"http://win-eto.com/hp.htm?id=31403" Take Two

Discussion in 'Malware Help (A Specialist Will Reply)' started by protoman7, Dec 6, 2004.

  1. protoman7

    protoman7 Private E-2

    Re: The "http://win-eto.com/hp.htm?id=31403" blues

    Hello everyone--

    I just joined up after finding out about this site and reading the threads on this win-eto.com browser virus. I must first say that this site is fantastic and you guys are all very cool. However, I fear that I too am a victim of this virus and everything I have done so far hasn't gotten rid of it.

    I have read all the previous posts and what you have instructed Dave to do. I have done everything that you have told him to do except mess with the Hijack This program. It is fully installed and ready to go, but your help file said to wait for you guys to ask for the Hijack This file.

    I'm pretty sure all I need now is just your feedback on what is wrong with my Hijack This file. But just in case, I'll wait to see what you have to say first.

    I most definitely would appreciate any help you could lend. Having this on my computer is driving me nuts.

    Thank you,

    Brian
     
    Last edited by a moderator: Dec 6, 2004
  2. PhilliePhan

    PhilliePhan Guest

    Hi Brian,

    I gave you your own thread.

    If you have exhausted the Tutorial options, then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I'll try to check back when I get a chance.

    Best :)
    PP
     
  3. protoman7

    protoman7 Private E-2

    I would have to say that after following all of the guidelines and suggested downloads in the tutorial that my computer is probably cleaner and safer than it has ever been.

    Well, except for this browser-redirecting bug.

    I ran Hijack This and my log file is attached. I read what to do and what certain things mean in the log file from the tutorial, but when it comes to messing with registry inputs, I am still a little nervous. And I am almost positive that there are still a few other bugs in there along with the win-eto.com problem.

    Thank you for replying so quickly PP, I await your further instructions.

    --Brian
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Brian,

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please run HijackThis and Check the Boxes for the Following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=32856

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=32856

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=32856

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=32856

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=32856

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=32856

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\3X12SG~1.DLL

    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe

    O20 - AppInit_DLLs: 52xnodzphfyxbsll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\System32\52xnodzphfyxbsll.dll and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they somehow should remain:

    C:\WINDOWS\System32\52xnodzphfyxbsll.dll
    C:\WINDOWS\System32\3X12SG~1.DLL

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Rescan with HJT and Attach that log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
  5. protoman7

    protoman7 Private E-2

    Alright PP, I followed your directions and everything ran smoothly.

    However, now when I go in Internet Options my browser homepage is still set as www.win-eto.com and still won't go away even if I set it to about:blank.

    But when I open internet explorer it actually brings me to this website:
    http://kita-search.com/enter.htm?id=9

    The only thing I have a question about is when you told me to manually delete the C:\WINDOWS\System32\3x12SG~1.dll I found a file that began with the 3x12SG but had about 7-8 other letters attached to it. I did not delete that file, even though I wanted to. ;)

    I really don't know what went wrong...unless my computer is more seriously damaged than I suspected.

    I'm attaching the post-clean Hijack This log. I'm hoping it is just some minor error I made.

    --Brian
     

    Attached Files:

  6. protoman7

    protoman7 Private E-2

    I almost forgot:

    Internet Explorer also randomly brings me to this site in addition to the other one I mentioned. http://t.swapx.cc/h.php?aid=20009

    And the file that I was talking about that I did not delete was:
    3x12sgiprmg9.dll

    And another file that just seemed to appear in the System32 after completing your instructions is this file:

    2roz4x1nuxyxbsll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    Which looks mysteriously like the last one that you had Hijack This get rid of.

    I hope that helps diagnosis...

    --Brian
     
  7. PhilliePhan

    PhilliePhan Guest

    Hi Brian,

    Looks like we've got more issues to deal with!
    The DLLs you mentioned needed to be deleted. The one for the BHO should have been deleted by HJT - no biggie, though.

    Winlogin has made an appearance and we need to delete that as well.

    Please go ahead and download the following tool:

    Pocket KillBox

    I will post instructions for you in an hour or so.

    Hang in there,

    PP :)
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Brian,

    Let’s try this again.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Run Pocket Killbox and select the Delete on Reboot option. Then, Copy and Paste the following into the Box: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    Then, Click Delete (red X) and then Yes or OK until your machine reboots.

    THEN, navigate to C:\WINDOWS\System32\2roz4x1nuxyxbsll.dll and verify that this is the correct path for the DLL.
    If it is not there, try looking for it here: C:\WINDOWS\2roz4x1nuxyxbsll.dll

    After you find the correct path, run Pocket Killbox and again choose the Delete on Reboot option. Navigate to 2roz4x1nuxyxbsll.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file should be and make sure it is gone.

    Once it is gone, scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\3X12SG~1.DLL

    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\tfcsefre5wrthd.exe

    O4 - Global Startup: winlogin.exe

    O20 - AppInit_DLLs: 2roz4x1nuxyxbsll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode with the Viewing of Hidden Files Enabled and DELETE the following if it remains:

    C:\WINDOWS\System32\tfcsefre5wrthd.exe
    C:\WINDOWS\System32\3X12SG~1.DLL ---> There will be additional #s.

    NOW:
    Run CWShredder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP

    ALSO: After you get cleaned up, you ought to swing by Windows Updates and get Updated.

    PLUS: I always wonder what tags along when you download Party Poker – Could be nothing at all. Still, I wonder. . . .
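The two instruction posts above work from HijackThis log lines: R0/R1 entries for Internet Explorer start and search pages, an O2 BHO with no name and an 8.3 short path (the `3X12SG~1.DLL` form, which is why the file on disk turned out to have a longer name), an O16 DPF object fetched over `ms-its:`/`mhtml:`, an O20 AppInit_DLLs value shown with a repeated `.dll` tail, and O4 autorun entries including a `winlogin.exe` that imitates `winlogon.exe`. The script below is an added example, written for this edit and not code from the thread or from MajorGeeks: it parses such log lines and flags the same kinds of entries the helpers picked out. The sample log is constructed from the entries quoted in this thread plus one benign line; the allowed-host list, the system-binary list and the "random-looking name" heuristic are assumptions you would tune for your own environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample log: HijackThis-style lines modelled on the entries quoted
# in this thread, plus one benign Start Page line that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=32856
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\3X12SG~1.DLL
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O20 - AppInit_DLLs: 52xnodzphfyxbsll.dll.dll.dll.dll.dll.dll.
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\tfcsefre5wrthd.exe
O4 - Global Startup: winlogin.exe
"""

# Assumption: hosts a home or search page may legitimately point at. Extend for your environment.
ALLOWED_IE_HOSTS = {"", "localhost", "www.microsoft.com", "www.msn.com", "www.google.com"}
# Assumption: well-known Windows process names that malware imitates with a one-letter change.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "services.exe"}

LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # HJT section: R0/R1/O2/O4/O16/O20
    reason: str
    line: str


def appinit_candidate(value: str) -> str:
    """Collapse the repeated '.dll.dll...' tail HJT shows for AppInit_DLLs into one filename."""
    name = value.strip().rstrip(".")
    return re.sub(r"(\.dll)+$", ".dll", name, flags=re.IGNORECASE)


def edit_distance_le1(a: str, b: str) -> bool:
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike(basename: str) -> Optional[str]:
    """Return the system binary this name imitates (e.g. winlogin.exe -> winlogon.exe), else None."""
    name = basename.lower()
    for real in SYSTEM_BINARIES:
        if name != real and edit_distance_le1(name, real):
            return real
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk HJT-style lines and return the entries a malware helper would want to review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()

        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            value = value.strip()
            if key.endswith(",ProxyOverride") and "://" in value:
                # ProxyOverride normally lists hosts, not a URL with a scheme.
                findings.append(Finding(section, "ProxyOverride holds a URL instead of a host list", line))
            elif "://" in value:
                host = urlsplit(value).hostname or ""
                if host not in ALLOWED_IE_HOSTS:
                    findings.append(Finding(section, f"IE setting points at unexpected host {host}", line))

        elif section == "O2":
            # Unnamed BHOs and 8.3 short paths (the '~1' form) deserve a look.
            if "(no name)" in body or "~" in body:
                findings.append(Finding(section, "unnamed BHO or 8.3 short-name path", line))

        elif section == "O16":
            url = body.split(" - ", 1)[-1].lower()
            if url.startswith(("ms-its:", "mhtml:")) or ".chm" in url or url.endswith(".exe"):
                findings.append(Finding(section, "DPF object uses ms-its/mhtml or carries CHM/EXE", line))

        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            candidate = appinit_candidate(body.split(":", 1)[1])
            if candidate:
                findings.append(Finding(section, f"AppInit_DLLs loads {candidate} into every GUI process", line))

        elif section == "O4":
            target = body
            for sep in (": ", "] "):          # strip 'HKLM\..\Run: [name] ' or 'Global Startup: '
                if sep in target:
                    target = target.split(sep, 1)[1]
            exe = re.search(r"[^\\/]+?\.exe", target, re.I)
            basename = exe.group(0) if exe else re.split(r"[\\/]", target.strip())[-1]
            real = lookalike(basename)
            if real:
                findings.append(Finding(section, f"{basename} looks like a misspelling of {real}", line))
            elif re.search(r"\d", basename) and re.search(r"[a-z]{4,}", basename, re.I):
                # Heuristic (assumption): letters mixed with digits, as in tfcsefre5wrthd.exe.
                findings.append(Finding(section, f"autorun entry with random-looking name {basename}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Nothing here deletes or changes anything; the output is a review list, and each flagged line still needs the judgement the helpers apply in the thread, since a vendor toolbar BHO or a corporate start page will trip the same rules.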
     
  9. brown_matthew

    brown_matthew Private E-2

    I too am having a problem with this http://win-eto.com/hp.htm?id=0 thing. Can you guys help me? Here is the HijackThis log file. I would be very grateful if anyone can help me. Thank you.

    Edit by chaslang: Unrequested inline log removed.
     
    Last edited by a moderator: Jun 15, 2005
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Please read the announcements and follow the steps in the sticky threads. This is not your thread. Please start your own thread after following the steps in the READ ME FIRST sticky. Do not post HijackThis logs unless requested, and then they must be attachments.
     
