The "http://win-eto.com/hp.htm?id=31403" blues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by purpleoctopusbanana, Nov 11, 2004.

  1. purpleoctopusbanana

    purpleoctopusbanana Private E-2

    Hello, first of all sorry about this, I'm new to all this detecting-spyware malarkey!

    OK, my problem is that my homepage keeps resetting itself to "http://win-eto.com/hp.htm?id=31403", which is really very annoying; also, some webpages I visit don't have the right functionality. I've downloaded HijackThis and I've got a log file thingy if anyone fancies helping me out.

    I've got another problem too, not sure if it's related: I can't run .exe files from my desktop.


    Hope someone can help,



    Dave
     
  2. jarcher

    jarcher I can't handle a title

    Welcome to MG, Dave.

    Why would you want to? It would be better to put the program in a folder of that name in Program Files and create a shortcut on the desktop if need be.

    First off, start with the sticky:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal: http://forums.majorgeeks.com/showthread.php?t=35407

    Then, if you need to run HJT:
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting: http://forums.majorgeeks.com/showthread.php?t=38752


    Make sure you do not skip anything. If something is not letting you do something, let us know;
    tell us what you did and how it went.
     
  3. purpleoctopusbanana

    purpleoctopusbanana Private E-2

    Hello,

    I did everything it says to on the sticky threads.

    Trend Micro found a couple of trojans: ISTBAR.FZ and SECDROP.T. A couple of the other apps found them too. I couldn't get the Symantec scan site to work.

    So I've attached my log, still with the win-eto start page thing on it.

    If anyone could give me a hand please,

    thanks a lot,

    Dave
     

  4. PhilliePhan

    PhilliePhan Guest

    Hi Dave,

    Please move HijackThis to its own safe folder - C:\Program Files\HijackThis - You must do this before we can proceed.

    Look in Add or Remove Programs for 180 Solutions and Uninstall it. While there, look for other suspicious entries.

    Then use Windows Explorer to find this DLL: pm4kcgmiombw9.dll and give me its full path.

    You should find it either here - C:\WINDOWS\System32\pm4kcgmiombw9.dll

    or here - C:\WINDOWS\pm4kcgmiombw9.dll

    Do the above and attach a fresh HJT log and we'll go from there ;) Please make sure all browser windows and system tray items are closed when you scan. I'll check back when I get a chance.

    Best,
    PP
     
  5. purpleoctopusbanana

    purpleoctopusbanana Private E-2

    OK, got rid of the 180 Solutions thing (also got rid of something called Bullseye Networks, which looked pretty dodgy).

    The pm4kcgmiombw9.dll file is in the system32 folder,

    and I have attached a new log.


    Cheers for the help,


    Dave
     

  6. PhilliePhan

    PhilliePhan Guest

    Hi Dave,

    Good catch on the BullsEye Network - That needed to go!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the Tutorial.

    NOW:
    Open HijackThis and look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\Windows\System32\pm4kcgmiombw9.dll and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot.

    You may receive an error message after rebooting that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    Scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/greg/sp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/greg/sp.php

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/greg/hp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/greg/sp.php

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\WEWD47~1.DLL

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

    O20 - AppInit_DLLs: pm4kcgmiombw9.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now, boot into Safe Mode and Navigate to and DELETE the following (if they Remain):

    c:\program files\180solutions <---- The folder
    C:\WINDOWS\System32\WEWD47~1.DLL
    C:\Windows\System32\pm4kcgmiombw9.dll

    Now, Run SpybotSD and CCleaner again and have SpybotSD Fix what it finds.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and tell me how things are working now. I'll check back when I get a chance.

    Best luck :)
    PP
     
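    The R0/R1, O2 and O20 entries PP lists above are all plain registry values, so the same checks can be scripted. The PowerShell below is an added example, not part of the original thread and not part of HijackThis: it reads the Internet Explorer start/search values, lists every registered Browser Helper Object with the DLL it loads, and reports any non-empty AppInit_DLLs value, which is the mechanism that got pm4kcgmiombw9.dll injected into every process. The $trustedHosts list is an assumption you should edit for your own setup. The script only reports; it deletes nothing.

```powershell
# Added example (not from the thread): read-only audit of the registry locations
# behind HijackThis R0/R1 (IE start/search), O2 (BHO) and O20 (AppInit_DLLs) entries.
# Run in an elevated PowerShell on the affected machine.

# Hosts you consider legitimate for your own start/search pages (assumption; edit).
$trustedHosts = @('www.google.com', 'google.com', 'www.msn.com')

function Get-RegValueSafe {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch { return $null }          # key or value absent
}

function Test-TrustedUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url) -or $Url -eq 'about:blank') { return $true }
    try { return ($trustedHosts -contains ([uri]$Url).Host) } catch { return $false }
}

# R0/R1: per-user and machine-wide IE start page and search settings.
$ieChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'Start Page' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'Search Page' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'Search Bar' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer';        Name = 'SearchURL' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Search'; Name = 'SearchAssistant' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main';   Name = 'Start Page' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main';   Name = 'Search Page' }
)
foreach ($c in $ieChecks) {
    $v = Get-RegValueSafe -Path $c.Path -Name $c.Name
    if ($null -ne $v -and -not (Test-TrustedUrl $v)) {
        Write-Output ('SUSPECT IE setting: {0}\{1} = {2}' -f $c.Path, $c.Name, $v)
    }
}

# O2: every CLSID under this key is loaded into each Internet Explorer process.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $name   = Get-RegValueSafe -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -Name '(default)'
        $server = Get-RegValueSafe -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -Name '(default)'
        $exists = $false
        if ($server) {
            $dll = [Environment]::ExpandEnvironmentVariables($server)
            if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:SystemRoot\System32" $dll }
            $exists = Test-Path -LiteralPath $dll
        }
        # A BHO with no name and a DLL in System32 with a random name is the pattern to look at.
        Write-Output ("BHO {0} name='{1}' dll='{2}' present={3}" -f $clsid, $name, $server, $exists)
    }
}

# O20: DLLs listed here are loaded into every process that links user32.dll,
# which is why a hijacker's DLL survives a browser restart. Normally empty.
$appInit = Get-RegValueSafe -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -Name 'AppInit_DLLs'
if (-not [string]::IsNullOrWhiteSpace($appInit)) {
    Write-Output "SUSPECT AppInit_DLLs = $appInit"
    foreach ($entry in ($appInit -split '[ ,]' | Where-Object { $_ })) {   # space or comma separated
        $full = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path "$env:SystemRoot\System32" $full }
        if (Test-Path -LiteralPath $full) {
            $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            Write-Output ('  {0} -> {1} sha256={2}' -f $entry, $full, $hash)
        } else {
            Write-Output ('  {0} -> not found on disk' -f $entry)
        }
    }
}
```

    On 64-bit Windows, 32-bit BHOs also register under HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, so run the O2 loop over that key as well. The SHA-256 of an AppInit DLL is worth recording before you delete the file, so you can identify it later.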
  7. purpleoctopusbanana

    purpleoctopusbanana Private E-2

    Hello again PP,

    Did all that; the DLLs and the 180solutions folder were cleaned out by HJT. SpyBot caught a couple of things, DSO Exploit and CoolWWWSearch.control, so I let it clean them up.

    When I rebooted back to Normal Mode I checked the home page and it was about:blank, better than win-eto or super-spider! I changed it to the old faithful Google!

    At the moment it seems to be ok, I haven't done any serious browsing yet though.

    I've attached the log again for you to look at, if you see anything else just let me know.

    Thanks again mate!



    Dave
     

  8. PhilliePhan

    PhilliePhan Guest

    Hi Dave,

    Your HJT log looks good! Glad we could help :)

    I'll wait for you to take your machine for a spin to make sure everything is working as it should before declaring Victory.

    The DSO Exploit in Spybot is a bug - There is a remedy for it available in the Spyware Tools section.

    You should take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    I definitely recommend that you use the following tools:
    Ad-Aware SE Personal

    SpyBot-Search & Destroy - Remember to use the "Immunize" feature

    SpywareBlaster


    These are all FREE! Just remember to Internet Update them regularly! They, along with a good Anti-Virus and Firewall and keeping your Windows up-to-date, will do wonders in helping to keep Malware off your computer!

    Best :)
    PP
     
  9. jgm

    jgm Private E-2

    I just got rid of that win-eto tonight. I let it run in my system while I watched certain folders and the Task Manager to see how it worked. Had I known I was going to write this, I would have taken the time to write down all the file names, but I have partials. First, look for the following .exe files: they begin with tu88, l4t, zona02 and iinstall (that's not a typo: "iinstall.exe"). They hide in the windows, windows\system and windows\temp folders. When it runs, a .tmp file with a random number for a file name is created in the windows\temp folder. You can't delete it because it is in use. When you clear the other things, the file can be deleted. Check your msconfig startup for romahere3 at or near the first line. Also, check the system registry (regedit) at these locations and delete the entry with these files:
    hkey_current_user\software\microsoft\windows\current version\run
    hkey_users\software\microsoft\windows\current version\run
    local_machine\software\microsoft\windows\current version\run
     
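jgm's checklist (Run keys in three hives plus a few partially named executables in the Windows folders) can be done in one read-only pass. The PowerShell below is an added example, not part of jgm's post: it walks the Run and RunOnce keys under HKLM, HKCU and every loaded user hive under HKEY_USERS (the key name is CurrentVersion, one word, and under HKEY_USERS it sits beneath each user's SID), resolves each autostart command to a file and hashes it, then lists files in the folders jgm names whose names start with the partial names given. Treating those partial names as file-name prefixes, and the prefix list itself, are assumptions.

```powershell
# Added example (not from the thread): read-only sweep of Run/RunOnce autostarts in
# every hive, plus a search for the partially named executables from the post above.
# Run in an elevated PowerShell so the other users' hives are readable.

# Partial names from the post, treated as prefixes (assumption).
$suspectPrefixes = @('tu88', 'l4t', 'zona02', 'iinstall', 'romahere3')
$providerProps   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    # HKCU is one of the HKU hives; it is listed separately so the output is easy to read.
    $userHives = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }
    foreach ($hive in (@('HKLM:', 'HKCU:') + $userHives)) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

function Resolve-CommandPath {
    # Turn a Run value such as  "C:\x\y.exe" /q  or  iinstall.exe  into a full file path, or $null.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $c.Substring(1, $end - 1) } else { $c.Trim('"') }
    } else {
        $exe = ($c -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ([string]::IsNullOrWhiteSpace($exe)) { return $null }
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return (Resolve-Path -LiteralPath $exe).Path }
    $found = Get-Command $exe -ErrorAction SilentlyContinue   # bare name: resolve via PATH/App Paths
    if ($found) { return $found.Source }
    return $null
}

foreach ($e in Get-AutostartEntries) {
    $path = Resolve-CommandPath $e.Command
    $base = if ($path) { [IO.Path]::GetFileName($path) } else { $e.Command }
    $hit  = $suspectPrefixes | Where-Object { $base -like "$_*" -or $e.Name -like "$_*" }
    $tag  = if ($hit) { 'SUSPECT' } elseif (-not $path) { 'MISSING' } else { 'ok' }
    $hash = if ($path) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '-' }
    Write-Output ('{0,-7} {1}\{2} = {3}' -f $tag, $e.Key, $e.Name, $e.Command)
    Write-Output ('        file={0} sha256={1}' -f $path, $hash)
}

# The folders the post names, plus the current user's temp folder.
$searchDirs = @($env:SystemRoot, "$env:SystemRoot\System", "$env:SystemRoot\System32",
                "$env:SystemRoot\Temp", $env:TEMP) | Where-Object { Test-Path $_ }
foreach ($dir in $searchDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.Name; ($suspectPrefixes | Where-Object { $n -like "$_*" }) } |
        ForEach-Object {
            Write-Output ('FILE {0} {1} bytes modified {2}' -f $_.FullName, $_.Length, $_.LastWriteTime)
        }
}
```

A MISSING entry (a Run value whose file no longer exists) is harmless but worth cleaning up; a SUSPECT entry should be looked at before anything is deleted, and the hash lets you identify the file afterwards. The locked .tmp jgm mentions will show up in the folder listing but cannot be removed until the process holding it is stopped, which is why he clears the other items first.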