Cannot get rid of here4search & win-eto.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by carnold2, Jan 29, 2005.

  1. carnold2

    carnold2 Private E-2

    I have run everything in the Read Me First before posting, except for Ad-Aware, which does not finish; it says that the RPC times out and it makes the comp restart. The here4search keeps popping up when AOL is turned on, and I just purchased the 2005 update for Norton AntiVirus, and when I download it, it does not run. I think win-eto.com is inhibiting it from downloading correctly; it downloads to a file that just says .xds. I have run HijackThis and attached it. Please let me know what I can do to fix my problems.
     

    Attached Files:

  2. PhilliePhan

    PhilliePhan Guest

    Hi Carnold2,

    Suggest you start by Uninstalling Ares - It begs for stuff like this.

    Then, please download this tool: Pocket KillBox

    Finally, attach a fresh HijackThis log. Note that you MUST NOT REBOOT after submitting the log or the bad DLL will mutate.

    PP :)
     
  3. carnold2

    carnold2 Private E-2

    I have uninstalled Ares and downloaded Killbox. I have now posted the new HijackThis log; please look at it and let me know what I need to do.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Carnold2,

    Before starting this fix, you must disable SpybotSD’s Tea Timer as it may interfere with the fix.

    Also, if you have since rebooted, the problem DLL will be different. If this is the case, look at the O20 HJT entry for the new bad DLL entry and substitute it below.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Run Pocket Killbox and select the Delete on Reboot option. Then, Copy and Paste the following into the Box: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    Then, Click Delete (red X) and then Yes or OK until your machine reboots.

    THEN, navigate to C:\WINNT\System32\xkktdg4n9xfu3dg.dll and verify that this is the correct path for the DLL.
    If it is not there, try looking for it here: C:\WINNT\xkktdg4n9xfu3dg.dll

    After you find the correct path, run Pocket Killbox and again choose the Delete on Reboot option. Navigate to xkktdg4n9xfu3dg.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file should be and make sure it is gone.

    Once it is gone, scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=632
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=632
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=632

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\OVDHI9~1.DLL

    O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\4wd6ut0fufmk0vthd.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [dnscleaner] C:\WINNT\dnscleaner.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Global Startup: winlogin.exe

    O15 - Trusted Zone: *.greg-search.com

    O20 - AppInit_DLLs: xkktdg4n9xfu3dg.dll.dll.dll.dll.dll.dll.dll

    O23 - Service: WLTRYSVC - Unknown - C:\WINNT\System32\WLTRYSVC.EXE C:\WINNT\System32\bcmwltry.exe (file missing)
    Again, make sure ALL Browser Windows are CLOSED when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they should somehow remain:

    C:\WINNT\System32\OVDHI9~1.DLL
    C:\WINNT\System32\4wd6ut0fufmk0vthd.exe
    C:\WINNT\System32\tibs3.exe
    C:\WINNT\dnscleaner.exe
    C:\Program Files\Ares ---> The Folder

    NOW:
    Run CWShredder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
  5. carnold2

    carnold2 Private E-2

    Hi, I have run everything that you told me to. The only problem I seemed to have had was that O4 - Global Startup: winlogin.exe was not there when I went to delete everything from the HijackThis list. The problem with Internet Explorer popping up when AOL is on seems to be fixed, but when I open Internet Explorer it still uses here4search as the home page and I can't change it. Also, a box comes up that says: microsoft internet explorer warning windows detected spyware software "scpStelth.cih" ver.2.018. somebody is trying to access you through port 443. your private info is in danger click ok for info on how to remove. I just close out the window. My only other concern would be whether my Norton update will download correctly now, but I'll wait to try. I have attached the latest HijackThis file.
    Thanks Casey
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Casey,

    The infection is back. Did you disable SpyBot's Tea Timer before trying the last fix? It still shows in the HJT log. Please disable it and then run through the steps again for these new entries.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please navigate to C:\WINNT\System32\5yju5h25ph555dll.dll and verify that this is the correct path for the DLL.
    If it is not there, try looking for it here: C:\WINNT\5yju5h25ph555dll.dll

    After you find the correct path, run Pocket Killbox and again choose the Delete on Reboot option. Navigate to 5yju5h25ph555dll.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file should be and make sure it is gone.

    Once it is gone, scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=632
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=632
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=632

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\5626K1~1.DLL

    O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\4wd6ut0fufmk0vthd.exe

    O20 - AppInit_DLLs: 5yju5h25ph555dll.dll.dll.dll.dll
    Again, make sure ALL Browser Windows are CLOSED when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they should somehow remain:

    C:\WINNT\System32\5626K1~1.DLL --> This may be gone
    C:\WINNT\System32\4wd6ut0fufmk0vthd.exe

    NOW:
    Run CWShredder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. Let's see if this did the trick.

    PP :)
     
  7. carnold2

    carnold2 Private E-2

    How do I disable Tea Timer? I thought I had, but I must not have.
     
  8. PhilliePhan

    PhilliePhan Guest

    Open Spybot > Go Advanced Mode > Select Tools > Select Resident and Uncheck Tea Timer.

    This has been known to interfere with some fixes. You can always enable it again when machine is clean, if you so desire.

    PP :)
     
  9. carnold2

    carnold2 Private E-2

    Ok, I've disabled Tea Timer and run everything, but my comp froze and I had to reboot before I did it, so I'm sure it's not fixed, because it is still doing everything I said in my last post plus some new things. First off, my wireless ethernet won't work or register under internet connections. When I reboot I get an error message that says Resource Conflict-PCI Network Controller on Motherboard BUS:02, Device: 04, Funcion: 00. Then once the comp reboots I get a RUNDLL error that says Error loading p2esocks_1014.dll The specific module could not be found. I have once again posted my new HijackThis log. I will try my best not to reboot before you reply, but I don't think this virus likes me trying to get rid of it and weird things are happening. Thank you for your help. Casey
     

    Attached Files:

  10. PhilliePhan

    PhilliePhan Guest

    Hi Casey,

    Well, looks like it is back at full strength. Winlogin is back and you've picked up a Tibs dialer as well! Sad thing is, this shouldn't be so hard to remove!

    Essentially, the fix is the same as the 1st one I posted for you including Winlogin and adding Tibs to the mix. Look at the O20 entry in HJT Log for the problem DLL that needs to be removed.

    I will have to check back tomorrow - Got a lot of work to do tonight, so very little free time for MGs. Hang in there :)

    PP
     
  11. carnold2

    carnold2 Private E-2

    I'm not going to touch the thing until I hear back from you tomorrow and get fresh instructions. If I have to reboot the comp I will send a fresh HijackThis log, but hopefully I won't. I don't want to screw this thing up any more and I want to get it fixed.
     
  12. PhilliePhan

    PhilliePhan Guest

    Sorry - Hate to drag this out, but so many threads and so little free time ;)

    Tomorrow afternoon/evening sometime, post me a fresh HJT and we'll try again!

    PP :)
     
  13. carnold2

    carnold2 Private E-2

    I had to restart my comp so I did a new hijack and here it is.
     

    Attached Files:

  14. PhilliePhan

    PhilliePhan Guest

    Hi Casey,

    Let's try this one more time! Let me know if you have problems with the following steps and removing the pesky DLL.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Run Pocket Killbox and select the Delete on Reboot option. Then, Copy and Paste the following into the Box: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    Then, Click Delete (red X) and then Yes or OK until your machine reboots.

    THEN, navigate to C:\WINNT\System32\kezvpocieyzv8vll.dll and verify that this is the correct path for the DLL.
    If it is not there, try looking for it here: C:\WINNT\kezvpocieyzv8vll.dll

    After you find the correct path, run Pocket Killbox and again choose the Delete on Reboot option. Navigate to kezvpocieyzv8vll.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file should be and make sure it is gone. If it remains, go through above process again until it is removed.

    Once it is gone, scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=632
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=632
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=632

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL

    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
    O4 - Global Startup: winlogin.exe

    O20 - AppInit_DLLs: kezvpocieyzv8vll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    Again, make sure ALL Browser Windows are CLOSED when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they should somehow remain:

    C:\WINNT\System32\tibs3.exe
    C:\WINNT\System32\W8C6S4~1.DLL
    p2esocks_1014.dll --> Use Windows Explorer to find this one

    NOW:
    Run CWShredder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Again, let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
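    The HJT entries PhilliePhan picks out in posts 4 and 14 share a few recognizable traits: IE start and search pages pointing at win-eto.com, an unnamed BHO behind an 8.3 short name, Run keys launching executables with random-looking names, a Global Startup file one letter away from winlogon.exe, a wildcard Trusted Zone entry, and an AppInit_DLLs value with stacked .dll suffixes. The following Python script is an added example (not code from this thread, MajorGeeks, or HijackThis) that parses HJT-style lines and flags those traits. The sample log is constructed from the entries quoted in the posts above plus two benign entries; the hijack-host and known-file lists come from the thread, while the system-name list and the random-name heuristic are assumptions made for the example.

```python
"""Triage HijackThis-style log lines for the indicators discussed in this thread.

Added example with constructed sample data; not a real log from the thread."""
import re
from typing import Dict, List, Optional

# Hosts that the thread's R0/R1 entries point at (taken from the posts above).
HIJACK_HOSTS = {"win-eto.com", "greg-search.com"}
# File names the removal steps in this thread tell the user to delete.
KNOWN_BAD_FILES = {"winlogin.exe", "tibs3.exe", "dnscleaner.exe", "p2esocks_1014.dll"}
# Legitimate Windows process names that malware likes to imitate (assumed list).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
FILE_RE = re.compile(r"([\w~-]+\.(?:exe|dll))", re.IGNORECASE)

# Constructed sample: entries quoted in posts 4 and 14, plus two benign lines
# (a Google start page and an NVIDIA tray entry) so the triage has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\OVDHI9~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\4wd6ut0fufmk0vthd.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: xkktdg4n9xfu3dg.dll.dll.dll.dll.dll.dll.dll
"""


def looks_random(filename: str) -> bool:
    """Heuristic (an assumption, not a rule from the thread) for machine-generated
    names such as 4wd6ut0fufmk0vthd.exe: a long stem that mixes letters and digits
    and switches between the two at least three times."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 12 or not any(c.isdigit() for c in stem) or not any(c.isalpha() for c in stem):
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def imitates_system_name(filename: str) -> Optional[str]:
    """Return the system file name that differs from filename by exactly one
    character (winlogin.exe vs winlogon.exe), or None."""
    low = filename.lower()
    for real in sorted(SYSTEM_NAMES):
        if len(low) == len(real) and sum(a != b for a, b in zip(low, real)) == 1:
            return real
    return None


def triage(log_text: str) -> List[Dict]:
    """Return one record per suspicious line: {'type', 'line', 'reasons'}."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("type"), m.group("body")
        reasons = []
        if kind in ("R0", "R1"):
            host = URL_HOST_RE.search(body)
            if host:
                h = host.group(1).lower()
                h = h[4:] if h.startswith("www.") else h
                if h in HIJACK_HOSTS:
                    reasons.append(f"IE start/search page redirected to hijack host {h}")
        elif kind == "O2" and "(no name)" in body and "~" in body:
            reasons.append("unnamed BHO loaded from an 8.3 short-name path")
        elif kind == "O15":
            reasons.append("site added to the IE Trusted Zone: " + body.split(":", 1)[1].strip())
        elif kind == "O20":
            value = body.split(":", 1)[1].strip()
            if value:
                reasons.append("AppInit_DLLs is set; that DLL is loaded into every process using user32.dll")
                if value.lower().count(".dll") > 1:
                    reasons.append("stacked .dll.dll suffixes, the pattern quoted in this thread")
        # File-name checks apply to every entry type.
        for fname in FILE_RE.findall(body):
            low = fname.lower()
            if low in KNOWN_BAD_FILES:
                reasons.append(f"{fname} is named in the thread's removal steps")
            elif looks_random(low):
                reasons.append(f"{fname} has a machine-generated-looking name")
            real = imitates_system_name(low)
            if real:
                reasons.append(f"{fname} is one character away from system file {real}")
        if reasons:
            flagged.append({"type": kind, "line": line, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["type"], rec["line"])
        for reason in rec["reasons"]:
            print("   ->", reason)
```

    On the constructed sample this flags nine of the eleven lines and leaves the Google start page and the NvCpl entry alone. The random-name heuristic is deliberately conservative (it needs a 12-character stem with several letter/digit switches), so short names like tibs3.exe are caught only through the known-file list, which is why PhilliePhan's advice to read the O20 entry fresh after every reboot still matters: the DLL name changes each time, but its shape does not.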
     
  15. carnold2

    carnold2 Private E-2

    Hey, first off winlogin wasn't in the doc and set file to delete, and then Killbox would not let me delete the kez file, so I give up. I thank you for your time and I'm going to save all my important files and give my comp to someone who knows what they are doing because I know I have no clue.
     
  16. PhilliePhan

    PhilliePhan Guest

    Sorry I couldn't help you with this, Casey. This baddie can be stubborn! It sometimes doesn't go easily, but usually it is removable!

    Winlogin sometimes doesn't show when you look for it, but it is a good idea to enter it in Killbox anyway. You got it the first time you tried to kill the baddie, but it came back.

    The problem DLL IS difficult and may take a few tries - That's why I ask people to verify that it is gone before proceeding.

    Oh, well . . . I wish you the best of luck in exterminating this nasty! :)

    PP
     
