marrufol
Posted November 20, 2004

Hi! I am a new user. I have tried several options to eliminate this thing that redirects my home page. If you can help me I will appreciate it. This is my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 23:17:46, on 19/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\z58l0m13wiywethd.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINNT\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINNT\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Propietario\Configuración local\Temp\Directorio temporal 1 para hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\SG12UN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196
O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

I do not know what to do next, please help me.
yellowhammer
Posted November 20, 2004

You are running HijackThis from within a temporary folder. That is not a good idea, as you will lose your ability to restore any mistakes. Right click on your desktop and select New>Folder. Name the folder hijackthis. Then unzip HijackThis into the new folder. We are going to empty the temporary folders at the end, so it will get deleted if you don't move it.

Uninstall all of the following that are listed in the "Add/Remove Programs" in the Windows® Control Panel:
Spyware Begone

Download cwshredder here. Close all browser windows and click on the fix/next button.

Make sure you can view hidden and system files: Instructions here.

Boot to safe mode: Instructions here.

Then close all windows and have HijackThis fix the following that are still listed:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\SG12UN~1.DLL
O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe
O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\Run: [spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Then delete the following files or folders:
C:\WINNT\System32\z58l0m13wiywethd.exe <-File
C:\WINNT\System32\SG12UN~1.DLL <-File

The following step is important as you may have several malware files in your temp directory. Then browse to the C:\documents and settings\Your User Name (repeat for all users in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows (Winnt)\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools>Internet Options>General. Click on Delete Files; make sure you get all offline content as well. Then empty the recycle bin.

Then reboot to normal mode.

Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:
Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" button to open up the tweak settings. Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:
Scan registry for all users instead of current user only
Make sure the following is unchecked with a "red" X:
Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.
Click the "Proceed" button to save settings. Click the "Next" button to start the scan.

When a scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However, you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following: Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.

Then search your hard drive for the following file and let me know where it is. You may check the windows/system32 first as it is probably in it.
su44i9f91w15pml.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Post a fresh HijackThis log please and the location of the above file.
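Added example, not part of the thread and not code from HijackThis or any tool named in the reply above: a small Python triage script that reads HijackThis-style log lines and applies the same criteria the reply uses when it picks entries to fix. It flags IE start/search settings pointing at the hijacker domain, a Browser Helper Object with no name, O4 Run entries that give only a bare filename (such as 32RUNdll.exe) or a random-looking executable name, a DPF entry that uses ms-its: to load an executable out of a CHM, a Trusted Zone entry for the hijacker's domain (the O15 line that shows up in a later log in this thread), and any non-empty AppInit_DLLs value. The HIJACK_DOMAINS list is taken from the logs posted in this thread; the 12-character random-name threshold is my own heuristic, and the sample log inside the script is constructed from entries in the thread plus a few benign lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the HijackThis logs in this thread,
# plus benign lines (Radio toolbar, hkcmd) so the rules have something to
# leave alone. Header and process lines are skipped by the parser.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\z58l0m13wiywethd.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\SG12UN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\z58l0m13wiywethd.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O20 - AppInit_DLLs: su44i9f91w15pml.dll.dll.dll.dll.dll
"""

# Domains the logs in this thread show IE being redirected to (assumption: list built from the thread).
HIJACK_DOMAINS = ("win-eto.com", "greg-search.com", "greg-tut.com")

# Every HijackThis finding line starts with "Xn - " (R0, R1, O2, O4, O15, O16, O20, ...).
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 body layout: "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
# Heuristic (my threshold, not from the thread): 12+ letters/digits before .exe/.dll,
# as in z58l0m13wiywethd.exe. Lookbehind keeps it from matching inside a longer token.
RANDOM_NAME_RE = re.compile(r"(?<![a-z0-9])[a-z0-9]{12,}\.(?:exe|dll)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _hijack_domain(body: str) -> Optional[str]:
    low = body.lower()
    return next((d for d in HIJACK_DOMAINS if d in low), None)


def check_r(body: str) -> Optional[str]:
    d = _hijack_domain(body)
    return f"IE start/search setting points at hijacker domain {d}" if d else None


def check_o2(body: str) -> Optional[str]:
    if body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name; its CLSID is what to search the registry for"
    return None


def check_o4(body: str) -> Optional[str]:
    m = RUN_RE.search(body)
    if not m:
        return None  # Global Startup .lnk entries have no [Name] part
    command = m.group("command").strip().strip('"')
    if "\\" not in command:
        return "Run entry gives a bare filename with no path, so it is resolved by PATH search"
    if RANDOM_NAME_RE.search(command.lower()):
        return "Run entry launches a randomly named executable"
    return None


def check_o15(body: str) -> Optional[str]:
    d = _hijack_domain(body)
    return f"Trusted Zone entry for {d} lowers IE security for that site" if d else None


def check_o16(body: str) -> Optional[str]:
    if "ms-its:" in body.lower():
        return "DPF entry uses the ms-its: protocol to pull an executable out of a CHM"
    return None


def check_o20(body: str) -> Optional[str]:
    value = body.partition(":")[2].strip()
    if value:
        return "AppInit_DLLs is set; that DLL is loaded into every process that loads user32.dll"
    return None


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4,
          "O15": check_o15, "O16": check_o16, "O20": check_o20}


def triage(log_text: str) -> list:
    """Return one Finding per log entry that matches a triage rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank, or "Running processes" path line
        section, body = m.group("section"), m.group("body")
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports eight entries and leaves the Gateway start page, the Radio toolbar and hkcmd.exe alone; the O17 NameServer line is deliberately not checked, since whether those resolvers are legitimate depends on the ISP and is not something a rule can decide from the log.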
marrufol
Posted November 21, 2004

Ok, I did all that you said. The problem is still here. The file you mentioned didn't appear. Here is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 20:53:48, on 20/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\hkcmd.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINNT\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196
O20 - AppInit_DLLs: xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
yellowhammer
Posted November 21, 2004

Launch Notepad. Copy/paste the text in the box below into a new text file. Save it as fixme.reg on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Melcosoft]

Download Registrar Lite here. Copy and paste the following into the address bar and click go:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Double-click the AppInit_DLLs value in the right pane to open its properties. Clear anything in the "Value" line and then OK out.

Go here: http://download.broadbandmedic.com and download Pocket KillBox.
Run Killbox.exe and be sure that 'Delete on Reboot' is checked.
Copy and paste each of the following file(s) to the address bar:
C:\WINDOWS\system32\xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
C:\WINNT\System32\W8C6S4~1.DLL
After each file press the 'Delete' icon to the far right of the address bar.
A dialog box will ask if you want to delete and reboot now - on all but the last file, answer 'No'.
For the last file (or first, if only one file), answer 'Yes'.
On restart reboot in Safe Mode and verify that the files have been deleted.

Locate fixme.reg on your Desktop that you created in the first step and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Then check the following items in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O20 - AppInit_DLLs: xorn1d5v4ibswyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Close all windows except HijackThis and click Fix checked. Reboot in normal mode and scan again.
marrufol
Posted November 21, 2004

When I copy the files to the address bar and click go, it always sends me to the t.swapx.cc page. I also tried it offline. What should I do?
yellowhammer
Posted November 22, 2004

Are you copying the file name to the address bar in Killbox.exe or Internet Explorer? You should have Internet Explorer off while doing this.
marrufol
Posted November 22, 2004

I am stuck in the first step, trying to copy and paste this instruction to the address bar in IE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Window
yellowhammer
Posted November 22, 2004

That is associated with Registrar Lite. Copy and paste it into the address bar in Registrar Lite.
marrufol
Posted November 22, 2004

I did, sorry. This is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 21:30:21, on 21/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\hkcmd.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINNT\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINNT\System32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O20 - AppInit_DLLs: t6g9s6z6n665lsl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
yellowhammer
Posted November 23, 2004

Apparently this is a new variant. There are several people working on these in several forums and they are proving difficult to remove. Let me see if I can get some additional information.

Download autoruns here. Open it and click on View at the top menu and make sure all the following are checked:
Show All Locations
Show Services
Then click the save button and save the .txt file generated. Copy and paste the contents of it into the next reply.

Download the Registry Search Tool here. Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Put the following in the search box:
{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}
Post or upload the results.
marrufol
Posted November 24, 2004

This is the autoruns log:

HKLM\System\CurrentControlSet\Services
+ AudioSrv Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ Browser Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ CryptSvc Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ Dhcp Administra la configuración de la red registrando y actualizando direcciones IP y nombres DNS. Microsoft Corporation c:\winnt\system32\svchost.exe
+ Dnscache Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ ERSvc Permite informar de errores para servicios y aplicaciones que se ejecutan en entornos no estándar. Microsoft Corporation c:\winnt\system32\svchost.exe
+ Eventlog Habilita mensajes de registro de sucesos emitidos por programas basados en Windows y componentes para que se vean en Visor de sucesos. Este servicio no se puede detener. Microsoft Corporation c:\winnt\system32\services.exe
+ helpsvc Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ HidServ Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ lanmanserver Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ lanmanworkstation Crea y mantiene conexiones de cliente de red a servidores remotos. Si se detiene el servicio, estas conexiones no estarán disponibles. Si se deshabilita el servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él. Microsoft Corporation c:\winnt\system32\svchost.exe
+ LmHosts Habilita la compatibilidad con NetBIOS a través del servicio TCP/IP (NetBT) y la resolución de nombres NetBIOS. Microsoft Corporation c:\winnt\system32\svchost.exe
+ PCCPFW Administra el servidor de seguridad personal de PC-cillin. (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pccpfw.exe
+ PlugPlay Habilita un equipo para que reconozca y adapte los cambios de hardware con el menor esfuerzo por parte del usuario. Si se detiene o deshabilita este servicio, el sistema se volverá inestable. Microsoft Corporation c:\winnt\system32\services.exe
+ PolicyAgent Administra la directiva de seguridad IP e inicia el controlador ISAKMP/Oakley (IKE) y de seguridad IP. Microsoft Corporation c:\winnt\system32\lsass.exe
+ PrismXL PrismXL Service (Not verified) Lanovation c:\archivos de programa\archivos comunes\lanovation\prismxl\prismxl.sys
+ ProtectedStorage Ofrece almacenamiento protegido para datos importantes, como claves privadas, para impedir el acceso de servicios, procesos o usuarios no autorizados. Microsoft Corporation c:\winnt\system32\lsass.exe
+ RpcSs Ofrece el asignador de punto final y otros servicios RPC diversos. Microsoft Corporation c:\winnt\system32\svchost.exe
+ SamSs Almacena información de seguridad de cuentas de usuario locales. Microsoft Corporation c:\winnt\system32\lsass.exe
+ Schedule Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ seclogon Habilita los procesos de inicio en credenciales alternas. Si se detiene este servicio, se deshabilitará este tipo de acceso de inicio de sesión. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse. Microsoft Corporation c:\winnt\system32\svchost.exe
+ SENS Registra sucesos del sistema como los de inicio de sesión en Windows, red y energía, y los notifica a los suscriptores de sucesos del sistema COM+. Microsoft Corporation c:\winnt\system32\svchost.exe
+ SharedAccess Ofrece servicios de traducción de direcciones, direccionamiento, resolución de nombres y/o servicios de prevención de intrusión para una red doméstica o de pequeña empresa. Microsoft Corporation c:\winnt\system32\svchost.exe
+ ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ Spooler Carga archivos en la memoria para imprimirlos después. Microsoft Corporation c:\winnt\system32\spoolsv.exe
+ srservice Realiza funciones de restauración del sistema. Para detener el servicio, desactive Restaurar sistema en la ficha de Restaurar sistema en propiedades de Mi PC Microsoft Corporation c:\winnt\system32\svchost.exe
+ Themes Proporciona administración de temas de experiencia de usuario. Microsoft Corporation c:\winnt\system32\svchost.exe
+ Tmntsrv Permite la exploración en tiempo real de PC-cillin. (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\tmntsrv.exe
+ TrkWks Mantiene vínculos entre archivos NTFS dentro de un equipo o entre equipos en un dominio de red. Microsoft Corporation c:\winnt\system32\svchost.exe
+ uploadmgr Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ W32Time Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ WebClient Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ winmgmt Generic Host Process for Win32 Services Microsoft Corporation c:\winnt\system32\svchost.exe
+ wuauserv Habilita la descarga e instalación de actualizaciones críticas de Windows. Si el servicio está deshabilitado, el sistema operativo se puede actualizar manualmente en el sitio Web de Windows Update. Microsoft Corporation c:\winnt\system32\svchost.exe
+ WZCSVC Proporciona configuración automática para los adaptadores 802.11 Microsoft Corporation c:\winnt\system32\svchost.exe
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINNT\system32\userinit.exe, Aplicación de inicio de sesión (Userinit) Microsoft Corporation c:\winnt\system32\userinit.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Explorador de Windows Microsoft Corporation c:\winnt\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ HotKeysCmds hkcmd Module Intel Corporation c:\winnt\system32\hkcmd.exe
+ IgfxTray igfxTray Module Intel Corporation c:\winnt\system32\igfxtray.exe
+ PCCClient.exe PCCClient (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pccclient.exe
+ pccguide.exe PCCGuide (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pccguide.exe
+ Pop3trap.exe POP3Trap (Not verified) Trend Micro Inc. c:\archivos de programa\trend micro\pc-cillin 9\pop3trap.exe
+ SunJavaUpdateSched c:\archivos de programa\java\j2re1.4.2_03\bin\jusched.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
+ Microsoft Office.lnk Microsoft Office 2000 component (Not verified) Microsoft Corporation c:\archivos de programa\microsoft office\office\osa9.exe
C:\Documents and Settings\Propietario\Menú Inicio\Programas\Inicio
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ CTFMON.EXE CTF Loader Microsoft Corporation c:\winnt\system32\ctfmon.exe
+ MsnMsgr MSN Messenger (Not verified) Microsoft Corporation c:\archivos de programa\msn messenger\msnmsgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Task Scheduler

This is the regsearch:

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}" 23/11/2004 21:12:21
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj\CLSID]
@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1\CLSID]
@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here\CLSID]
@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1\CLSID]
@="{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
yellowhammer, posted November 24, 2004

OK, now scan again with HijackThis and post the log. After you do so, do not reboot until I get back with you. This thing changes every time you reboot.
marrufol, posted November 25, 2004

This is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 22:15:05, on 24/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\hkcmd.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINNT\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Microsoft Office\Office\EXCEL.EXE
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINNT\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196
O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
yellowhammer, posted November 25, 2004

1. First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL

2. Download the latest version of AVG antivirus here and install it. Disable your existing antivirus temporarily and have AVG do a full scan. Have it remove everything it finds.

3. Download CWShredder here and unzip it to your desktop. Don't run it yet.

4. Reboot to safe mode.

5. Run CWShredder. Close all browser windows and click on the fix/next button.

6. Copy the information in the quote box into Notepad. Save it to your desktop as type "all files" and name it search.reg. Double click on the search.reg file and grant it permission to add the registry entries.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\redalert.here.1]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]

7. Open KillBox. Make sure the following are checked:
Delete on Reboot
End Explorer Shell While Killing File
Unregister .dll Before Deleting
Then type the full path to the following files in the KillBox address bar:
C:\WINNT\System32\W8C6S4~1.DLL (Note - Use the full name you got in the first step above)
and
C:\WINNT\System32\hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Click the Delete on Reboot button. Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; click No until you have pasted the path to the last file. On the last file click Yes and allow it to reboot.

8. After the reboot, scan with HijackThis and fix all the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Reboot and post another log.
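The entry types yellowhammer singles out above (redirected start/search pages, the unnamed O2 BHO, the O15 Trusted Zone addition, the O17 NameServer change and the O20 AppInit_DLLs entry) can be picked out of a HijackThis log mechanically. This is an added Python triage script, not something from the thread or from HijackThis; the allow-list of expected hosts is an assumption, and the sample log is constructed from entries quoted earlier in this thread.

```python
"""Triage helper for HijackThis v1.98-style logs (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Hosts this machine's owner is assumed to have configured on purpose (assumption).
EXPECTED_HOSTS = {"www.gateway.net", "www.yahoo.com", "red.clientapps.yahoo.com"}

# Constructed sample log, built from entries quoted in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.gateway.net
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\\WINNT\\System32\\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINNT\\System32\\msdxm.ocx
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196
O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll
"""

# Every HijackThis finding starts with its section code, e.g. "R1 - ..." or "O20 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Yield (kind, body) for each R*/O* line; the header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def check_entry(kind, body):
    """Return a reason string if the entry deserves a look, otherwise None."""
    if kind in ("R0", "R1"):
        # Body is "<registry value> = <data>"; only URL-valued settings are judged.
        _, _, value = body.partition(" = ")
        if value.startswith("http"):
            host = urlparse(value).hostname or ""
            if host not in EXPECTED_HOSTS:
                return f"browser start/search page points at unexpected host {host}"
        return None
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name; identify the DLL before trusting it"
    if kind == "O15":
        return "site added to the IE Trusted Zone: " + body.partition(": ")[2]
    if kind == "O17":
        return "DNS servers overridden in the TCP/IP settings"
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        dll = body.partition(": ")[2]
        note = " (stacked .dll suffixes)" if dll.count(".dll") > 1 else ""
        return "DLL loaded into every process via AppInit_DLLs" + note
    return None


def triage(log_text):
    """Return [(kind, body, reason)] for the entries worth fixing, in log order."""
    findings = []
    for kind, body in parse_entries(log_text):
        reason = check_entry(kind, body)
        if reason:
            findings.append((kind, body, reason))
    return findings


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```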
marrufol, posted November 25, 2004

I did it all. The antivirus didn't find anything. This is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 23:49:00, on 24/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\hkcmd.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O20 - AppInit_DLLs: fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
yellowhammer, posted November 25, 2004

OK, let's try another method.

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
Save it to your desktop; you'll need it later.
Close all Internet Explorer windows and folders also.

Now run the APM program.
In the upper window select C:\WINNT\explorer.exe
In the lower window find and right-click this file: C:\WINNT\System32\W8C6S4~1.DLL
Select Unload DLL and click OK on the prompts that follow.
Do the same for fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll or whatever file is currently listed in the O20 line.

Run HijackThis and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O20 - AppInit_DLLs: fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

======================

Run CWShredder again.
Scan and post another log.
marrufol, posted November 26, 2004

CWShredder didn't find anything. It is frustrating to deal with this spyware. This is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 22:28:00, on 25/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\hkcmd.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A028B33F-21D0-4C65-BE3B-493FAB1C5CFC}: NameServer = 200.23.242.202 200.23.242.196
yellowhammer, posted November 26, 2004

Yes, but we made progress the last time, as the O20 entry is gone. I think we are close now.

1. First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL

2. Copy the information in the quote box into Notepad. Save it to your desktop as type "all files" and name it search.reg. Save it to your desktop and do not run it yet.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\redalert.here.1]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]

3. Disconnect from the internet and stay disconnected until you are through with these instructions.

4. Double click on the search.reg file and grant it permission to add the registry entries.

5. Open KillBox. Make sure the following is checked:
Delete on Reboot
Then type the full path to the following file in the KillBox address bar:
C:\WINNT\System32\W8C6S4~1.DLL (Note - Use the full name you got in the first step above)

6. After the reboot, scan with HijackThis and fix all the following entries.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

Reboot and post another log.
marrufol, posted November 27, 2004

I think it's gone! This is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 21:49:38, on 26/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\System32\hkcmd.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Documents and Settings\Propietario\Escritorio\HiJack This\HijackThis.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Archivos comunes\Lanovation\PrismXL\PRISMXL.SYS
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINNT\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
yellowhammer, posted November 27, 2004

Yes, it looks like it is finally gone.
marrufol, posted November 28, 2004

Thank you so much! What should I do with all the programs I downloaded? How can I protect my computer to avoid this kind of spyware?
yellowhammer, posted November 28, 2004

You're welcome. You may delete all the files you downloaded; they should not be needed anymore.

Some tips to keep your computer secure:

1. Keep Windows updated via the Windows Update site. Better yet, set it up to update automatically. Instructions here.
2. Keep a good antivirus system updated and running at all times. I use NOD32, available here. If you want a good free antivirus, try AVG, which is available here.
3. Keep a firewall running at all times. I recommend Sygate Personal, available here.
4. Set up your Internet Explorer security properly. See instructions here.
5. Use Ad-Aware and Spybot S&D weekly after updating.
6. Use SpywareBlaster, SpywareGuard and IE-SPYAD. Links to all of these are on my site here.
7. Replace your hosts file with the one available here.
8. Run BugOff, available here, which disables three exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection.
9. Switch browsers. Try Firefox, available here, or Opera, available here.