http://296f8.ilxt.info /index.php?aid=632....hijacking?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

phazerkid

Thread Starter
Joined
Sep 5, 2004
Messages
10
Hi, sorry, I don't know if you have been asked this 100 times, but here goes.....

Recently, when I have been trying to check my email (Hotmail), I get diverted to this search engine site with this URL: http://296f8.ilxt.info/index.php?aid=632

I have never been to that site before. It is veeery annoying as it prevents me from checking my email. I have tried deleting the URL from my history and deleting strange-looking programs on my puter. I have also scanned my computer with Norton's Internet Security program AND the Ad-Aware virus scanner. These programs detected and deleted suspicious files but it STILL hasn't gotten rid of this....thing..... :confused:

haha sorry....I'm such a ditz...but please help ^_^

PS: I use Windows 98 and Internet Explorer
 

phazerkid

Thread Starter
Joined
Sep 5, 2004
Messages
10
The link you gave me won't download the program; it says the site is down or something. I can't read private messages because I couldn't activate my account, due to not being able to access my email! bbaarrgghh
 

phazerkid

Thread Starter
Joined
Sep 5, 2004
Messages
10
Thank you Jeff, the link you gave me worked! I have followed the HijackThis instructions and below is a pasted copy of my scan. haha I already see suspicious things like super-spider....what do I do next?

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ANTISPYWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.slotch.com/?&account_id=132702
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched,
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MRLI9UNJSIA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [OpwareSE2] "c:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE2 Reminder] "C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\EREG.EXE" -r "C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\ereg.ini"
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\STARTSVS.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWARN.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU\..\Run: [HJ95 Sernum Check] C:\PROGRAM FILES\HJPRO\bin\keycheck.exe
O4 - HKCU\..\Run: [SHCenter.exe] C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
O4 - HKCU\..\Run: [runner.exe] C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.webcam101.com/pic/lsdialer.cab
 
Joined
May 26, 1999
Messages
994
When you posted the HijackThis log you left off the first four lines. Please post them.
I see you are running Windows 98, so do the following and await further instructions, as this will take a few steps.

Removal procedure for 9x:

Identify the file by doing this:

Download StartDreck from: http://www.niksoft.at/_data/startdreck.zip

Unzip the startdreck.zip file first. Double-click 'StartDreck.exe'.
First click on the Config button.
Now click the "Unmark all" button.
Put a check by these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
Hit OK.

Now click the Save button to save that log.

Copy and Paste the contents of that log back here and await further instructions.

I have identified all the following to remove later, but if you don't follow the correct steps they will most likely just reload from a hidden file.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.slotch.com/?&account_id=132702
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} -
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
You have more to remove so please post another log.

If you are not using version 1.98.2, download that before you post.
Click here: HijackThis
 

phazerkid

Thread Starter
Joined
Sep 5, 2004
Messages
10
Logfile of HijackThis v1.98.2
Scan saved at 5:43:22 PM, on 6/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
(Those are the four lines I left out.)

Below is the StartDreck scan...thank you for your help ^_^

StartDreck (build 2.1.7 public stable) - 2004-09-07 @ 11:41:12 (GMT +10:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as monsar at 1319700207

»Registry
»Run Keys
»Current User
»Run
*IntelProcNumUtility="C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
*HJ95 Sernum Check=C:\PROGRAM FILES\HJPRO\bin\keycheck.exe
*SHCenter.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
*runner.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
*Yahoo! Pager=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
*MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*romahere=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
*uninstal=regsvr32 /u /s image.dll
»RunOnce
»Default User
»Run
*IntelProcNumUtility="C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
*HJ95 Sernum Check=C:\PROGRAM FILES\HJPRO\bin\keycheck.exe
*SHCenter.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
*runner.exe=C:\PROGRAM FILES\HJPRO\bin\shcenter.exe
*Yahoo! Pager=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
*MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*romahere=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
*uninstal=regsvr32 /u /s image.dll
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*LoadQM=loadqm.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*USBMonit.exe="C:\WINDOWS\SYSTEM\USBMonit.exe"
*OpwareSE2="c:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
*OPSE2 Reminder="C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\EREG.EXE" -r "C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\ereg.ini"
*romahere=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
*pnpsvc_lock=C:\WINDOWS\STARTSVS.EXE
*KodakCCS=c:\windows\System32\Drivers\KodakCCS.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*Plugin6.DNSErrObj.1/{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}
`InprocServer32=C:\WINDOWS\SYSTEM\MRLI9UNJSIA.DLL
»Files
»System/Drivers
»Running Processes
+FFEF3483=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFC01B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFF7EB=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE4DB3=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFF855F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE075F=C:\WINDOWS\EXPLORER.EXE
+FFFED70B=C:\WINDOWS\TASKMON.EXE
+FFFD159B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD2A4B=C:\WINDOWS\LOADQM.EXE
+FFFD7B47=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFDD863=C:\WINDOWS\SYSTEM\USBMONIT.EXE
+FFFD97A3=C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
+FFFD9B2F=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
+FFFDBED3=C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
+FFFDB41B=C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
+FFFDB70F=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFFC26EF=C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
+FFFD2DAF=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFFDDE9F=C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
+FFFB3277=C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
+FFFA5A9B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF8E69B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF73703=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF7EBAB=C:\WINDOWS\NOTEPAD.EXE
+FFF773C7=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
+FFF6109F=C:\ANTISPYWARE\STARTDRECK.EXE
»Application specific
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and put a check in the following:

O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.webcam101.com/pic/lsdialer.cab

Close all applications and browser windows before you click "fix checked".


Restart in Safe Mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", click "Apply", then "OK".

Delete these files:
C:\WINDOWS\bad3074.exe
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE

Reboot.

I can't see the rest until you get the new version of HJT.
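An added example, not code from the thread, from HijackThis or from StartDreck: a small Python parser for the HijackThis line types seen in the log above (R0/R1/R3, O2/O3, O4, O16) that flags entries matching the hosts and files the two helpers marked for removal, and groups the hijack URLs by the affiliate id in their query string. The point it makes is the one a defender would draw from the log: the same id, 632, appears in the original redirect URL (aid=632) and in the super-spider.com and windowws.cc search settings, so the redirect and the changed IE settings are one campaign. The sample log is constructed from a subset of the entries quoted in the thread (plus the Norton toolbar and ScanRegistry entries, which should come out clean); the indicator sets are my own and contain only names the posts identify.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: a subset of the HijackThis entries quoted in the thread,
# plus two entries (Norton toolbar, ScanRegistry) that should come out clean.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.slotch.com/?&account_id=132702
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MRLI9UNJSIA.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.webcam101.com/pic/lsdialer.cab
"""

# The URL the original poster was being redirected to (from the first post).
REDIRECT_URL = "http://296f8.ilxt.info/index.php?aid=632"

# Indicator sets built only from what the helpers in the thread marked for removal.
BAD_HOSTS = {"super-spider.com", "www.windowws.cc", "www.slotch.com"}
BAD_FILES = {"matrixhere.exe", "mrli9unjsia.dll", "image.dll", "lsdialer.cab", "bad3074.exe"}

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<value>.*)$")


def parse_entry(line):
    """Parse one HijackThis line into a dict, or return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    entry = {"type": etype, "raw": line.strip(), "value": ""}
    if etype in ("R0", "R1"):               # registry value = data
        key, _, value = body.partition(" = ")
        entry.update(key=key, value=value)
    elif etype == "O4":                      # autostart: key: [name] command
        m4 = O4_RE.match(body)
        if m4:
            entry.update(m4.groupdict())
        else:                                # "Startup: foo.lnk = path" form
            key, _, value = body.partition(" = ")
            entry.update(key=key, value=value)
    else:                                    # R3/O2/O3/O16: name - {CLSID} - file or URL
        parts = [p.strip() for p in body.split(" - ")]
        entry.update(
            name=parts[0],
            clsid=next((p for p in parts if "{" in p), ""),
            value=parts[-1] if len(parts) > 1 else "",
        )
    return entry


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def flag_entries(entries):
    """Return (entry, reasons) pairs for entries that match an indicator."""
    flagged = []
    for e in entries:
        value = e["value"]
        reasons = []
        if value.lower().startswith("http"):
            host = (urlparse(value).hostname or "").lower()
            if host in BAD_HOSTS:
                reasons.append(f"known hijack host {host}")
        for name in BAD_FILES:
            if name in value.lower():
                reasons.append(f"known hijack file {name}")
        if e["type"] in ("R3", "O2") and value == "(no file)":
            reasons.append("hook registered with no backing file")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def urls_in(entries):
    return [e["value"] for e in entries if e["value"].lower().startswith("http")]


def affiliate_ids(urls):
    """Group hosts by the affiliate id carried as id= or aid= in the query string."""
    groups = {}
    for url in urls:
        parsed = urlparse(url)
        for param in ("id", "aid"):
            for aff in parse_qs(parsed.query).get(param, []):
                groups.setdefault(aff, set()).add(parsed.hostname)
    return groups


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    flagged = flag_entries(entries)
    print(f"{len(entries)} entries, {len(flagged)} flagged")
    for e, reasons in flagged:
        print(f"  {e['raw']}\n      -> {'; '.join(reasons)}")
    for aff, hosts in affiliate_ids(urls_in(entries) + [REDIRECT_URL]).items():
        print(f"affiliate id {aff}: {sorted(hosts)}")
```

Indicator matching on host and file name is deliberately simple; the part that generalises is the affiliate grouping, which works on any R0/R1/O16 URL and ties together hosts that share an id even when the domains differ.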
 
Joined
May 26, 1999
Messages
994
Thanks for stepping in, Cybertech. She has posted the first four lines which were not with the first log, and it shows she is using the current HijackThis. I appreciate any help, as I was just trying to get her started on the right path.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
jm100dm, my pleasure; please continue to assist, as we still have not seen a full HJT log.
 