Browser Hijacked by Swapx

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Chase`, Nov 26, 2004.

  1. Chase`

    Chase` Private E-2

    It keeps changing my homepage to http://t.swapx.cc/h.php?aid=20009. I have done everything on this page http://forums.majorgeeks.com/showthread.php?t=35407 without any luck. I wasn't able to scan in safe mode with networking because it wasn't an option when I got to the screen, but I did scan it in normal mode. I have run Hijack This and read over the thread with the tutorial still without any luck. Can someone please help? Here is my Hijack This log. I hope this helps.

    Thanks for your time.
     

    Attached Files:

  2. PhilliePhan

    PhilliePhan Guest

    Hi Chase`,

    Your HijackThis is out of date.

    Please get an up-to-date version (v1.98.2) here: HijackThis 1.98.2

    Send us a fresh log and somebody will take a look when they get a chance. I'll try to check back tonight.

    Best :)
    PP
     
  3. Chase`

    Chase` Private E-2

    Oops! Sorry, I didn't know I had the older version. Here is the new Hijack This log.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Chase`,

    I just gave your log a quick look before heading out the door, but this ought to do the trick.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    First, look in Task Manager (Ctrl-Alt-Del) and End this running process if found:

    U8TTDTI239DN.EXE

    Now, scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS.000\SYSTEM\F1982I~1.DLL

    O4 - HKCU\..\Run: [romahere] C:\WINDOWS.000\SYSTEM\U8TTDTI239DN.EXE

    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/211/webolr/OCX/FlashAX.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they remain:

    C:\WINDOWS.000\SYSTEM\F1982I~1.DLL
    C:\WINDOWS.000\SYSTEM\U8TTDTI239DN.EXE

    Reboot to Normal Windows and Scan with HijackThis and attach that log. I'll try to check back tonight.

    PP :)
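
Added example, not part of the original thread and not HijackThis's own code: a Python parser for the four log entries quoted in the post above. It labels each entry with its HijackThis section and pulls out the local files that the Safe Mode step says to look for. The function names and the injectable `exists` check are assumptions made for this illustration.

```python
import os
import re

# Standard HijackThis section codes for the entries quoted in the post above.
SECTIONS = {
    "R0": "Internet Explorer start/search page",
    "O2": "Browser Helper Object (BHO)",
    "O4": "autostart program (Run key / Startup folder)",
    "O16": "ActiveX control (Downloaded Program Files)",
}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOCAL_PATH = re.compile(r"[A-Za-z]:\\.*$")  # drive-letter path running to end of line
URL = re.compile(r"https?://\S+")

def parse_entry(line):
    """Split one log line into section code, CLSID, local file and URL (None if absent)."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header or other non-entry line
    found = {k: rx.search(m["body"]) for k, rx in
             (("clsid", CLSID), ("path", LOCAL_PATH), ("url", URL))}
    entry = {k: (v.group(0) if v else None) for k, v in found.items()}
    entry["code"] = m["code"]
    entry["section"] = SECTIONS.get(m["code"], "other")
    return entry

def files_referenced(lines):
    """Local files named by the entries: the ones to look for in Safe Mode after the fix."""
    entries = (parse_entry(l) for l in lines)
    return sorted({e["path"].upper() for e in entries if e and e["path"]})

def still_present(lines, exists=os.path.exists):
    """Files from the fixed entries that remain on disk (exists is injectable for testing)."""
    return [p for p in files_referenced(lines) if exists(p)]

# The four entries exactly as quoted in the post above.
LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS.000\SYSTEM\F1982I~1.DLL",
    r"O4 - HKCU\..\Run: [romahere] C:\WINDOWS.000\SYSTEM\U8TTDTI239DN.EXE",
    r"O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/211/webolr/OCX/FlashAX.cab",
]

if __name__ == "__main__":
    for line in LOG:
        e = parse_entry(line)
        print(e["code"], "|", e["section"], "|", e["path"] or e["url"])
    print("remaining on disk:", still_present(LOG))
```

An empty "remaining on disk" list after the fix means the files were already removed along with their registry entries.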
     
  5. Chase`

    Chase` Private E-2

    Thanks a lot! It seems it has worked. I couldn't find and delete this file C:\WINDOWS.000\System\F1982I~1.dll. Here is the log after I did what you told me.

    Again, thanks for your help.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    You're Welcome :)

    Your HJT log looks OK. Are you having any more problems? I'd give you the canned recommendations speech, but it looks like you have already implemented some new anti-malware tools ;)

    PP
     
