
http://win-eto.com and here4search.com



#1 fibermann

fibermann

  • Members
  • 1 posts

Posted 28 December 2004 - 04:44 AM

I have researched this and have done several things:


1. I downloaded killbox.exe

2. Downloaded Adware (Latest version)

3. Downloaded CWshredder

4. Worked in safe mode.

Alas this just keeps coming back. I am not sure of all the files that need to be deleted from this list. What am I missing?

I am forced to use Mozilla Firefox which actually works quite well...but I am frustrated at not being able to get rid of this on my computer.

ETO is back at the top again of line R0

Thanks in advance

Logfile of HijackThis v1.99.0
Scan saved at 3:58:05 AM, on 12/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsmsnd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\p5beikvzlo7thd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Symantec\ACT\SideACT.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11281
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O3 - Toolbar: pdfMachine - {0E1230F8-EA50-42A9-983C-E22ABC2EED3F} - C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgstb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsmsnd.exe
O4 - HKLM\..\Run: [NVIDIA Video drivers] video_32D.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\tqajrol.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\p5beikvzlo7thd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\Symantec\ACT\SideACT.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O17 - HKLM\System\CCS\Services\Tcpip\..\{36FFBE4B-7F83-4CC4-96FA-60F7144A7DFE}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{36FFBE4B-7F83-4CC4-96FA-60F7144A7DFE}: NameServer = 209.244.0.3 209.244.0.4
O20 - AppInit_DLLs: 4kijicfkzw574rl.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: bgsserv - Unknown - C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsserv.exe
O23 - Service: Win32 USB2 Driver - Unknown - C:\WINDOWS\System32\smsc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

:trumpet: :thumbsup: :inlove: :flowers:



#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 29 December 2004 - 07:11 AM

Hi

We don't normally recommend running two antivirus programs together. The program I am going to tell you to install has been successful removing this particular variant in the past.

Could you disable TrendMicro AV for now and go here to download the free version of Grisoft's AVG AntiVirus program.

Install the program, check for updates and scan your system allowing it to remove whatever it finds.

Download KillBox here: KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste each of the following file(s) to the address bar:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\WINDOWS\System32\w8c6s4xcm66.dll
C:\WINDOWS\System32\tqajrol.exe
C:\WINDOWS\System32\p5beikvzlo7thd.exe
C:\WINDOWS\System32\4kijicfkzw574rl.dll.dll.dll.dll.dll.dll.dll.dll.dll


After each file press the Delete button (the button that looks like a red circle with a white X in it).

A dialog box will ask if you want to delete and reboot now - on all but the last file, answer No
For the last file (or first, if only one file), answer Yes

On restart, verify that the files have been deleted.


Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11281

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL

O4 - HKLM\..\Run: [NVIDIA Video drivers] video_32D.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\tqajrol.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\p5beikvzlo7thd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - Global Startup: winlogin.exe

O20 - AppInit_DLLs: 4kijicfkzw574rl.dll.dll.dll.dll.dll.dll.dll.dll.dll

O23 - Service: Win32 USB2 Driver - Unknown - C:\WINDOWS\System32\smsc.exe (file missing)



This is a restriction. Leave it unchecked if it was set by you using software like Spybot Search & Destroy, SpywareBlaster or another similar protection program, or if it was set by your system administrator.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
video_32D.exe <-- this file
C:\WINDOWS\System32\smsc.exe <-- this file
winsys32.exe <-- this file
C:\WINDOWS\System32\tqajrol.exe <-- this file

With all windows and browsers closed, clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Perform a full scan here: Panda Online, follow the instructions on the screen, make sure these are checked:
- Disinfect automatically
- Scan compressed files
- Scan e-mail files
- Neutralize Trojans
and let it remove anything it finds.

Run HijackThis! again and post a new log please.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
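A way to pre-sort a HijackThis log like the one in this thread before a human reads it, as an added example that is not part of either post and is not the helper's method. The rules in `review_reasons` are illustrative assumptions; the sample lines are copied from the log posted above.

```python
import re

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\tqajrol.exe
O20 - AppInit_DLLs: 4kijicfkzw574rl.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Win32 USB2 Driver - Unknown - C:\WINDOWS\System32\smsc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
AUTORUN = re.compile(r"^(?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def review_reasons(line):
    """Return the reasons one log line deserves a closer look (heuristics only)."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, body = m["section"], m["body"]
    reasons = []
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO without a name")
    elif section == "O4":
        a = AUTORUN.match(body)
        if a and "\\" not in a["cmd"].strip('"'):
            reasons.append("autorun with no directory path")
        if a and re.search(r"(microsoft|windows) update", a["name"], re.I):
            reasons.append("autorun named like an OS update")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs is set")
        if re.search(r"(\.dll){2,}$", body, re.I):
            reasons.append("repeated file extension")
    elif section == "O23" and body.endswith("(file missing)"):
        reasons.append("service points to a missing file")
    return reasons

def triage(log_text):
    """Map each flagged line to its reasons, keeping log order."""
    pairs = ((l.strip(), review_reasons(l)) for l in log_text.splitlines())
    return {line: why for line, why in pairs if why}

for entry, why in triage(SAMPLE_LOG).items():
    print("; ".join(why), "->", entry)
```

Entries such as `[Control handler] C:\WINDOWS\System32\p5beikvzlo7thd.exe` pass these rules unflagged, so the output is a starting list for manual review, not a verdict.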




