A homepage hijacker that redirects the victim's browser to Search For (http://t.swapx.cc/). CWS variant. Recognised by HJT log entries similar to these:

 


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=31403

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\WV2PHP~1.DLL

O20 - AppInit_DLLs: botxnknn8w6j.dll

 

Removal Instructions:

 

Download TheKillbox by Option^Explicit. Extract it from the zip file, then double-click on Killbox.exe to run it. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

   The file identified in AppInit_DLLs key - C:\WINDOWS\system32\******.dll 

Don't click any of the buttons, though; instead, click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The file should show up in the window. Then, in the same window, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot; do so.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try TheKillbox again.

Using HijackThis, close all browser windows, scan and, when complete, remove the following entries by checking the box to the left of each and clicking 'Fix checked':

   The R0 - HKCU value redirecting to http://www.windowws.cc/hp.htm 
   The O2 - BHO: random CLSID with concatenated filename
   The O20 - AppInit_DLLs: dll entry


Reboot when done. Rescan with HJT and check the new log.
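
To check a saved HijackThis log (before the fix, or the new log after the reboot) for the three entry types listed above, the following Python sketch can be used. It is an added example, not part of the original instructions or of HijackThis; the function name, the domain tuple (taken from this page) and the two benign sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains named on this page; extend the tuple for other variants.
HIJACK_DOMAINS = ("windowws.cc", "swapx.cc")

R0 = re.compile(r"^R0 - (?:HKCU|HKLM)\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = (\S+)")
O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O20 = re.compile(r"^O20 - AppInit_DLLs: (.+)$")


def scan_hjt_log(text):
    """Return (entry_type, detail) for each log line matching the entries described above."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R0.match(line)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
                hits.append(("R0", m.group(1)))
            continue
        m = O2.match(line)
        if m:
            name, clsid, path = m.groups()
            # Unnamed BHO loaded from System32 under an 8.3 short name (the "~").
            if name == "(no name)" and "\\system32\\" in path.lower() and "~" in path:
                hits.append(("O2", clsid + " " + path))
            continue
        m = O20.match(line)
        if m:
            # Any AppInit_DLLs value deserves review; system32 path assumed, as in the Killbox step.
            hits.append(("O20", "C:\\WINDOWS\\system32\\" + m.group(1).strip()))
    return hits


# Sample log: the three entries quoted on this page plus two constructed benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\WV2PHP~1.DLL
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - AppInit_DLLs: botxnknn8w6j.dll
"""

if __name__ == "__main__":
    for kind, detail in scan_hjt_log(SAMPLE_LOG):
        print(kind, detail)
```

The O20 result is the full path to paste into TheKillbox; an empty result on the post-reboot log means none of the three entry types remain.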