A new twist on an old problem?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ibizabar18, Dec 9, 2004.

  1. ibizabar18

    ibizabar18 Private E-2

    FIRST, I have read the sticky thread and followed each step to the 'T'. (Except the Adaware SE step -- see below.)

    That being said, I have (almost, I'm sure) the same EXTREMELY annoying problem other posters on this forum have. My home page has been set to

    ttp://t.swapx.cc/h.php?aid=11034

    (this is in the address bar)

    ttp://win-eto.com/hp.htm?id=11034

    (and this is in the Internet Options "select home page bar")

    {I left off the h in http so as to not create links.}

    I cannot change this home page for the life of me. I am also redirected to porn sites, porn sites are showing up in my favorites bar and programs are running noticeably slower.

    Adaware SE will not complete a scan. I tried it over 10 times and

    1st--- 3 or 4 times it just froze while scanning deep registry (I think that's what it's called).

    2nd--- A popup comes up that says Remote Procedure Call (RPC) {something} and automatically reboots my computer without finishing the scan. I didn't have any of the 3 (from step #2 in the sticky thread).

    Also it seems that every time I run Spybot SD it finds something new. I always check it and clean it but I scan again and it finds either the same thing or something new it didn't find the last time. The only thing I never check is Hotbar which I've had installed for almost two years.

    I'll post Hijackthis log shortly...

    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post duplicate threads. I deleted the other one.

    Sounds like you may be out of date with your Windows updates. First run this:
    Microsoft Blaster Worm Removal Tool

    Then, if you have completed ALL steps of the READ ME FIRST (see if you can run Ad-Aware SE now) and you still have a problem, you should read the tutorial in this Sticky thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT Version 1.98.2 and follow the guideline on where to install it and how to post a log as an attachment.
     
  3. ibizabar18

    ibizabar18 Private E-2

    Here is the HijackThis log....

  4. PhilliePhan

    PhilliePhan Guest

    Hi Ibizabar18,

    It would make us more comfortable if you would please locate HijackThis in its own folder - C:\Program Files\HijackThis.

    ALSO, Please download the following tool:

    Pocket KillBox

    This is great for knocking out that troublesome DLL.

    I've got to get back to real work, but Chas or I will check back later.

    PP :)
     
  5. ibizabar18

    ibizabar18 Private E-2

    Sorry about that,

    I hope this is better. Please let me know if not.

  6. PhilliePhan

    PhilliePhan Guest

    Hi Ibizabar18,

    It is probably a good idea to lose the BearShare. It'll save you some headaches down the road.

    I am unsure about these two. I'll leave them alone:
    C:\windows\System32\mciole32.exe
    O4 - HKCU\..\Run: [mciole32] C:\windows\System32\mciole32.exe

    NOW:
    Please look in Add or Remove Programs for the following and Uninstall them if found:

    VVSN
    BearShare ---> Suggested

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST , navigate to C:\WINDOWS\System32\6ex4hhdlr76g6wl.dll and verify that this is the correct path for the DLL.
    If it is not there, try looking for it here: C:\WINDOWS\6ex4hhdlr76g6wl.dll

    After you find the correct path, run Pocket Killbox and choose the Delete on Reboot option. Navigate to 6ex4hhdlr76g6wl.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file should be and make sure it is gone.

    Once it is gone, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    VVSN.exe
    9mws6sr1e9thd.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11034

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11034

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=11034

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\windows\System32\UJ2DD7~1.DLL

    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause ---> Suggested

    O4 - HKLM\..\Run: [Control handler] C:\windows\System32\9mws6sr1e9thd.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present ---> Ok if set by You or Spybot

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\windows\web\related.htm ---> Mild Spyware

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\windows\web\related.htm ---> Mild Spyware

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/273c9c8168193b62de06/netzip/RdxIE601.cab

    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    O20 - AppInit_DLLs: 6ex4hhdlr76g6wl.dll.dll.dll.dll.dll.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and navigate to and DELETE the following if they should remain:

    C:\Program Files\BearShare ---> The Folder Suggested
    C:\windows\web\related.htm ---> Mild Spyware
    C:\windows\System32\UJ2DD7~1.DLL --> There may be additional #s
    C:\Program Files\VVSN ---> The Folder
    C:\windows\System32\9mws6sr1e9thd.exe

    NOW:
    Run CWShredder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when I can get some free time.

    Best luck :)
    PP
     
  7. ibizabar18

    ibizabar18 Private E-2

    Okay. First of all, thank you for your time.

    In (Add or Remove Programs) there was no VVSN or BearShare.

    Also, no:

    C:\WINDOWS\System32\6ex4hhdlr76g6wl.dll
    or
    C:\WINDOWS\6ex4hhdlr76g6wl.dll
    (so I never ran Killbox)
    or
    C:\windows\System32\UJ2DD7~1.DLL --> There may be additional #s

    Everything else was indeed present and was dealt with as instructed.

    My computer is still running noticeably slower and I still cannot change my homepage.

    I have attached a new HijackThis log. The website says the .log is an invalid file type and will not allow me to upload it?????

    Last edited: Dec 10, 2004
  8. PhilliePhan

    PhilliePhan Guest

    Hi Ibizabar18,

    I am a bit rushed with work these days, so I have to be brief. Please use my previous instructions as the model for the below.

    The entries may mutate on reboot. The DLL we are trying to kill with KillBox is the O20 item.

    So, run the same procedure for KillBox - This time, look for and make sure you kill 45zjzwuh75x2mwl.dll.

    Then run HijackThis as before and have it fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\windows\System32\W8C6S4~1.DLL

    O4 - HKLM\..\Run: [tibs3] C:\windows\System32\tibs3.exe

    O20 - AppInit_DLLs: 45zjzwuh75x2mwl.dll.dll.dll.dll.dll.dll.dll.


    Boot to safe mode w/ View hidden files and delete the following if you find them:

    C:\windows\System32\W8C6S4~1.DLL
    C:\windows\System32\tibs3.exe ---> This is new to the log. It's a porn Dialer

    Post back W/Results and new log. I will try to check back tonight if time permits.

    PP :)
     
  9. ibizabar18

    ibizabar18 Private E-2

    I cannot find the file 45zjzwuh75x2mwl.dll in either C:/windows or C:/windows/system32, so I went no further (not knowing if it would still be beneficial).
     
  10. PhilliePhan

    PhilliePhan Guest

    The bad DLL may have changed again if you have since rebooted. What you will need to do is scan with HijackThis and then look for an O20 entry similar to a previous one, like O20 - AppInit_DLLs: 45zjzwuh75x2mwl.dll.dll.dll.dll.dll.dll.dll. - Then, perform the KillBox routine on it and complete the rest of the above instructions.

    If you still have trouble, please include a HJT log and then do not reboot until I can check back. Trouble is, I'm not able to visit this forum too often these days. You may put your machine in "Standby Mode," but do not reboot.

    PP :)
     
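    Added example, not from this thread or from HijackThis/KillBox: a small Python triage of the HJT lines PhilliePhan works through in posts 6, 8 and 10. It strips the stacked ".dll.dll" padding from the O20 AppInit_DLLs entry to recover the real filename, flags Run entries with random-looking names and start/search pages pointing off a trusted list, and diffs two logs to show which AppInit DLL name appeared after a reboot. The trusted-host list and the random-name rule are assumptions; the sample lines are the thread's own.

```python
import re
from urllib.parse import urlparse
# Constructed sample input: the HijackThis lines quoted in posts 6 and 8 of this thread.
LOG_BEFORE_REBOOT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11034
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Control handler] C:\windows\System32\9mws6sr1e9thd.exe
O20 - AppInit_DLLs: 6ex4hhdlr76g6wl.dll.dll.dll.dll.dll.dll
"""
LOG_AFTER_REBOOT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O4 - HKLM\..\Run: [tibs3] C:\windows\System32\tibs3.exe
O20 - AppInit_DLLs: 45zjzwuh75x2mwl.dll.dll.dll.dll.dll.dll.dll.
"""
# Assumptions: start/search-page hosts this user trusts, and "random-looking" meaning
# ten or more mixed letters and digits, like the DLL and EXE names in this thread.
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$", re.I)

def appinit_dll(line):
    """Real filename behind an O20 AppInit_DLLs line, stacked '.dll.dll...' padding removed."""
    m = re.match(r"O20 - AppInit_DLLs:\s*(\S+)", line)
    name = m.group(1).rstrip(".") if m else ""  # other O20 lines (Winlogon Notify) give ""
    while name.lower().endswith(".dll.dll"):
        name = name[:-4]
    return name

def triage(log):
    """(line, reason) pairs a helper would tell the poster to fix."""
    hits = []
    for line in log.strip().splitlines():
        if line.startswith(("R0 -", "R1 -")) and " = http" in line:
            host = urlparse(line.split(" = ", 1)[1]).hostname
            if host not in TRUSTED_HOSTS:
                hits.append((line, f"browser page hijacked to {host}"))
        elif line.startswith("O4 -"):  # autorun: take the executable's basename without .exe
            m = re.search(r'\]\s*"?(.+?\.exe)', line, re.I)
            stem = re.split(r"[\\/]", m.group(1))[-1][:-4] if m else ""
            if RANDOM_NAME.match(stem):
                hits.append((line, f"autorun with random-looking name {stem}"))
        elif line.startswith("O20 -"):
            dll = appinit_dll(line)
            if dll and (line.count(".dll") > 1 or RANDOM_NAME.match(dll.split(".")[0])):
                hits.append((line, f"AppInit_DLLs injects {dll} into every process"))
    return hits

def changed_appinit(before, after):
    """O20 DLL names seen only after a reboot: the file KillBox must target now."""
    o20 = lambda log: {appinit_dll(l) for l in log.splitlines() if l.startswith("O20 -")} - {""}
    return sorted(o20(after) - o20(before))
```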
  11. ibizabar18

    ibizabar18 Private E-2

    I have completed your instructions and I will not reboot until you check back.

    I am now having problems clicking on links in IE and I cannot type in the box in Yahoo Mail.

  12. PhilliePhan

    PhilliePhan Guest

    Hi Ibizabar18,

    Your HJT Log looks OK. Did you have any problems removing any of the items I listed? Please go ahead and reboot your machine now - looks like you got all the SwapX.

    After rebooting, try running the latest version of CWShredder again and see if it detects anything. Then update and run SpybotSD once more, reboot, and see if the problems with IE and Yahoo mail remain.

    Best luck :)
    PP
     
  13. ibizabar18

    ibizabar18 Private E-2

    Thank you, I can now change my homepage!!

    However, the problems with Yahoo! and IE remain.

    In Yahoo!, I cannot type in the compose mail box and IE will not allow me to click on links (sometimes I can refresh the page and the link will work; other times it won't). I always get that yellow triangle in the bottom left hand corner of the page that says "error on page".
     
  14. PhilliePhan

    PhilliePhan Guest

    This sounds like it may be a settings issue. Often, after doing battle with malware and running a lot of tools, the Web Settings need to be reset. You might also try looking in Add/Remove programs and IE and see if there is a "Repair" option and try that if need be.
    I doubt if the Malware or the items we removed are directly connected to this new problem. My gut says that settings may have been changed during the removal process.
    Keep me posted.

    PP :)
     
  15. ibizabar18

    ibizabar18 Private E-2

    I tried Restore Web Settings and I still have the same problem. IE is in Add/Remove Windows Components and, as you know, doesn't have a repair option. My Windows Media Player also won't play streaming media (this has been for a long time). Any thoughts?
     
  16. PhilliePhan

    PhilliePhan Guest

    I am not too familiar with Yahoo!, so little help there... Sorry.

    Regarding Windows Media Player, do you have the latest version? Maybe install the latest version from Windows Update - I seem to remember being prompted to download it there. There could be lots of possible causes for the problem - suggest you take a look at the Troubleshooting section here:
    http://support.microsoft.com/default.aspx?scid=/support/mediaplayer/wmptshoot.asp

    For IE, if repairing is not an option, perhaps try the following:

    Start > Run > Type or Copy and Paste regsvr32 urlmon.dll and click OK and then do the same for the rest of these:

    Start > Run > regsvr32 Shdocvw.dll
    Start > Run > regsvr32 Msjava.dll
    Start > Run > regsvr32 Actxprxy.dll
    Start > Run > regsvr32 Oleaut32.dll
    Start > Run > regsvr32 Mshtml.dll
    Start > Run > regsvr32 Browseui.dll
    Start > Run > regsvr32 Shell32.dll

    Best luck :)
    PP
     
  17. ibizabar18

    ibizabar18 Private E-2

    Not too worried about WMP, just thought it may have something to do w/ IE.

    As of now, I cannot type emails, I cannot even open a new email account anywhere because I can't click on links. This is very annoying.

    I did what you said in your last post and still nothing. Hmmm.
     
  18. PhilliePhan

    PhilliePhan Guest

    Hi Ibizabar18,

    Like you, I am at a loss here. I had heard of this occurring after a CWS infection, but have never seen it firsthand. That's why I thought immediately it was a settings issue.

    I looked to Microsoft and they suggest what I suggested in last post. They also list some registry entries to check as well - so it might be worth reading.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281679&sd=tech

    A more drastic approach would be to repair or reinstall IE, here:
    http://www.theeldergeek.com/repair_reinstall_ie_and_oe_6.htm

    I'm going to try to get a second opinion on the problem as well.

    PP :)
     
  19. ibizabar18

    ibizabar18 Private E-2

    No luck with suggestion #1
     
  20. PhilliePhan

    PhilliePhan Guest

    Hi Ibizabar18,

    I have asked a couple of our more knowledgeable regulars for a second and third opinion - perhaps they'll see what I am missing. Hang in there :)

    PP
     
  21. Matacumbie

    Matacumbie Rocky Top

    Try this, just to rule some things out:

    Reset Web Settings

    Start Internet Explorer.

    On the Tools menu, click Internet Options.

    Click the Programs tab, and then click the Reset Web Settings button.

    Under Internet programs, verify that the correct e-mail program is selected.

    Click to select the "Internet Explorer should check to see whether it is the default browser" check box.

    Click Apply, and then click OK. Restart your computer.

    NOTE: You may receive the following message when Internet Explorer starts:
    Internet Explorer is not currently your default browser. Would you like to make it your default browser?
    If you receive the message, click Yes.

    Steve
     
  22. Turcoloco

    Turcoloco MajorGeek

    After you follow Matacumbie's instructions, see what happens and repost here again before I put in my 2 cents as asked by PP.
    Let us know in detail, with clear examples, what the exact issue is.

    "As of now, I cannot type e-mail, I cannot even open new e-mails accounts" did not mean much to me. Elaborate on these if they are still a problem.
    For example: I cannot type/write new e-mails:

    Turco's questions: What e-mail program are you using? Yahoo, Hotmail, Outlook Express (and also which ones are having the problem)?
    What happens when you click on the "New Message", "Compose", etc. button in the email program to start a new e-mail?
    Is the 'can't open links in IE' still a problem?
    Have you tried holding down the CTRL or SHIFT key prior to clicking on a link to see if that simple workaround helped? If you were to right-click on a link, what options do you get, and can you choose the open in new window option?
    Which browser are you using and have you tried another like Firefox to see if you are able to replicate the problem?
    Keep us posted...
     
