SOS. Hijacked by swapx.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by igb11s, Nov 27, 2004.

  1. igb11s

    igb11s Private E-2

    I have a problem with swapx similar to that covered in the exchange between pace and PhilliePhan at http://forums.majorgeeks.com/archive/index.php/t-46870. However, there are what seem to be significant differences. Some of the similarities are: hijacking of IE startpage; Melcosoft and win-eto.com found in Registry; and CoolWWWSearch found by Spybot. Some of the notable differences are: no apparent instance of 76rridkml69.dll in \Windows\System32 or elsewhere (but Norton Antivirus shows that \Windows\System32\9z4zfe1yi4y3c.dll is "at risk" by SuperSpider. Attempts to delete this file fail), and I don't find any instance of Winlogin in Registry or on C:. Also, SpySubtract flags \Windows\System32\csrss.exe as suspect.

    I have read the "READ ME FIRST..." document found at http://forums/majorgeeks.com/showthread.php?t=35407 and followed the instructions in sections Getting Prepared, and Scanning and Cleaning (except in step 1.(c) I could not get on line while in "safe mode with network support" so I ran Trend Micro Virus Scan and Symantec Security Check in normal mode).

    Results of Trend Micro Virus Scan (in normal mode)
    Found: TROJ SECDROP.T
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\IE5\UHXA98Q9\stop.00009_4(1).exe (non cleanable)
    C:\Windows\stop9_4.exe (non Cleanable)

    Results of Symantec Security Check (in normal mode)
    Not safe from hackers
    Basic information accessible to hackers
    Vulnerable to Trojan attacks
    Low risk of viruses (running virus protection software)
    Virus protection up to date

    Results of Symantec Virus Detection (however, see first paragraph above)
    Safe! Your computer is free of all known viruses and Trojan horses

    Results of McAfee Stinger Scan (in safe mode)
    No reported viruses

    Results of CCleaner (in safe mode)
    Deleted hundreds (thousands?) of files and Index.dat

    Results of Ad-Aware (w/ VX2 plug-in) Scan (in safe mode)
    Total of 37 objects found and quarantined
    1 MRU List (no threat)
    29 CoolWebSearch (high risk)
    8 Browser Hijack Attempt (moderate risk)

    Results of Spybot Scan (safe mode)
    Found and "fixed" 20 problems, mostly in Registry. I haven't checked to see if they have returned.

    CWShredder, Kill2me, about:Buster and HSREmove found nothing.

    Update. After drafting the above, I began to have three new problems. First, when I log on to my ISP I receive a message that IE is infected with Startpage and references the following files: Content.IE5\UHXA98Q9\zona02[1].exe, Content.IE5\YHl1234NTC7ZOI\zona02[1].exe and Content.IE5\UL5DOGMO\zona[2].exe (UHXA9809, UL5DOGMO, etc seem to change each time I start IE). All are in \Documents and Settings\Owner\Local Settings\Temporary Internet Files\. If I click OK a big upload automatically begins. The first time the upload happened was while I was downloading McAfee Stinger. Second, I have also started to get messages that Explorer needs to shut down. When I press OK, the screen blinks off then comes back on. It occurred twice while I was composing this in Notepad. Notepad was not closed and I don't seem to have lost any data. Also, if I use Explorer Search or click on My Computer, I receive a message that the web page is not available. If I press the Back or Work Offline button, everything seems to work normally. Third, contrary to what I said in the first paragraph above, Winlogin.exe and 9z4zfe1yi4y3c.dll now appear in Registry.

    BTW, I am using an old clunker for this correspondence. I don't intend to use IE on the infected machine until I am confident that the virus is eradicated.

    Any recommendations before I try to apply the procedures of the PhilliePhan/pace dialog?

    Glen
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Glen,

    The example you cite is probably not the best one to follow in this case - There are quite a few more recent ones which are more concise. Your problem will probably be different, though - Plus there may be additional Malware on your machine.

    I suggest that, since you have already worked the Tutorial, you should go ahead and send us a fresh HijackThis Log as per the directions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Chaslang or I will take a look when we get a chance - Likely in the evening.

    Best :)

    PP
     
  3. igb11s

    igb11s Private E-2

    The log is attached as NormalBoot. I also have a log created in safe boot and a startup log if you want to see them as well.

    Thanks
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Glen,

    BEFORE you do ANY of this you MUST Extract HijackThis to its own SAFE Folder – C:\Program Files\HijackThis. This is EXTREMELY Important!!

    Once HJT is properly situated:

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Run Pocket Killbox and select the Delete on Reboot option. Then, Copy and Paste the following into the Box: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    Then, Click Delete (red X) and then Yes or OK until your machine reboots.

    THEN, navigate to C:\WINDOWS\System32\9z4zfe1yi4y3c.dll and verify that this is the correct path for the DLL.
    If it is not there, try looking for it here: C:\WINDOWS\9z4zfe1yi4y3c.dll

    After you find the correct path, run Pocket Killbox and again choose the Delete on Reboot option. Navigate to 9z4zfe1yi4y3c.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file should be and make sure it is gone.

    Once it is gone, look for this running process in Task Manager (Ctrl – Alt – Del) and end it if found:

    dyik3sbfmxthd.exe

    THEN, scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\RB1HGF~1.DLL

    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\dyik3sbfmxthd.exe

    O4 - Global Startup: winlogin.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O20 - AppInit_DLLs: 9z4zfe1yi4y3c.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they should remain:

    C:\WINDOWS\System32\dyik3sbfmxthd.exe
    C:\WINDOWS\System32\RB1HGF~1.DLL

    Reboot to Normal Windows and Scan with HijackThis and attach that log. I will check back when I get a chance.

    Best Luck :)
    PP

    *** Also, I would recommend Uninstalling WeatherBug. In addition, AFTER you get cleaned up, swing by Windows Updates and get Updated.
     
  5. igb11s

    igb11s Private E-2

    I found and checked all the items in the HJT log except O4 - Global Startup: winlogin.exe and AppInit_DLLs: 9z4zfe1yi4y3c.dll. However, I did find a new item AppInit_DLLs: 9knxpztovgez.dll. Should I be concerned about it? Will wait for your response before clicking on Fix. Meanwhile, I am communicating with an old Win98 machine. I don't feel safe using IE on the infected PC.
     
  6. PhilliePhan

    PhilliePhan Guest

    You should do the same procedure with KillBox for 9knxpztovgez.dll and fix the entry with HijackThis.
    If there is no winlogin.exe entry, that is good.

    Attach a fresh log & we'll see where you stand. I'll check back when I get some free time.

    PP :)
     
  7. igb11s

    igb11s Private E-2

    OK. Here is a new log, hijackthis1. I uninstalled Weather Bug, but I couldn't find RB1HGF~1.DLL in c:\windows\system32 or elsewhere on the PC.

    Glen
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi Glen,

    Is this something you need and want to keep?
    C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
    It is likely legit - I'm just curious.

    Please run HijackThis and fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL


    Make sure All Browser windows are Closed when you click FIX.

    Reboot, Rescan and attach a fresh log & we'll see if we got it this time. Note that you can reset your homepage, so go ahead and fix all of the R1 items I listed. I also wonder about the aforementioned www.eznsearch.com Do you want to keep this? Again, not worried - Just curious.

    Best :)

    PP
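The fix lists in posts #4 and #8 above are HijackThis entries: R0/R1 lines for Internet Explorer start and search pages, an O2 BHO with no name, O4 autorun items, an O9 orphan and an O20 AppInit_DLLs value. The following Python script is an added example, not part of this thread and not HijackThis code: it parses log lines in that format and applies the same judgement PhilliePhan applies by hand, so a reader can triage a log of this shape offline. The sample log is constructed from entries quoted in the thread; the allowlist of OEM hosts (hp.com, microsoft.com, msn.com), the list of imitated system binaries and the "random-looking name" heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample: HijackThis 1.98-style entries copied from the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\RB1HGF~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\dyik3sbfmxthd.exe
O4 - Global Startup: winlogin.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - AppInit_DLLs: 9z4zfe1yi4y3c.dll
"""

# Assumption: hosts an OEM Presario install may legitimately point IE at.
TRUSTED_HOSTS = ("hp.com", "microsoft.com", "msn.com")
# Assumption: system binaries that hijackers imitate with one-letter changes.
SYSTEM_NAMES = ("winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe", "explorer.exe")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r"([^\\/\s\[\]]+\.(?:exe|dll))", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    verdict: str   # "suspicious", "orphan" or "ok"
    reason: str
    raw: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip()


def trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def looks_random(filename):
    """Heuristic: long stems with few vowels or embedded digits (e.g. dyik3sbfmxthd)."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 10 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.2 or any(c.isdigit() for c in stem)


def lookalike(filename):
    """Return the system binary this name imitates (winlogin.exe -> winlogon.exe), else None."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    for sys_name in SYSTEM_NAMES:
        if SequenceMatcher(None, name, sys_name).ratio() >= 0.85:
            return sys_name
    return None


def classify(code, body):
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2].strip()
        if not value:
            return "ok", "empty value"
        host = urlsplit(value).hostname
        if host is None:
            return "ok", "not a URL (%s)" % value
        if trusted(host.lower()):
            return "ok", "host %s is allowlisted" % host
        return "suspicious", "IE setting points at untrusted host " + host
    if code == "O2":
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0].replace("BHO:", "").strip()
        dll = basename(parts[-1])
        if name == "(no name)" or looks_random(dll):
            return "suspicious", "unnamed or random-named BHO loading " + dll
        return "ok", "named BHO " + name
    if code == "O4":
        m = EXE_RE.search(body)
        exe = m.group(1).lower() if m else body
        twin = lookalike(exe)
        if twin:
            return "suspicious", "%s imitates system binary %s" % (exe, twin)
        if looks_random(exe):
            return "suspicious", "autorun of random-looking name " + exe
        return "ok", "autorun " + exe
    if code == "O9":
        if "(file missing)" in body:
            return "orphan", "referenced file is missing; entry is dead weight"
        return "ok", "extra button/menu item present"
    if code == "O20":
        if body.partition(":")[2].strip():
            return "suspicious", "AppInit_DLLs loads a DLL into every GUI process"
        return "ok", "AppInit_DLLs empty"
    return "ok", "not checked by this example"


def analyze(log_text):
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            verdict, reason = classify(m.group("code"), m.group("body"))
            findings.append(Finding(m.group("code"), verdict, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%-10s %-4s %s" % (f.verdict, f.code, f.reason))
```

Run it on the sample and the six entries PhilliePhan told Glen to fix come back "suspicious", the HP redirect URL and the localhost ProxyOverride come back "ok", and the Sun Java entry is reported as an orphan rather than an infection. The lookalike check is what separates winlogin.exe from the real winlogon.exe, which is the point of the "Global Startup" item in post #4.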
     
  9. igb11s

    igb11s Private E-2

    All the EZN stuff was OEM installed as an aid to setting up an internet connection. I don't need it and can uninstall it if you think it best. For the first time in 3 days I am not getting the "Problem with Explorer..." message when I navigate, so maybe we're making progress. :) Anyway, here is the next log.

    Thanks
    Glen
     

    Attached Files:

  10. PhilliePhan

    PhilliePhan Guest

    Hi Glen,

    Your HJT Log looks good! Looks like you got everything :)
    You can go ahead and reset your homepage to whatever you want.

    Regarding EZN, if it never gave you trouble before, there is no reason to dump it now.

    I do suggest that you implement some of Chaslang's recommendations, if you haven't already: How to protect yourself from malware!

    I definitely recommend that you continue to use the following tools from the tutorial:
    Ad-Aware SE Personal

    SpyBot-Search & Destroy - Remember to use the "Immunize" feature

    SpywareBlaster

    These are all FREE! Just remember to Internet Update them regularly! They, along with a good Anti-Virus and Firewall & keeping your Windows up-to-date will do wonders in helping to keep Malware off your computer!

    Best :)
    PP
     
  11. igb11s

    igb11s Private E-2

    Things are looking up. :) I am most grateful for your help but I may not be entirely out of the woods quite yet. I have repeatedly run Ad-Aware with quarantine and Spybot with fix problem, re-booting between each run. Ad-Aware at first reported 30 objects, then 13 and finally 0. Spybot initially reported 20 problems and now is down to 5, all HKUs (see attached log), which it can't seem to fix. Also, when I changed the IE startup page, "about:blank" was in the address box. Change to my usual home page seemed successful. Should I be concerned about the possibility of about:blank infection?

    Glen
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to install this patch for Spybot: Spybot - Search and Destroy DSO Exploit Fix

    I doubt you have an about:blank problem. If you did, it would keep sending you to about:blank instead of your chosen home page.
     
    Last edited: Nov 29, 2004
  13. PhilliePhan

    PhilliePhan Guest

    Thanks, Chas :)

    Glen - Keep us posted. If you still have more questions or think an issue with your machine remains, let us know!

    Regards,
    PP
     
