
http://296f8.ilxt.info /index.php?aid=632....hijacking?

Discussion in 'Virus & Other Malware Removal' started by phazerkid, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. phazerkid

    phazerkid Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    10
    Hi, sorry, I don't know if you have been asked this 100 times, but here goes...

    Recently, when I have been trying to check my email (Hotmail), I get diverted to this search engine site with this URL: http://296f8.ilxt.info/index.php?aid=632

    I have never been to that site before. It is very annoying as it prevents me from checking my email. I have tried deleting the URL from my history and deleting strange-looking programs on my computer. I have also scanned my computer with Norton's Internet Security program AND the Ad-Aware virus scanner. These programs detected and deleted suspicious files, but it STILL hasn't gotten rid of this... thing... :confused:

    Haha, sorry... I'm such a ditz... but please help ^_^

    PS: I use Windows 98 and Internet Explorer.
     
  2. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
  3. phazerkid

    phazerkid Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    10
    The link you gave me won't download the program; it says the site is down or something. I can't read private messages because I couldn't activate my account, due to me not being able to access my email! bbaarrgghh
     
  4. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
  5. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
  6. phazerkid

    phazerkid Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    10
    Thank you Jeff, the link you gave me worked! I have followed the instructions for HijackThis and below is the pasted copy of my scan. Haha, I already see suspicious things like super-spider... what do I do next?

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
    C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ANTISPYWARE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=632
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.slotch.com/?&account_id=132702
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=hpfsched,
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MRLI9UNJSIA.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
    O4 - HKLM\..\Run: [OpwareSE2] "c:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE2 Reminder] "C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\EREG.EXE" -r "C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\ereg.ini"
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\STARTSVS.EXE
    O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWARN.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
    O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
    O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
    O4 - HKCU\..\Run: [HJ95 Sernum Check] C:\PROGRAM FILES\HJPRO\bin\keycheck.exe
    O4 - HKCU\..\Run: [SHCenter.exe] C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
    O4 - HKCU\..\Run: [runner.exe] C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.webcam101.com/pic/lsdialer.cab
     
  7. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    When you posted the HijackThis log you left off the first four lines. Please post them.
    I see you are running Windows 98, so do the following and await further instructions, as this will take a few steps.

    Removal procedure for 9x:


    Identify the file by doing this:

    Download StartDreck from: http://www.niksoft.at/_data/startdreck.zip

    Unzip the startdreck.zip file first. Double-click 'StartDreck.exe'.
    First click on the Config button.
    Now click the Unmark all button.
    Put a check by these boxes only:
    *Registry->run keys
    *Registry->Browser helper objects
    *System/drivers> Running processes
    Hit OK.

    Now click the Save button to save that log.

    Copy and Paste the contents of that log back here and await further instructions.

    I have identified all the following to remove later but if you don't follow the correct steps they will most likely just reload from a hidden file.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=632
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.slotch.com/?&account_id=132702
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} -
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You have more to remove so please post another log.

    If you are not using version 1.98.2 download that before you post.
    Click here: Hijackthis
     
  9. phazerkid

    phazerkid Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    10
    Logfile of HijackThis v1.98.2
    Scan saved at 5:43:22 PM, on 6/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    (Those are the four lines I left out.)

    Below is the log from the StartDreck scan... thank you for your help ^_^

    StartDreck (build 2.1.7 public stable) - 2004-09-07 @ 11:41:12 (GMT +10:00)
    Platform: Windows 98 SE (Win 4.10.2222 A)
    Internet Explorer: 6.0.2800.1106
    Logged in as monsar at 1319700207

    »Registry
    »Run Keys
    »Current User
    »Run
    *IntelProcNumUtility="C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
    *HJ95 Sernum Check=C:\PROGRAM FILES\HJPRO\bin\keycheck.exe
    *SHCenter.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
    *runner.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
    *Yahoo! Pager=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    *MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    *romahere=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    *uninstal=regsvr32 /u /s image.dll
    »RunOnce
    »Default User
    »Run
    *IntelProcNumUtility="C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
    *HJ95 Sernum Check=C:\PROGRAM FILES\HJPRO\bin\keycheck.exe
    *SHCenter.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
    *runner.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
    *Yahoo! Pager=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    *MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    *romahere=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    *uninstal=regsvr32 /u /s image.dll
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *LoadQM=loadqm.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    *USBMonit.exe="C:\WINDOWS\SYSTEM\USBMonit.exe"
    *OpwareSE2="c:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    *OPSE2 Reminder="C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\EREG.EXE" -r "C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\ereg.ini"
    *romahere=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    *pnpsvc_lock=C:\WINDOWS\STARTSVS.EXE
    *KodakCCS=c:\windows\System32\Drivers\KodakCCS.exe
    +OptionalComponents
    +MSFS
    *Installed=1
    +MAPI
    *Installed=1
    *NoChange=1
    +MAPI
    *Installed=1
    *NoChange=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Browser Helper Objects (LM)
    *Plugin6.DNSErrObj.1/{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}
    `InprocServer32=C:\WINDOWS\SYSTEM\MRLI9UNJSIA.DLL
    »Files
    »System/Drivers
    »Running Processes
    +FFEF3483=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    +FFFFC01B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    +FFFFF7EB=C:\WINDOWS\SYSTEM\MPREXE.EXE
    +FFFE4DB3=C:\WINDOWS\SYSTEM\MSTASK.EXE
    +FFFF855F=C:\WINDOWS\SYSTEM\mmtask.tsk
    +FFFE075F=C:\WINDOWS\EXPLORER.EXE
    +FFFED70B=C:\WINDOWS\TASKMON.EXE
    +FFFD159B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    +FFFD2A4B=C:\WINDOWS\LOADQM.EXE
    +FFFD7B47=C:\WINDOWS\SYSTEM\STIMON.EXE
    +FFFDD863=C:\WINDOWS\SYSTEM\USBMONIT.EXE
    +FFFD97A3=C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
    +FFFD9B2F=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    +FFFDBED3=C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    +FFFDB41B=C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
    +FFFDB70F=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    +FFFC26EF=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    +FFFD2DAF=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    +FFFDDE9F=C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    +FFFB3277=C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
    +FFFA5A9B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    +FFF8E69B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    +FFF73703=C:\WINDOWS\SYSTEM\DDHELP.EXE
    +FFF7EBAB=C:\WINDOWS\NOTEPAD.EXE
    +FFF773C7=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    +FFF6109F=C:\ANTISPYWARE\STARTDRECK.EXE
    »Application specific
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.webcam101.com/pic/lsdialer.cab

    Close all applications and browser windows before you click "fix checked".


    Restart in Safe Mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files:
    C:\WINDOWS\bad3074.exe
    C:\WINDOWS\SYSTEM\MATRIXHERE.EXE

    Reboot.

    I can't see the rest until you get the new version of HJT.
     
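    The helpers in this thread picked out the hijack entries by eye: IE start/search settings pointing at a host the owner never chose, a BHO and URLSearchHook with no name, the same MATRIXHERE.EXE command registered under both HKLM and HKCU Run keys, a Run entry that calls regsvr32 at every logon, and an O16 ActiveX download from an external site. The Python script below is an added example, not part of the thread and not HijackThis's own code: it parses lines in the HijackThis log format and applies those same heuristics automatically. The sample log is a constructed subset of the entries posted above, and the allowlist of expected home/search hosts is an assumption standing in for whatever the owner actually configured.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: a subset of the HijackThis v1.98.2 entries posted in
# this thread (raw string so the registry backslashes survive unchanged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MRLI9UNJSIA.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.webcam101.com/pic/lsdialer.cab
"""

# Assumed allowlist (constructed): the hosts the owner actually set as home/search page.
EXPECTED_HOSTS = {"www.msn.com", "www.hotmail.com"}

# Every HijackThis entry starts with a section code such as R0, O2, O16.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 registry entries look like: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)")


def parse_hjt(text):
    """Split a HijackThis log into (section code, body) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review(text, expected_hosts):
    """Apply the heuristics the helpers used by hand; returns a list of findings (dicts)."""
    findings = []
    run_cmds = {}  # normalised O4 command -> set of hives it is registered under
    for code, body in parse_hjt(text):
        if code in ("R0", "R1"):
            # R0/R1 are IE start/search settings: "registry key,value = data".
            # Only URL-valued settings are checked; ProxyOverride = localhost is a normal default.
            _, _, data = body.partition(" = ")
            data = data.strip()
            if data.lower().startswith("http"):
                host = (urlparse(data).hostname or "").lower()
                if host not in expected_hosts:
                    findings.append({"code": code, "reason": f"IE setting points at unexpected host {host}", "body": body})
        elif code == "R3" and ("(no name)" in body or "(no file)" in body):
            findings.append({"code": code, "reason": "URLSearchHook with no name or backing file", "body": body})
        elif code == "O2" and body.startswith("BHO: (no name)"):
            findings.append({"code": code, "reason": "browser helper object registered without a name", "body": body})
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Startup-folder entries and other O4 shapes are not examined here
            cmd = m.group("cmd").strip().strip('"').lower()
            run_cmds.setdefault(cmd, set()).add(m.group("hive"))
            parts = cmd.split()
            # Heuristic: registering/unregistering a COM DLL at every logon is unusual.
            if parts and parts[0] in ("regsvr32", "regsvr32.exe"):
                findings.append({"code": code, "reason": "Run entry invokes regsvr32 at every logon", "body": body})
        elif code == "O16":
            findings.append({"code": code, "reason": "ActiveX control downloaded from an external site", "body": body})
    # The same executable registered under both HKLM and HKCU Run keys is how the
    # romahere entry in this thread kept coming back; report it once.
    for cmd, hives in run_cmds.items():
        if len(hives) > 1:
            findings.append({"code": "O4", "reason": f"same startup command under {' and '.join(sorted(hives))}", "body": cmd})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, EXPECTED_HOSTS):
        print(f"{f['code']:<3} {f['reason']}\n     {f['body']}")
```

Run it as-is to see the seven findings for the sample; point `review()` at a full saved log and your own allowlist to triage a different machine. Benign entries such as the Norton toolbar, TaskMonitor and the ProxyOverride default produce no finding, which is the point of the allowlist and the "URL-valued only" check.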
  11. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    Thanks for stepping in Cybertech. She has posted the first four lines which were not with the first log and it shows she is using the current Hijackthis. I appreciate any help as I was just trying to get her started on the right path.
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    jm100dm, my pleasure. Please continue to assist, as we still have not seen a full HJT log.
     
  13. phazerkid

    phazerkid Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    10
    I added the four lines in a previous post already.
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I would be interested in seeing a current HJT log.
     
  15. phazerkid

    phazerkid Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    10
    Which version do you suggest I download?
     
Short URL to this thread: https://techguy.org/270372