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: 75626k1uujx5.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Please reboot and post a new log.
Derfram
~~~~~~

#5 mafoombay


Posted 08 December 2004 - 10:49 AM

Here you go!
I also noticed this entry wasn't there in the HJT scan results
O4 - Global Startup: winlogin.exe
but here are the results...

Logfile of HijackThis v1.98.2
Scan saved at 10:44:37 AM, on 12/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\file\new\folder\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
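
An added example, not part of the thread and not HijackThis's own logic: a short Python triage of the logs above. It parses the entry lines of the second and third logs, flags the load points that post #4 selected for fixing (the flagging rules are this example's own heuristic), and lists the flagged entries that are gone after cleanup.

```python
import re

# Constructed input: entry lines of the thread's second and third logs.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: 75626k1uujx5.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log):
    """Return (section, detail) for every HijackThis entry line in the log."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]

def triage(entries):
    """Flag entries at the load points this thread cleaned (heuristic, assumed here)."""
    flagged = []
    for sec, detail in entries:
        if sec in ("R0", "R1"):
            why = "IE start/search page value to review"
        elif sec == "O2" and "(no name)" in detail:
            why = "Browser Helper Object with no name"
        elif sec == "O4" and detail.startswith(("Global Startup:", "Startup:")):
            why = "program in a Startup folder"
        elif sec == "O20":
            why = "AppInit_DLLs: DLL loaded into every process that loads user32.dll"
        else:
            continue
        flagged.append((sec, detail, why))
    return flagged

def resolved(before, after):
    """Flagged entries of `before` that no longer appear in `after`."""
    still_there = set(parse(after))
    return [f for f in triage(parse(before)) if f[:2] not in still_there]

if __name__ == "__main__":
    for sec, detail, why in resolved(LOG_BEFORE, LOG_AFTER):
        print(f"{sec:<3} {why}\n    {detail}")
```

On these two logs it reports the same six entries that post #4 listed for fixing, and nothing in the final log is flagged.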


#6 ddeerrff


Posted 08 December 2004 - 05:31 PM

The log appears clean now Mafoombay. Any remaining issues?

I'm a bit concerned about its 'shortness' but I have seen that before and it does not necessarily imply any problems. Please double check a couple of things...

Click on Start then Run, type in msconfig and click on OK. Be sure you are running in 'Normal Startup'. Also, be sure you are booting in Normal Windows mode and not booting to Safe Mode. If either of these are not the case, please correct and post one more log.


Now about those Windows Critical Updates:

Your log shows that you are seriously behind on windows updates. It is essential that you update your windows as otherwise the infections could reoccur. Go to Windows Update and if it asks to install software, allow it to do so. Install the offered Service Pack (SP), reboot as requested and return until you have installed all available critical updates.

If you would prefer to hold off on SP2 for now, then open this link to the Windows XP Service Pack 1a page, select Express Installation and follow the instructions to download/install Service Pack 1a (SP1a). Reboot when requested then return to Windows Update and install any remaining Critical Updates other than SP2.


The following is my standard speech that I post to everyone with a clean log - and your log is now clean:

Here are some simple steps to help keep your computer clean and secure:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. If there are new critical updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This will ensure your computer is up to date and the operating system is safe from the latest threats.


Use an AntiVirus Software - It is very important that you have an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

Equally as important is that you keep your AV up to date. Set it to auto-update if that option is available, otherwise update it at least weekly. If you do not keep your antivirus current, then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

The firewall built into Windows XP is better than nothing, but third party firewalls offer more complete protection. A very good firewall, with a free for personal use version, is ZoneAlarm, available from Zone Labs. Firewalls are also part of the Symantec and McAfee Security Suites.

You can test your firewall at one of the following sites:
Symantec Security: http://security.symantec.com
Gibson Research: http://www.grc.com (follow the links to Shield's-Up!)
DSL Reports Port Scanner: http://www.dslreports.com/scan

For a more in-depth tutorial, and an expanded listing of available firewalls, see
Understanding and Using Firewalls.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
An in-depth treatise on IE privacy and security by Eric Howes can be found here


Install Spybot - Search and Destroy - Download and install the latest version of Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer as an adjunct to your virus protection. Keep this program updated and scan your system periodically with it just as you do with your antivirus software.

A tutorial on installing & using this product can be found at:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


Install Ad-Aware SE - Download and install the latest version of Ad-Aware SE. Keep this program updated and use it to scan for malware on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found at:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from downloading and running known malicious programs.

A tutorial on installing & using this product can be found at:
Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Finally, practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will, but sometimes it won't.

Follow this list and your potential for being infected again will be dramatically reduced.
Derfram
~~~~~~

#7 mafoombay


Posted 08 December 2004 - 11:24 PM

Everything is perfect!! You guys (or just you) are/is great!! How can I thank you for your services? I will follow the instructions you left to the T so hopefully everything will be smooth from now on.

thanks again!!

#8 ddeerrff


Posted 08 December 2004 - 11:30 PM

You're welcome. Glad we could be of help.
Derfram
~~~~~~

#9 mafoombay


Posted 09 December 2004 - 12:39 PM

One last thing though...I noticed that now my Windows Media Player V 9.0 doesn't work. Should I assume it's a result of the spyware I had? I get a message "specific module could not be found" I removed it and re-installed it and I also upgraded to v10 but to no avail. Any suggestions?

thanks again!

#10 ddeerrff


Posted 09 December 2004 - 03:17 PM

It certainly is possible that the malware has left you with that problem.

Does WMP not open? or does it not play any files? or does it not play specific file formats- will it play audio but not video?

A more complete error message would be helpful. The most related I could find just searching on "specific module could not be found" is here. (note phoneman's post mid-page)

Let me know.

Edited by ddeerrff, 09 December 2004 - 03:50 PM.

Derfram
~~~~~~

#11 mafoombay


Posted 09 December 2004 - 11:26 PM

Sorry for the minuscule information....

But it's error message 8007007E.
Whenever I try to play a file from either my hard drive or streaming off of the internet, I get the same error "specified module could not be found"
WMP opens and attempts to connect to the file. I've tried to play .wma, .wax, wave files and mp3, mpegs everything but still I get the same message.

thanks.

#12 ddeerrff


Posted 10 December 2004 - 12:44 AM

I'm not finding any specific solution to this. Basically what I find is here:

Guide To Error 8007007E In Windows Media Player

Error 8007007E or "Module not found" means something in the playback chain isn't fully installed.  It is most likely not WMP, but something like a sound card driver.  http://www.zachd.com/pss/pss.html#isolate may help narrow it down a bit.  Basically you are looking for what works and what doesn't, then you can find out what is not installed or what is broken.

There is not a single solution to this problem. Your answer will depend on what exactly doesn't work. DirectX, third party codecs, sound card drivers, video card drivers, and many other things can cause this.


WindowsXP has a built-in DirectX diagnostics. Go to Start | Run, type in dxdiag and click OK. The DirectX diagnostics should open. See if you can determine anything here. The latest DirectX is v9.0c. If you do not yet have that version, you can download it from Microsoft here.

I would not immediately suspect a corrupted codec, as a bad codec would normally cause one type of file to not play and others to still work.

You would have to check with your computer manufacturer or sound card manufacturer for an updated driver for your sound card. Same goes for the video card.

Have you updated Windows yet to at least SP1? Do you have a WindowsXP installation or recovery disk available?
Derfram
~~~~~~



