SwapX has hijacked me....

http://t.swapx.cc/h.php?aid=20009

I keep getting sent to this web page and it keeps replacing my homepage with itself. The page is directing to some anti-virus site. How can I get rid of this thinkg, I have tried SpyBot and Adaware plus I have Norton on my Puter and nothing seems to work. I have also deleted all of my files. One of the files that Adaware keeps finding is CoolSearch. I have ran the scan several times and they keep coming back, last time I had 42 infected files, most of them CoolSearch

Thanks

Shannon

 

Hi Shannon,

It is always a good idea to start with the Cleanup Tutorial HERE:
READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

Please note the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

Post back and let us know how you fared. I'll check back when I get a chance.

Best luck
PP

 

Re: SwapX has hijacked me....UPDATE

I am still having problems. I went through the Safe Mode process and got rid of some files but I am still getting hijacked. The last time I ran AdAware it identified 661 infected files and they were all associated with a file called Melcosoft. I can get to this file by going to:

Start>Run>REGEDIT>ENTER>HKEY-LOCAL-MACHINE>Software>Melcosoft

If I delete this file will it eliminate the problem or do I need to delete more stuff than just this. I am still being sent to the KitaSearch.com site and my home page keeps getting taken over.

Thanks

 

Hi Shannon,

Melcosoft comes across as shady to me. Use windows Explorer to run a search of your computer for their software.
Make sure you follow the Tutorial carefully and thoroughly. If you have exhausted all of the options in the tutorial, then send us a HijackThis log. Please follow the instructions below.

Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis

If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

Send us a log and we'll go from there I'm tied up right now, but will try to check back.

Best
PP

 

Still no luck, I am hi-jacked. I have tried the "cocktail" of virus removers and scanners, Ad-Aware keeps finding selection for COOLWEBSEARCH and I delete but they keep coming back. I have also ran the TSC and SYSCLEAN programs with no luck. Also, when running CCleaner should I click on the Issues tab and search for issues and then click the "Fix all Issues" tab at the bottom. It appears to be cleaning issues associated with deleted software.

Thanks,

Shannon

 

I would NOT recommend that you have CCleaner scan for Issues. Or, if you do, make sure that you have it save the backups and make sure that they are in a safe place!

If you are still having problems, send us a HijackThis log as per the instructions in my last post - we'll see what it has to say

Best,
PP

 

Here is the HJT file. Thanks for all your help on this so far, I do appreciate it!

 

Shannon - Please Extract HijackThis to its own safe folder - C:\Program Files\HijackThis - This is important!

Also, please download this tool: http://www.cexx.org/lspfix.zip

Please attach a new log once you have done the above. I'll check back when I get a chance.

PP

 

Trying it again

 

Hi Shannon,

I'll try to have something posted for you by tomorrow evening.

Please take a look and see if you still have a HOSTS file. It should be here: C:\Windows\system32\drivers\etc

I'll check back tomorrow.

PP

 

Yes I do still have the HOSTS file. It is the first file in the etc. folder and says it is 1kb.

Shannon

 

That sounds about right - One less thing to worry about!

'til tomorrow,
PP

 

Hi Shannon,

Another thing before we get started. I need you to verify the path for this DLL - 76rrldkml69.dll

It should be found either here - C:\WINDOWS\System32\76rrldkml69.dll

or here - C:\WINDOWS\76rrldkml69.dll

If it is not in either of those, use Windows Explorer to search your machine for it and let me know the complete path for it. You will probably have to Enable the Viewing of Hidden Files as per the Tutorial.

PP

 

76rrldkml69.dll

is in the following location:

C:\WINDOWS\System32\

Thanks,

Shannon

 

Hi Shannon,

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the Tutorial.

NOW:
Open HijackThis and look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\System32\76rrldkml69.dll and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

Stay in safe mode and scan with HijackThis again. Check the Boxes for the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\KZLDE3~1.DLL

O4 - Global Startup: winlogin.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O20 - AppInit_DLLs: 76rrldkml69.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

Again, make sure All Browser Windows are Closed when you Click FIX.

Now, Navigate to and DELETE the following (if they Remain):

C:\WINDOWS\System32\KZLDE3~1.DLL
C:\WINDOWS\System32\76rrldkml69.dll

Now, Run SpybotSD and CCleaner again and have SpybotSD Fix what it finds.

Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and tell me how things are working now.

Best luck
PP

 

Attached is the latest HJT log. Also, it wouldn't let me delete:
04-Global Startup: winlogin.exe

and in Saft Mode the following didn't show up:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

Should I delete these in normal mode or do I need to look for them again in Safe Mode?

HJT told me I needed to shut down 04-Global Startup: Winlogin.exe in task manager before I could delete it, but I could only find Winlogin.exe in task manager and it wouldn't let me shut that down.

I couldn't find the last two files on the computer:
C:\WINDOWS\System32\KZLDE3~1.DLL
C:\WINDOWS\System32\76rrldkml69.dll

Thanks,

Shannon

 

You log didn't attach.

Go ahead and scan for those in normal mode and have HJT fix them if found. Reboot and attach a new log.

Also, use Windows Explorer to search for Winlogin.exe and let me know the full path to where you find it. Do not confuse it with the legitimate Winlogon.

I'll check back when I get a chance.

PP

 

Here is the latest HJT file. When I ran winlogin.exe in windows explorer the only matches that came up were linked to the hijack this file. I ran it a second time and it said no files matched, but it still shows up in the HJT log.

I attached the last two HJT files. The one labeled Hijackthis4 is the one ran after the Safe Mode scan. The one labeled HiJackThis5 is the one ran after the items were deleted in normal mode and the system was scanned in normal mode.

Thanks,

Shannon

 

Hi Shannon,

Working on two toughies at once is too much for my tiny brain!!

Let's try this - Click START > RUN > then type in msconfig > OK

Now Click the Startup Tab and look for Winlogin.exe under "Global Startup" or "Common Startup" and UNCHECK its Box.

Reboot and scan with HJT, Check the box for Winlogin and click Fix. Let's see if that does it! Also, check and see if a path for it is listed.

Let me know the results. It's getting late - I'll try to check back tomorrow evening.

Other than this, log #5 looks OK.

Best
PP

 

I tried that but it still wouldn't let me delete it. I unchecked the box but it still said it was in use when I tried deleting, plus it added a second winlogin under common startup box when I logged back on.

Thanks,

Shannon

 

Let's try this. I've not used this before, so it's a "use at your own risk" type of thing.

WinloginRemove.exe

It is from this site - http://www.dougknox.com/

Let me know if it does the job!

Here's more info: http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html

I'm not the night owl I used to be!!

PP

 

When I ran that program it said no instances of winlogin.exe found.

Shannon

 

Let's try this:

Open HijackThis and look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\System32\winlogin.exe and click OPEN.
A message will ask you if you want to reboot now. Click YES and reboot. You may receive an error message after rebooting that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN. (Same deal as last time)

Run a fresh scan and attach the log.

I am definitely hitting the sack this time!!

PP

 

I tried that and it stayed on there, and I didn't receive the error message saying Windows could not find the file. Attached is the latest HJT log.

Thanks,

Shannon

 

Hi Shannon,

Yes, I see Winlogin is still there. It is proving to be a real beast!

Try looking for it here: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
Again, it may be a hidden file.

If you find it, try to delete it. If it won’t let you delete it, try dragging it to the Desktop and deleting it.

Or, if you find it there, try the same Delete a File on Reboot we’ve been trying with HijackThis, but enter this path: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

I’m starting to run out of ideas about how to get rid of this bugger!!
If you do not find it, try one more search for Winlogin with Windows Explorer. Make sure that, under More Advanced Options, you check the boxes for: Search System Folders, Search Hidden Files and Folders and Search Subfolders.

We are running out of options - We have to somehow locate this file.
I’ll try to check back tonight.

Best
PP

 

HI Again,

Still no luck finding it.

Thanks for your help,

Shannon

 

have you tried Giant Anti Spyware yet?
www.giantcompany.com

 

I ran RegEdit and found winlogin.exe in the following areas:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\Comdig32\Open Save MRU\*
In the right panel the following appeared
Name Type Data
ab(In a box) b RegSz C:\Windows\System32winlogin.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\Comdig32\Open Save MRU\exe
In the right panel the following appeared
Name Type Data
(ab)a RegSz C:\Windows\System32winlogin.exe

HKEY_USERS\S-1-5-21-2882691268-2289149484-633614638-1005\Software\Microsoft\Search Assistant\ACMru\5603
In the right panel the following appeared
Name Type Data
(ab)000 RegSz winlogin

HKEY_USERS\S-1-5-21-2882691268-2289149484-633614638-1005\Software\Microsoft\Search Assistant\ACMru\5604
In the right panel the following appeared
Name Type Data
(ab)000 RegSz winlogin

The ab that appears in parenthesis here appeared as a white box with the letters ab in red and in lower case.

This was the only place I could find any instances of winlogin.

Shannon

 

Hi Shannon,

I'm not really comfortable advising somebody to hack their registry (although that is essentially what HJT does).

Let's try the familiar drill one more time - I'll just copy & paste:

Open HijackThis and look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

While in Safe mode, check the box for O4 - Global Startup: winlogin.exe and Click Fix.

Reboot to Normal Windows and attach a fresh log.

I did a little research on this and it seems to be a universal beast!! But, it all seems to boil down to people finding it here: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

If this doesn't work, open HijackThis > Under "Other Stuff", select Config > Misc Tools > Generate StartupList Log and attach that log along with the other one.

As usual, I'll check back!

PP

 

I received the same message that winlogin.exe was in use and to shut it down using the task bar. I have attached both the latest hjt log and the startup log.

Thanks,

Shannon

 

Hi Shannon,

Just checking in quickly before heading back out the door

According to the Startuplist log, winlogin is here, as suspected:

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]Billminder.lnk = C:\Program Files\Quicken\billmind.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
winlogin.exe

Please download this tool: Pocket KillBox

Unzip it and run it and select Delete a File on Reboot and enter all instances of C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

and see if you are able to kill it that way.

I will check back tomorrow evening - Try to enjoy what's left of the weekend!!!

Best
PP

 

I think you may have killed it! I have attached the latest HJT log and Startup log for you to review. Thanks a ton for your help on this, it has been appreciated.

Shannon

 

Since I have done all of this I cannot sign onto Ebay. I can do everything else on the web that I usually do, I can also look at Ebay auctions and pull up most of their support pages and services, but if I try to bid or sign in I get "Page Cannot be Displayed". IS this something that I may have changed when trying to kill the virus or is it just something on Ebays end. It has been happening since last night.

Thanks,

Shannon

 

I don't know. It could be that something might have been removed by one of the cleanup tools. They flush a lot of marginal things like cookies, etc. . . It could very well be something on Ebay's end.

I do not think that anything we removed via HJT would contribute to this. I certainly do not believe that it is related to the removal of winlogin.

Good job with that, by the way. That was a BEAST! Not much escapes the Pocket Killbox though So it looks like your machine, or at least your HijackThis log, is clean!

I'll take another look at your old HJT log and see if anything jumps out at me regarding Ebay.

Best,
PP

 

Thanks for all of your help on this, it was a hard one to kill. I emailed Ebay and they said it was on my end, they told me to go to search, files and folders, type in cookies and open each folder and delete anything that said ebay, then go to internet options on Explorer and delete all temporary files, cookies and history and it should cure the problem. I tried that and it still didn't work(I didn't think it would), so I guess I will keep digging.

Thanks Again,

Shannon

 

try readjusting your security settings in IE. For the internet zone, move it to maximum.. hit apply , then change it to medium and hit apply , then try ebay again.

Here is where I plug FireFox instead of IE

http://www.majorgeeks.com/download.php?det=2248

 

Kodo -Thanks for the assist!

Shannon - Glad to be able to help. Sorry about the Ebay; wish I knew what the cause was. I doubt it was as a result of anything we directly removed.

As for Malware, you can do a bit to prevent it from coming back. Check out Chaslangs recommendations: How to protect yourself from malware!

Best
PP