Another Browser Hijacked by Swapx

Re: Browser Hijacked by Swapx

My browser is currently hijacked by swapx and another called novapage. I've run adaware, spybot, and cwshredder to no avail. Attached is a log file created with HijackThis!. It seems my problem is similar to the one that Chase was dealing with. Philliephan--if you're out there, or someone as knowledgeable as you is out there, i could really use some help...

The brower hijack URLs that pop up are the following two:

http://t.swapx.cc/h.php?aid=543&said=ce100
http://novapage.cc/dm/543/?2412

Thanks for any help you might be able to give me...

Dave

 

Hi Dave,

I gave you your own thread - Less confusion that way

Looks like you have a few issues. Please download the following tool: Pocket KillBox



Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial. Also, please turn Spybot's Tea Timer OFF before proceeding as it may interfere with the fix.

FIRST, look in Task Manager for the following running processes and try to end them if found:

6boowoywvybpethd.exe
tibs3.exe

NOW, navigate to D:\WINDOWS\System32\bzx2vrwrsyrey2ll.dll and verify that this is the correct path for the DLL. If it is not there, try looking for it here: D:\WINDOWS\bzx2vrwrsyrey2ll.dll
*** Note that you may not find this DLL if you have since rebooted your machine. If that is the case, you will need to run a fresh HJT scan and target the new 020 entry DLL.

After you find the correct path, run Pocket Killbox and choose the Delete on Reboot option. Navigate to bzx2vrwrsyrey2ll.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

After your machine reboots, navigate to where the file had been and make sure it is gone.

Once it is gone, scan with HijackThis and Check the Boxes for the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - D:\WINDOWS\System32\UZUE3N~1.DLL

O4 - HKLM\..\Run: [Control handler] D:\WINDOWS\System32\6boowoywvybpethd.exe
O4 - HKLM\..\Run: [tibs3] D:\WINDOWS\System32\tibs3.exe

O20 - AppInit_DLLs: bzx2vrwrsyrey2ll.dll.dll.dll.dll.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

Now boot into Safe Mode and DELETE the following if they should remain:

D:\WINDOWS\System32\tibs3.exe
D:\WINDOWS\System32\6boowoywvybpethd.exe

NOW:
Run CWShredder

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions. I will try to check back when time permits.

Best luck
PP