can't get rid of t.swapx

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Karen, Nov 21, 2004.

  1. Karen

    Karen Private E-2

    Hi!
    I've been reading this forum for several days and following all the instructions for removing trojans and no matter what I do I can't get rid of this t.swapx thing that has taken over my browser.
    I've scanned and fixed with Norton Antivirus, CWShredder, Spybot, Adaware, Kill2me, Stinger and Hijack this.
    I keep finding CoolWebSearch and removing it. I got rid of Microsoft Java. I tried to download Sun Java but it wouldn't install, so I am Java-less for now.
    I wasn't able to use any of the online scanning tools and I can't connect to the internet in safe mode.
    I used killbox to get rid of my winlogin.exe file. I've fixed and cleaned and deleted everything that looks suspicious and rebooted countless times and now I'm out of ideas.
    Can I send a log for you to take a look? And since I am reinfected, do I need to do all that scanning and fixing first, or can I just give you my current state?
    Thanks for your time!
    Karen
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Karen,

    Please go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll try to check back when I get a chance.

    Best,
    PP
     
  3. Karen

    Karen Private E-2

    Here it is- thanks!
    Karen
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Karen,

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and END it (if found):

    c3d1kdj31f50kthd.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\5626K1~1.DLL

    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\c3d1kdj31f50kthd.exe

    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab

    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    O20 - AppInit_DLLs: ufxz9rnu6fte.dll.dll.dll


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\System32\ufxz9rnu6fte.dll and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINDOWS\System32\c3d1kdj31f50kthd.exe
    C:\WINDOWS\System32\5626K1~1.DLL
    C:\WINDOWS\System32\ufxz9rnu6fte.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
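
    The steps above are a by-eye triage of one HijackThis log. As an added example (not code from this thread, from HijackThis or from MajorGeeks), here is a small Python script that reads HijackThis-format lines and flags the traits that made the entries above stand out: a home page pointing at a site outside an allowlist, a BHO with no display name, Run and AppInit_DLLs entries whose file names alternate between letters and digits the way c3d1kdj31f50kthd and ufxz9rnu6fte do, stacked extensions like .dll.dll.dll, and an ActiveX (O16) download served from a bare IP address. The allowlist, the "flips" heuristic and the embedded sample log are assumptions constructed for this example; the sample reuses the entries quoted in this thread plus the legitimate Rosary Reminder entry so the benign case is visible too.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Assumption of this example: home pages this particular user treats as legitimate.
TRUSTED_HOMEPAGES = {"about:blank", "http://www.google.com/"}

ENTRY_RE = re.compile(r"^\s*(?P<kind>[RO]\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: the entries quoted in the thread plus one known-good Run entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\5626K1~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\c3d1kdj31f50kthd.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O20 - AppInit_DLLs: ufxz9rnu6fte.dll.dll.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry deserves a closer look
    line: str    # the raw log line


def file_name(path: str) -> str:
    """Last component of a Windows path (or the text itself if there is no path)."""
    return path.strip().split("\\")[-1]


def looks_generated(filename: str) -> bool:
    """Heuristic (an assumption of this example): a stem that flips between letters
    and digits three or more times looks machine-generated; vendor names such as
    'reminder' or 'explorer' never do."""
    stem = filename.split(".")[0]
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return flips >= 3


def stacked_extensions(filename: str) -> bool:
    """True for names like foo.dll.dll.dll, i.e. more than one trailing extension."""
    return len(filename.split(".")) > 2


def classify(kind: str, body: str, line: str) -> List[Finding]:
    out: List[Finding] = []

    def flag(reason: str) -> None:
        out.append(Finding(kind, reason, line))

    if kind in ("R0", "R1"):
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        if url and url not in TRUSTED_HOMEPAGES:
            flag("home/search page points at a site not on the allowlist")
    elif kind == "O2":
        if "(no name)" in body:
            flag("BHO registered without a display name")
        if looks_generated(file_name(body)):
            flag("BHO file name looks machine-generated")
    elif kind == "O4":
        target = body.split("]", 1)[1] if "]" in body else body
        if looks_generated(file_name(target)):
            flag("Run entry launches a file with a machine-generated name")
    elif kind == "O16":
        m = URL_RE.search(body)
        if m is None:
            flag("ActiveX object with no recorded download URL")
        elif IPV4_HOST_RE.match(urlparse(m.group()).hostname or ""):
            flag("ActiveX object downloaded from a bare IP address")
    elif kind == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            flag("AppInit_DLLs set: the DLL is loaded into every process that uses user32.dll")
            name = file_name(value)
            if stacked_extensions(name):
                flag("AppInit_DLLs file has stacked extensions")
            if looks_generated(name):
                flag("AppInit_DLLs file name looks machine-generated")
    return out


def scan_hjt_log(text: str) -> List[Finding]:
    """Parse every HijackThis entry line in `text` and return the flagged ones."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            findings.extend(classify(m.group("kind"), m.group("body"), raw.strip()))
    return findings


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run over the sample, the script flags nine things across the five malicious lines and nothing for the Rosary Reminder entry. The point is the shape of the check, not the specific names: persistence mechanisms (Run keys, AppInit_DLLs, BHOs, ActiveX downloads) are where a log reader's attention goes first, and odd file names, stacked extensions and IP-address hosts are the cheap tells that separate them from vendor entries.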
     
  5. Karen

    Karen Private E-2

    I did all those things and had no problems. When I was marking files for deletion in the windows\system32 folder I found many dll files (and .dll.dll.dll files) from Melcosoft so I deleted all of them as well.
    I also found some files that said they were created the same day this problem started but I wasn't sure if it was safe to get rid of them. They are mcc.exe, d2kpax.exe, and winproc32. Do I need those?
    Spybot found CoolWWWSearch (as always) and I fixed that.
    When I rebooted I got a spybot warning saying my home page was changed from win.eto to about:blank. I accepted that change and here I am. I don't know if it's gone or not.
    Karen
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Karen,

    Your HJT log looks OK.
    You can set your homepage to whatever you want.
    Melcosoft struck me as a bit iffy when I first saw it a while ago. I don't remember specifics - Probably OK to remove.

    mcc.exe is a Trojan. I suspect the same of d2kpax.exe.

    winproc32 is a CWS variant. You should Delete them all.

    Maybe another spin with CWShredder is in order?

    As I mentioned, your log looks OK. Naturally, I assumed this was legitimate:
    O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe

    You should take a look at Chaslang's suggestions Here: How to Protect yourself from malware!

    I'm calling it an evening, but if you have more questions, post back and I'll check in tomorrow.

    Best :)
    PP
     
  7. Karen

    Karen Private E-2

    What a relief!
    Melcosoft is for sure the source of all of this evil- nearly everything I've been fixing and deleting is from them. At one point I even did a search and deleted all the files that came up. I guess you just have to get to the killer file that keeps bringing back all the others.

    I hope it's really gone this time. I'm afraid to restart my computer now.

    Yes, my little rosary program is safe. Maybe I should have used it more :)

    I can tell you how I got this thing- I know the exact moment it happened. I'm sharing this just to help others...
    I heard a story on the radio about a certain actress who accidentally exposed her breast at a party and the DJ was talking about pictures he had seen online and what a peculiar looking breast it was. I was curious so I went online when I got home to look. I ended up (quite by accident) at a horrible porn site that spewed popups, added a bunch of X-rated sites to my bookmarks and infected me with all this crap.

    If I had known better I would have just restored my system to the previous day... maybe that would have fixed it.



    Anyway, DO NOT, under any circumstances, ever click on any of the sites that come up when you put in a Google search for 'Tara Reid's breast'.



    And stop laughing!!

    thanks for all your help,
    Karen
     
  8. PhilliePhan

    PhilliePhan Guest

    I'm sorry . . . . I can't stop laughing!! :D ;)

    We are happy to help! :)

    Best,
    PP
     
