marrufol

[solved] Problem with win-eto.com and t.swapx.cc


Hi! I am a new user. I have tried several options to eliminate this thing that redirects my home page. If you can help me I will appreciate it. This is my HijackThis log:

 

Logfile of HijackThis v1.98.2

Scan saved at 23:17:46, on 19/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\z58l0m13wiywethd.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe

C:\WINNT\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE

C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS

C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

C:\WINNT\System32\wuauclt.exe

C:\Archivos de programa\Internet Explorer\iexplore.exe

C:\Documents and Settings\Propietario\Configuración local\Temp\Directorio temporal 1 para hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\SG12UN~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"

O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan

O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196

O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

 

I do not know what to do next, please help me.


You are running HijackThis from within a temporary folder. That is not a good idea, as you will lose your ability to restore any mistakes. Right-click on your desktop and select New > Folder. Name the folder hijackthis. Then unzip HijackThis into the new folder. We are going to empty the temporary folders at the end, so it will get deleted if you don't move it.

 

Uninstall all of the following that are listed in "Add/Remove Programs" in the Windows® Control Panel.

 

Spyware Begone

 

Download CWShredder here. Close all browser windows and click on the Fix/Next button.

 

Make sure you can view hidden and system files: Instructions here.

 

Boot to safe mode: Instructions here.

 

Then close all windows and have HijackThis fix the following entries that are still listed:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

 

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\SG12UN~1.DLL

 

O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe

O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan

O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe

 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

 

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab

 

O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

 

Then delete the following files or folders:

 

C:\WINNT\System32\z58l0m13wiywethd.exe <-File

C:\WINNT\System32\SG12UN~1.DLL <-File

 

The following step is important as you may have several malware files in your temp directory.

 

Then browse to the C:\Documents and Settings\Your User Name\Local Settings\Temp folder (repeat for all users in Documents and Settings) and delete all files and folders in it.

Then browse to the C:\Windows (or C:\WINNT)\Temp folder and delete all files and folders in it.

Then in Internet Explorer click Tools > Internet Options > General. Click Delete Files and make sure you delete all offline content as well.

 

Then empty the recycle bin.

 

Then reboot to normal mode.

 

Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

 

Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

 

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

 

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.

 

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:

 

Scan within archives

Scan active processes

Scan Registry

Deep-scan Registry

Scan my IE Favorites for banned URLs

Scan my Hosts File

 

Then click on the "Tweak" Button to open up the tweak settings.

 

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

 

Scan registry for all users instead of current user only

 

Make sure the following is unchecked with a "red" X:

 

Unload recognized processes & modules during scan.

 

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

 

Always try to unload modules before deletion

During Removal, unload Explorer and IE if necessary

Let Windows remove files in use at next reboot.

 

Click the "Proceed" button to save settings.

 

Click the "Next" button to start the scan.

 

When a scan is completed the Performing System Scan screen will change name to "Scan Complete".

 

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

 

Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However, you can also use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted, as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

 

To fix all the bad critical objects do the following:

 

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

 

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

 

Then search your hard drive for the following file and let me know where it is. You may check the Windows\System32 folder first, as it is probably in it.

 

su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

 

Post a fresh HijackThis log please and the location of the above file.

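The entries the reply above tells the user to fix share a few recognizable traits: IE start and search pages pointing at win-eto.com, a BHO registered with no name from an 8.3 short-name DLL in System32, Run and RunServices values whose command is a bare file name (32RUNdll.exe) that Windows resolves through PATH instead of an explicit path, an O16 DPF line whose URL uses the ms-its: handler to pull ieloader.exe out of a remote .chm, and an AppInit_DLLs value naming a random-looking DLL with stacked .dll suffixes (on Windows XP every DLL listed there is loaded into each process that links user32.dll, which is why it survives ordinary cleanup). The script below is an added example, not code from the thread or from HijackThis: it parses lines in HijackThis 1.98 log format and reports which of those traits each line shows. The domain list, the random-name heuristic and the sample lines (copied from the logs in this thread) are the example's own assumptions.

```python
"""Triage HijackThis 1.98 log lines for the hijacker traits seen in this thread.
Added example, not code from the thread or from HijackThis; the domain list, the
random-name heuristic and the sample lines below are this example's assumptions."""
import re
from urllib.parse import urlsplit

# Assumed block list: the domains named in this thread.
SUSPECT_DOMAINS = {"win-eto.com", "greg-search.com", "greg-tut.com", "t.swapx.cc"}
# Random-looking stem: 12-20 alphanumerics mixing letters and digits ("z58l0m13wiywethd").
RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,20}$", re.I)
# Stacked ".dll" suffixes, as in the O20 lines of the thread.
STACKED_DLL = re.compile(r"(\.dll){2,}$", re.I)
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 body layout: HIVE\..\Run: [value name] command
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\SG12UN~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll.dll.dll.dll
"""

def file_name(path):
    """Last component of a Windows path, or the bare name itself."""
    return path.strip('"').rsplit("\\", 1)[-1]

def stem(path):
    return file_name(path).split(".")[0]

def suspect_host(host):
    host = host.lower().lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def command_target(cmd):
    """Executable part of a Run value: the quoted path, or the first token."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage_entry(line):
    """Reasons a single HijackThis line is suspicious; empty list if none."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sec, body, reasons = m.group("sec"), m.group("body"), []
    if sec in ("R0", "R1"):
        url = body.split(" = ", 1)[-1]
        if url.lower().startswith("http") and suspect_host(urlsplit(url).hostname or ""):
            reasons.append("IE start/search page points at a known hijack domain")
    elif sec == "O2":
        parts = body.split(" - ")
        if "(no name)" in parts[0]:
            reasons.append("BHO registered without a name")
        if "~" in file_name(parts[-1]) or RANDOM_STEM.match(stem(parts[-1])):
            reasons.append("BHO DLL has an 8.3 short name or a random file name")
    elif sec == "O4":
        m4 = O4_RE.match(body)
        if m4:
            target = command_target(m4.group("cmd"))
            if "\\" not in target:
                reasons.append(m4.group("key") + " value is a bare file name, resolved through PATH at logon")
            if RANDOM_STEM.match(stem(target)):
                reasons.append("autorun target has a random file name")
    elif sec == "O15":
        reasons.append("site added to the IE Trusted sites zone (review)")
        if suspect_host(body.split(":", 1)[-1].strip()):
            reasons.append("trusted-zone entry is a known hijack domain")
    elif sec == "O16":
        url = body.split(" - ")[-1]
        if url.lower().startswith("ms-its:") or "::/" in url:
            reasons.append("DPF entry loads a file out of a .chm through the ms-its: handler")
    elif sec == "O20":
        value = body.split(":", 1)[-1].strip()
        if value:
            # Every DLL named in AppInit_DLLs is loaded into each process that links user32.dll.
            reasons.append("AppInit_DLLs is set: DLL injected into every user32 process")
            if STACKED_DLL.search(value) or RANDOM_STEM.match(stem(value)):
                reasons.append("AppInit DLL has a random name with stacked .dll suffixes")
    return reasons

def triage_log(text):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    hits = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line, *("    -> " + r for r in reasons), sep="\n")
```

Run it as-is to see the report for the sample, or feed a whole log to `triage_log`. The heuristics are deliberately narrow: an Intel hkcmd.exe entry with a full path and a normal name is not reported, while the same key holding a bare `32RUNdll.exe` is, because a value that relies on PATH lookup is what the malware in this thread used to hide where its file lives.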

OK, I did all that you said. The problem is still here. The file you mentioned didn't appear. Here is the new log:

 

Logfile of HijackThis v1.98.2

Scan saved at 20:53:48, on 20/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe

C:\WINNT\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE

C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS

C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

C:\WINNT\System32\wuauclt.exe

C:\WINNT\System32\svchost.exe

C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196

O20 - AppInit_DLLs: xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


Launch Notepad.

Copy/paste the text in the box below into a new text file.

Save it as fixme.reg on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Melcosoft]

 

Download Registrar Lite here.

 

Copy and paste the following into the address bar and click go:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

 

Double-click the AppInit_DLLs value in the right pane to open its properties.

 

Clear anything in the "Value" line and then OK out.

 

Go here: http://download.broadbandmedic.com and download Pocket KillBox.

Run Killbox.exe and be sure that 'Delete on Reboot' is checked.

 

Copy and paste each of the following file(s) to the address bar:

 

C:\WINDOWS\system32\xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\WINNT\System32\W8C6S4~1.DLL

 

After each file press the 'Delete' icon to the far right of the address bar

A dialog box will ask if you want to delete and reboot now - on all but the last file, answer 'No'

For the last file (or first, if only one file), answer 'Yes'

 

On restart, reboot in Safe Mode and verify that the files have been deleted.

 

Locate fixme.reg on your Desktop that you created in the first step and double-click on it.

 

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

 

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully"

 

Then check the following items in HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

 

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

 

O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe

 

O20 - AppInit_DLLs: xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Close all windows except HijackThis and click Fix checked.

 

Reboot in normal mode and scan again.


I am stuck on the first step, trying to copy and paste this instruction into the address bar in IE:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Window


I did it, sorry. This is the new log:

 

Logfile of HijackThis v1.98.2

Scan saved at 21:30:21, on 21/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe

C:\WINNT\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE

C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS

C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

C:\WINNT\System32\imapi.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O20 - AppInit_DLLs: t6g9s6z6n665lsl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


Apparently this is a new variant. There are several people working on these in several forums and they are proving difficult to remove. Let me see if I can get some additional information.

 

Download Autoruns here.

Open it, click on View in the top menu and make sure all of the following are checked:

 

Show All Locations

Show Services

 

Then click the save button and save the .txt file generated. Copy and paste the contents of it into the next reply.

 

Download the Registry Search Tool here. Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Put the following in the search box:

 

{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}

 

Post or upload the results.


This is the Autoruns log:

 

HKLM\System\CurrentControlSet\Services

 

+ AudioSrv Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ Browser Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ CryptSvc Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ Dnscache Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ ERSvc Allows error reporting for services and applications running in non-standard environments. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\winnt\system32\services.exe

 

+ helpsvc Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ HidServ Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ lanmanserver Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) and NetBIOS name resolution. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ PCCPFW Manages the PC-cillin personal firewall. (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pccpfw.exe

 

+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\winnt\system32\services.exe

 

+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\winnt\system32\lsass.exe

 

+ PrismXL PrismXL Service (Not verified) Lanovation c:\archivos de programa\archivos comunes\lanovation\prismxl\prismxl.sys

 

+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\winnt\system32\lsass.exe

 

+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\winnt\system32\lsass.exe

 

+ Schedule Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ SENS Tracks system events such as Windows logon, network, and power events, and notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\winnt\system32\spoolsv.exe

 

+ srservice Performs system restore functions. To stop the service, turn off System Restore from the System Restore tab in My Computer properties. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ Themes Provides user experience theme management. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ Tmntsrv Enables PC-cillin real-time scanning. (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\tmntsrv.exe

 

+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ uploadmgr Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ W32Time Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ WebClient Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ winmgmt Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be updated manually at the Windows Update Web site. Microsoft Corporation c:\winnt\system32\svchost.exe

 

+ WZCSVC Provides automatic configuration for 802.11 adapters Microsoft Corporation c:\winnt\system32\svchost.exe

 

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon

 

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

 

+ C:\WINNT\system32\userinit.exe, Userinit Logon Application Microsoft Corporation c:\winnt\system32\userinit.exe

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

 

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

 

+ Explorer.exe Windows Explorer Microsoft Corporation c:\winnt\explorer.exe

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

+ HotKeysCmds hkcmd Module Intel Corporation c:\winnt\system32\hkcmd.exe

 

+ IgfxTray igfxTray Module Intel Corporation c:\winnt\system32\igfxtray.exe

 

+ PCCClient.exe PCCClient (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pccclient.exe

 

+ pccguide.exe PCCGuide (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pccguide.exe

 

+ Pop3trap.exe POP3Trap (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pop3trap.exe

 

+ SunJavaUpdateSched c:\archivos de programa\java\j2re1.4.2_03\bin\jusched.exe

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

 

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio

 

+ Microsoft Office.lnk Microsoft Office 2000 component (Not verified) Microsoft Corporation c:\archivos de programa\microsoft office\office\osa9.exe

 

C:\Documents and Settings\Propietario\Menú Inicio\Programas\Inicio

 

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

 

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

+ CTFMON.EXE CTF Loader Microsoft Corporation c:\winnt\system32\ctfmon.exe

 

+ MsnMsgr MSN Messenger (Not verified) Microsoft Corporation c:\archivos de programa\msn messenger\msnmsgr.exe

 

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

Task Scheduler

 

 

This is the RegSearch output:

 

REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}" 23/11/2004 21:12:21

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\InprocServer32]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\ProgID]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\Programmable]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\TypeLib]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\VersionIndependentProgID]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj\CLSID]

@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1\CLSID]

@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here\CLSID]

@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1\CLSID]

@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]


This is the hijack this log:

 

Logfile of HijackThis v1.98.2

Scan saved at 22:15:05, on 24/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe

C:\WINNT\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE

C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS

C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

C:\Archivos de programa\Microsoft Office\Office\EXCEL.EXE

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

C:\WINNT\System32\wuauclt.exe

C:\Archivos de programa\Internet Explorer\iexplore.exe

C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196

O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


1.

First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL

 

2.

Download the latest version of AVG antivirus here and install it. Disable your existing antivirus temporarily and have AVG do a full scan. Have it remove everything it finds.

 

3.

Download CWShredder here and unzip it to your desktop. Don't run it yet.

 

4.

Reboot to safe mode.

 

5.

Run CWShredder. Close all browser windows and click on the fix/next button.

 

6.

Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it search.reg.

Double click on the search.reg file and grant it permission to add the registry entries.

 

REGEDIT4

 

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

 

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]

 

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]

 

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1]

 

[-HKEY_CLASSES_ROOT\redalert.here]

 

[-HKEY_CLASSES_ROOT\redalert.here.1]

 

[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]

 

7. Open killbox

 

Make sure the following are checked:

 

Delete on Reboot

End Explorer Shell While Killing File

Unregister .dll Before Deleting

 

Then type the full path to the following files in the killbox address bar:

 

C:\WINNT\System32\W8C6S4~1.DLL (Note - Use the full name you got in the first step above)

 

and

 

C:\WINNT\System32\hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

 

Click the Delete on Reboot button. Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; click No until you have pasted the path to the last file. On the last file, click Yes and allow it to reboot.

 

8.

After the reboot, scan with HijackThis and fix all the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403

 

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

 

O15 - Trusted Zone: *.greg-search.com

 

O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Reboot and post another log.

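The entries the helper lists for fixing above share a few traits that can be checked mechanically: R0/R1 settings pointing at a domain named in this thread, an O2 BHO registered with "(no name)" or an 8.3 short-name path, an O15 Trusted Zone entry, and a non-empty O20 AppInit_DLLs value. The Python script below is an added example, not part of this thread or of HijackThis; it applies those rules to lines in HijackThis v1.98 log format. The sample log lines are constructed from the logs posted above, and the domain list, the rule set and the "review" verdict for O17 NameServer entries are the example's own assumptions rather than statements from the thread.

```python
"""Triage HijackThis v1.98 log lines for the browser-hijacker traits seen in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Domains named in this thread as hijack targets (assumption: extend with your own list).
HIJACK_DOMAINS = {"win-eto.com", "greg-search.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
SHORT_NAME_RE = re.compile(r"~\d+\.")          # 8.3 short file name such as W8C6S4~1.DLL
REPEATED_DLL_RE = re.compile(r"(?:\.dll){3,}$", re.IGNORECASE)

# Constructed sample, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196
O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll.dll
"""


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "O20"
    verdict: str   # "suspicious", "review" or "ok"
    reason: str
    line: str


def url_host(value: str) -> Optional[str]:
    """Host part of a URL-looking setting value; None for non-URL values such as folder names."""
    if "://" not in value:
        return None
    return urlsplit(value.strip()).hostname


def is_hijack_domain(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for header and process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        host = url_host(body.partition(" = ")[2])
        if host and is_hijack_domain(host):
            return Finding(code, "suspicious", f"IE start/search setting points at {host}", line)
        return Finding(code, "ok", "IE setting with no known hijack host", line)
    if code == "O2":
        reasons = []
        if "(no name)" in body:
            reasons.append("BHO registered without a name")
        if SHORT_NAME_RE.search(body):
            reasons.append("BHO path is an 8.3 short name that hides the real file name")
        if reasons:
            return Finding(code, "suspicious", "; ".join(reasons), line)
        return Finding(code, "review", "named BHO; confirm the vendor", line)
    if code == "O15":
        return Finding(code, "suspicious", "Trusted Zone entry lowers IE security for that site", line)
    if code == "O17":
        return Finding(code, "review", "NameServer override; confirm these are your ISP's DNS servers", line)
    if code == "O20":
        dlls = body.partition("AppInit_DLLs:")[2].strip()
        if not dlls:
            return Finding(code, "ok", "AppInit_DLLs is empty", line)
        reason = "AppInit_DLLs loads this DLL into every process that maps user32.dll"
        if REPEATED_DLL_RE.search(dlls):
            reason += "; repeated .dll suffix matches the pattern in this thread"
        return Finding(code, "suspicious", reason, line)
    return Finding(code, "ok", "not covered by these rules", line)


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def suspicious_lines(log_text: str) -> List[str]:
    """The lines a helper would list under 'fix these'."""
    return [f.line for f in triage(log_text) if f.verdict == "suspicious"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.verdict:10} {finding.code:4} {finding.reason}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the O20 rule fires on any non-empty AppInit_DLLs value, because that key is almost never populated on a clean home machine, and the O17 rule only asks for a check, since the thread never establishes that those name servers were part of the infection.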

I did it all. The anti-virus didn't find anything. This is the new log:

 

Logfile of HijackThis v1.98.2

Scan saved at 23:49:00, on 24/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINNT\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE

C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS

C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O20 - AppInit_DLLs: fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


OK, let's try another method.

 

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Save it to your desktop; you'll need it later.

 

Close all Internet Explorer windows and folders as well.

 

Now run the APM program.

In the upper window select C:\WINNT\explorer.exe.

In the lower window find and right-click this file:

 

C:\WINNT\System32\W8C6S4~1.DLL

Select Unload DLL and click OK on the prompts that follow.

 

Do the same for fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll or whatever file is currently listed in the O20 line

 

Run HijackThis and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

 

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

 

O20 - AppInit_DLLs: fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

 

======================

Run CWShredder again.

 

Scan and post another log.


CWShredder didn't find anything. It is frustrating to deal with this spyware. This is the new log:

 

Logfile of HijackThis v1.98.2

Scan saved at 22:28:00, on 25/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINNT\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS

C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

C:\WINNT\System32\wuauclt.exe

C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196


Yes but we made progress the last time as the O20 entry is gone. I think we are close now.

 

1.

First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL

 

2.

Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it search.reg.

Save it to your desktop and do not run it yet.

REGEDIT4

 

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

 

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]

 

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]

 

[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1]

 

[-HKEY_CLASSES_ROOT\redalert.here]

 

[-HKEY_CLASSES_ROOT\redalert.here.1]

 

[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]

 

3.

Disconnect from the internet and stay disconnected until you are through with these instructions.

 

4.

Double click on the search.reg file and grant it permission to add the registry entries.

 

5. Open killbox

 

Make sure the following are checked:

 

Delete on Reboot

 

Then type the full path to the following files in the killbox address bar:

 

C:\WINNT\System32\W8C6S4~1.DLL (Note - Use the full name you got in the first step above)

 

6.

After the reboot, scan with HijackThis and fix all the following entries.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

 

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

Reboot and post another log.

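The regsearch dump posted earlier and the two search.reg removal files use the same REGEDIT4 text format; the detail that matters is the leading minus in `[-KEY]`, which deletes the whole key on import, while a plain `[KEY]` followed by `@="..."` creates the key and sets its default value (so importing the regsearch dump as a .reg file would re-create the very entries being removed, which is what its "restore" note refers to). Before double-clicking a .reg file and granting it permission, it is worth seeing exactly which keys it deletes. The Python parser below is an added example, not a tool from this thread; the two sample files are constructed from the keys named in the thread, the list of "container" names treated as too broad to delete is the example's own assumption, and multi-line hex value continuations are not handled.

```python
"""Review a REGEDIT4 (.reg) file before importing it: list what it would delete, create or set."""
import re
from dataclasses import dataclass
from typing import Dict, List

SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")\s*=\s*(?P<data>.+)$')

# Assumption: deleting a key whose last component is one of these wipes a container, not one entry.
CONTAINER_NAMES = {"software", "system", "classes", "clsid", "interface", "typelib",
                   "microsoft", "windows", "currentversion", "run", "explorer"}

# Constructed samples using the keys named in this thread: a removal file like the helper's ...
SAMPLE_REMOVAL = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]

[-HKEY_CLASSES_ROOT\redalert.here.1]
"""

# ... and a search dump in the RegSrch.vbs output style, which re-creates keys if imported.
SAMPLE_DUMP = r"""REGEDIT4
; Registry search results for string "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here\CLSID]
@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"
"""


@dataclass
class RegAction:
    key: str
    action: str       # delete_key | create_key | set_value | delete_value
    name: str = ""    # value name; "@" is the key's default value
    data: str = ""    # data exactly as written in the file (quotes and type prefix kept)


def parse_reg(text: str) -> List[RegAction]:
    """Parse REGEDIT4 text into the actions regedit would perform on import.

    Handles [KEY], [-KEY], "name"=data, "name"=- and @=data; multi-line hex
    continuations (lines ending in a backslash) are not supported and raise.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    actions: List[RegAction] = []
    current = None
    for line in lines[1:]:
        if line.startswith(";"):          # comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            actions.append(RegAction(current, "delete_key" if m.group("delete") else "create_key"))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("name") == "@" else m.group("name")[1:-1]
            data = m.group("data").strip()
            if data == "-":               # "name"=- removes that value
                actions.append(RegAction(current, "delete_value", name))
            else:
                actions.append(RegAction(current, "set_value", name, data))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return actions


def is_broad(key: str) -> bool:
    """True when deleting this key would remove a whole hive or container."""
    parts = key.split("\\")
    return len(parts) <= 1 or parts[-1].lower() in CONTAINER_NAMES


def summarize(actions: List[RegAction]) -> Dict[str, List[str]]:
    return {
        "deleted_keys": [a.key for a in actions if a.action == "delete_key"],
        "created_keys": [a.key for a in actions if a.action == "create_key"],
        "set_values": [f"{a.key}\\{a.name} = {a.data}" for a in actions if a.action == "set_value"],
        "deleted_values": [f"{a.key}\\{a.name}" for a in actions if a.action == "delete_value"],
        "broad_deletions": [a.key for a in actions if a.action == "delete_key" and is_broad(a.key)],
    }


if __name__ == "__main__":
    for label, text in (("removal file", SAMPLE_REMOVAL), ("search dump", SAMPLE_DUMP)):
        print(label)
        for kind, items in summarize(parse_reg(text)).items():
            for item in items:
                print(f"  {kind}: {item}")
```

The "broad_deletions" list is the check to look at first: a removal file from a helper should only name the hijacker's own CLSID, ProgID, Interface and TypeLib keys, as the one above does, and never a container such as `HKEY_LOCAL_MACHINE\SOFTWARE` or `HKEY_CLASSES_ROOT\CLSID`.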

I think it's gone!

 

This is the new log:

 

Logfile of HijackThis v1.98.2

Scan saved at 21:49:38, on 26/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINNT\System32\ctfmon.exe

C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE

C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS

C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

C:\WINNT\System32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab


You're welcome,

 

You may delete all the files you downloaded. They should not be needed anymore.

 

Some tips to keep your computer secure:

 

1. Keep Windows updated via the Windows Update site. Better yet, set it up to update automatically. Instructions here.

2. Keep a good antivirus system updated and running at all times. I use NOD32, available here. If you want a good free antivirus, try AVG, which is available here.

3. Keep a firewall running at all times. I recommend Sygate Personal, available here.

4. Set up your Internet Explorer security properly. See instructions here.

5. Use Ad-Aware and Spybot S&D weekly after updating.

6. Use SpywareBlaster, SpywareGuard and IE-SPYAD. Links to all of these are on my site here.

7. Replace your hosts file with the one available here.

8. Run BugOff, available here, which disables three exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection.

9. Switch browsers. Try Firefox, available here, or Opera, available here.
