I have been hijacked HELP!!

[John A. Gurba]

I have been hijacked to this page http://t.swapx.cc/h.php?aid=20009
If I look in the IE tools section to change home page it shows the current
page as
http://win-eto.com/hp.htm?id=632 I have run norton, adware, spy bot and all
clean. I ran hijackthis and came up with this log. I have deleted the LINE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://win-eto.com/hp.htm?id=632 But it keeps coming back. Can anyone help.
Please..... I do not know what to do. I am lost.....


Logfile of HijackThis v1.98.2
Scan saved at 1:30:02 PM, on 11/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\navapsvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\slpservice.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\slpmonx.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\fskiptb.exe
C:\WINNT\Seiko\slpcap.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\SAVScan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2
for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://win-eto.com/hp.htm?id=632
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} -
C:\WINNT\System32\8TZHKM~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINNT\System32\fskiptb.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: WinFax PRO Controller.lnk = C:\Program
Files\Symantec\WinFax\wfxctl32.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Bug Swatter Options -
{99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek
Superhero\GeekSuperHeroBugSwat.dll
O9 - Extra button: Popup Slapdown Options -
{A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek
Superhero\GeekSuperHeroSlapdown.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINNT\System32\Shdocvw.dll
O16 - DPF: Sametime Meeting Toolkit ST25 -
file://C:\PROGRA~1\Java\ControlF1\STMeeting25.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101307049093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -
http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8C42D15B-D8C2-40AD-9A06-3F27F58AE33E} -
http://www.search-climbers.com/download/uninstall/KeywordsUnInst.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) -
http://aerial.leepa.org/ecwplugins/ncs.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} -
http://www.search-climbers.net/download/cab/ieplugin.cab
O20 - AppInit_DLLs:
w25h7o4y198mzgll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
..dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
..dll.dll.dll.dll.dll.dll.dll.dll.dll



John A. Gurba
http://www.courtaccess.com
(e-mail address removed)

 

[Jan Il]

Hi John

This may be a newer variant of about: blank. Methods that previously removed
the previous variant may not have any effect on it. Try the following and
follow the instructions carefully. This variant replicates itself, thus, you
must fully clean it from your system. This coolwebsearch infection uses a
hidden dll to reinfect, thus it replicates itself over and over if not
removed properly.

<<<<BE SURE TO FOLLOW ALL INSTRUCTIONS CAREFULLY>>>>

CAUTION!!!!!
Before you try to remove spyware using any of the programs below, download a
copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP) The process of removing certain malware may kill your internet
connection. If this should occur, this program, LSPFIX, will enable you to
regain your connection.

Also, get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html


IMPORTANT!!
RUN ALL PROGRAMS OFF LINE IN SAFE MODE AND SHOW HIDDEN
FILES. THEN REBOOT AND RUN THEM AGAIN TO BE SURE ALL FILES
ARE ACCESSED, DELETING ALL ITEMS DISPLAYED IN RED IN SPYBOT

HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

About Buster
http://www.majorgeeks.com/download4289.html

CWShredder
http://www.majorgeeks.com/download4086.html

SpyBot Search & Destroy: Free
http://download.com.com/3000-8022-10289035.html?tag=lst-0-2

AdAware: Free
http://www.lavasoftusa.com/support/download/
HOW TO: Reconfigure Ad-aware for a Full Scan
http://forum.aumha.org/viewtopic.php?t=5877

HiJackThis:

Unzip the Download file in a NEW FOLDER that you can create before you start
the download.
DO NOT install in your Desktop folder.
DO NOT use any of the TEMP folders that are presently in your computer.
Double-click "HijackThis.exe" and Press "Scan".

Go to:
http://www.majorgeeks.com/download3155.html
and download HiJackThis to the new folder. Unzip to a folder other than your
Desktop or the Temp folder, doubleclick HiJackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button. Press that, save the log some place you remember where it is.
Most of what it lists will be harmless or even required, so DO NOT fix
anything yet.

Open the copy of your log in NotePad and make a copy. Then you can go to one
of the following to post your log:

<<PLEASE DO NOT POST YOUR LOG FILE TO THIS NEWSGROUP>>

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/
or
AumHa Forums here:
http://forum.aumha.org/viewforum.php?f=30

You will need to register to open a new thread to post you log. It is free,
and no one will Spam you, it is one of many that provides this service. Once
registered, go to the HiJackThis section on the forum list and click to
open. Then start a new post and post your log. The experts there will
analyze the log and report back the results. Please allow at least a few
hours or a days time for a response, depending on when you post the log

Remember, you must return to the HJT site to get your answer. It is a good
idea to click the "Notify" box so that you will get an electronic
notification by e-mail to let you know when a response has been posted.
But, you must still return to the site of your answer

Finally, go to Windows Update and ensure that ALL Critical updates are
installed.

HJT Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

Security tips and other useful information at
http://mvps.org/winhelp2002/unwanted.htm

if the above does not remove it completely, then continue to the following
more intense removal process.

New ABOUT:BLANK CWS variant removal tool:

Like any disinfection procedure, it's a bit risky - it deletes an important
registry key and subsequently restores a revised version. If something goes
wrong, your PC may no longer work normally.

YOU USE THIS PROCEDURE AT YOUR OWN RISK!

Download Registrar Lite 2.0, install it and run it.
http://www.majorgeeks.com/download469.html
http://www.softpedia.com/public/cat/12/5/12-5-21.shtml

Navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(note...should be all on one line)
and look at the AppInit_Dlls value.

Write down the name of the DLL file that's displayed!

(If you see several values separated by commas or spaces, which is unlikely,
use Windows Explorer to search for each one in the Windows\System32 or
Winnt\System32 directory. The one you can't find is the one to remember!)

Exit Registrar Lite.


Download and run this script. It will delete the CWS AppInit_Dlls value and
reboot Windows. After the reboot, the shield-DLL file is still on the hard
disk, but it's no longer a threat to your PC.
http://www.silentrunners.org/CWS Shield Dropper.vbs

Download Silent Runners here:
http://www.silentrunners.org/Silent Runners.vbs
Run it and look at the list of Browser Helper Objects. One of them will have
a strange name. Write down the the file name (including the full path)!

(If you're not sure which BHO was installed by CWS, reboot into Safe Mode
and follow steps 8-10 here. Commercial programs, such as PestPatrol, are
also available to identify and delete BHO pests.)

Download and run this script to delete the CWS shield-DLL and the BHO files.
No reboot will be required.
http://www.silentrunners.org/CWS File Cleaner.vbs

Reset your Internet Explorer home page. Your PC should now run normally.


If these steps do not resolve your problem, please post back to this thread
with the details and any error messages.

Hope this helps

Jan
Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit or other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

I have been hijacked to this page http://t.swapx.cc/h.php?aid=20009
If I look in the IE tools section to change home page it shows the current
page as
http://win-eto.com/hp.htm?id=632 I have run norton, adware, spy bot and all
clean. I ran hijackthis and came up with this log. I have deleted the LINE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://win-eto.com/hp.htm?id=632 But it keeps coming back. Can anyone help.
Please..... I do not know what to do. I am lost.....


Logfile of HijackThis v1.98.2
Scan saved at 1:30:02 PM, on 11/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\navapsvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\slpservice.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\slpmonx.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\fskiptb.exe
C:\WINNT\Seiko\slpcap.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\SAVScan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2
for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://win-eto.com/hp.htm?id=632
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} -
C:\WINNT\System32\8TZHKM~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINNT\System32\fskiptb.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: WinFax PRO Controller.lnk = C:\Program
Files\Symantec\WinFax\wfxctl32.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Bug Swatter Options -
{99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek
Superhero\GeekSuperHeroBugSwat.dll
O9 - Extra button: Popup Slapdown Options -
{A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek
Superhero\GeekSuperHeroSlapdown.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINNT\System32\Shdocvw.dll
O16 - DPF: Sametime Meeting Toolkit ST25 -
file://C:\PROGRA~1\Java\ControlF1\STMeeting25.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101307049093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -
http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8C42D15B-D8C2-40AD-9A06-3F27F58AE33E} -
http://www.search-climbers.com/download/uninstall/KeywordsUnInst.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) -
http://aerial.leepa.org/ecwplugins/ncs.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} -
http://www.search-climbers.net/download/cab/ieplugin.cab
O20 - AppInit_DLLs:
w25h7o4y198mzgll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll..dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
.dll.dll.dll.dll.dll.dll.dll.dll.dll



John A. Gurba
http://www.courtaccess.com
(e-mail address removed)