HIJACKED by SWAPX

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dcross, Nov 23, 2004.

  1. dcross

    dcross Private E-2

    Hi,

    This thing is very frustrating. SWAPX has taken over. I have followed the complete instructions, but still having the problem. Re: HJT, I cannot get it into its own folder. I create a folder, but somehow, it always goes to a temp folder.

    Please help.

    Darren
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you downloaded HJT from Majorgeeks, it is in a compressed ZIP file. You need to extract it from the ZIP file using a utility like WinZip. Extract it to a directory like we indicated. If you have run ALL steps of the READ ME FIRST, then shut down all applications and post your HJT log as an attachment. Make sure you have HJT version 1.98.2.
     
  3. dcross

    dcross Private E-2

    Thanks for the help. Looking forward to the response.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next time please remember to exit your browser before running HJT. You had the below running:
    C:\Program Files\Internet Explorer\iexplore.exe

    What is your expected home page?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not run the READ ME FIRST tutorial yet. Why not? You stated you followed the complete instructions.

    If you had followed the tutorial, I believe some of your problems would have been fixed.

    Please run ALL steps from: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you run CWShredder and the online scans. Do not skip anything.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
    O20 - AppInit_DLLs: r5kmzg136n121edll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\W8C6S4~1.DLL
    C:\WINDOWS\System32\r5kmzg136n121edll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Nov 24, 2004
  6. dcross

    dcross Private E-2

    Sorry... I thought I went through all of the steps. I am not sure what I missed. I still have the online scans to do, but since the instructions call for me to run HJT first, I am posting the log.

    My desired startpage= www.nprealtygroup.com

    Thanks for your help. I will get back to you after the online scans.

    Darren
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First make sure System Restore is disabled and the viewing of Hidden Files is enabled as per the tutorial.

    Please download this tool: Pocket KillBox http://www.downloads.subratam.org/KillBox.zip

    Please print out or save these instructions locally because you must perform the below steps with ALL Browser sessions CLOSED.

    First use Windows Explorer and navigate to C:\WINDOWS\System32\w8c6s4xcm66o9zdll.dll and verify that this is the correct path for the DLL.
    Also look for r5kmzg136n121edll.dll
    If those two DLLs are not in the system32 folder, try looking for them in C:\WINDOWS

    After you find the correct path, run Pocket Killbox and choose the Delete on Reboot option. Navigate to w8c6s4xcm66o9zdll.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file should be and make sure it is gone.
    Now repeat using Pocket Killbox to delete r5kmzg136n121edll.dll (which I assume is in C:\WINDOWS\System32)


    After both files are deleted, scan with HijackThis and Check the Boxes for the following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
    O20 - AppInit_DLLs: r5kmzg136n121edll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

    Again, make sure All Browser Windows are Closed before you Click FIX.


    Now boot into Safe Mode and DELETE the following if they show up again:
    C:\WINDOWS\System32\w8c6s4xcm66o9zdll.dll
    C:\WINDOWS\System32\r5kmzg136n121edll.dll

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to http://www.nprealtygroup.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Now skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to http://www.nprealtygroup.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Reboot to Normal Windows and Scan with HJT and attach that log.
     
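A defender-side check for the kinds of HijackThis entries chaslang singled out above: R0/R1 pages pointing somewhere other than the expected home page, a BHO with no name hiding behind an 8.3 short path, and an AppInit_DLLs value padded with repeated ".dll" suffixes. This is an added example, not code from the thread or from HijackThis; the sample log lines are constructed from the entries quoted in the thread plus one benign placeholder entry, and the expected home page is the one Darren gave.

```python
import re
from urllib.parse import urlparse

# Home page the user said they expect; any other host in an R0/R1 entry is a hijack.
EXPECTED_HOSTS = {"www.nprealtygroup.com", "nprealtygroup.com"}

# Constructed sample: entries quoted in the thread plus a benign placeholder BHO.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O20 - AppInit_DLLs: r5kmzg136n121edll.dll.dll.dll.dll.dll.dll.dll.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nprealtygroup.com
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll
"""


def check_entry(line: str) -> list:
    """Return the reasons one HJT-style entry looks suspicious (empty list if none)."""
    reasons = []
    kind = line.split(" - ", 1)[0].strip()
    if kind in ("R0", "R1") and " = " in line:
        url = line.split(" = ", 1)[1].strip()
        host = urlparse(url if "://" in url else "http://" + url).hostname or ""
        if host not in EXPECTED_HOSTS:
            reasons.append(f"start/search page points at unexpected host {host!r}")
    elif kind == "O2":
        if "(no name)" in line:
            reasons.append("BHO registered without a name")
        if re.search(r"~\d+\.DLL$", line, re.IGNORECASE):
            reasons.append("BHO path uses an 8.3 short name, hiding the real file name")
    elif kind == "O20" and "AppInit_DLLs:" in line:
        value = line.split("AppInit_DLLs:", 1)[1].strip()
        if value:
            reasons.append("AppInit_DLLs is set; it is loaded into every process that loads user32.dll")
        if re.search(r"(?:\.dll){3,}$", value, re.IGNORECASE):
            reasons.append("file name padded with repeated '.dll' suffixes")
    return reasons


def scan_log(text: str) -> dict:
    """Map each suspicious log line to its list of reasons; clean lines are omitted."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and (reasons := check_entry(line)):
            findings[line] = reasons
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the four entries chaslang told Darren to fix and leaves the restored start page and the placeholder BHO alone.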
  8. dcross

    dcross Private E-2

    It worked!

    Thanks for all your time.

    Darren
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. But it may be a good idea to post a final HJT log just to double check.
     