I've been hijacked (again) please help?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

vron0409

Thread Starter
Joined
Sep 7, 2004
Messages
8
Hello
I hope you can help me. I have been hijacked a few times and thought I got rid of them but now I'm stuck again. I have been reading posts on this site but am not sure what I have attacking me at this point. I am running Windows 98 and used Ad-Aware and it says there are no more files that are bad but am still having this page come up when I use Internet Explorer:

http://296f8.ilxt.info/index.php?aid=20038

I have stopped using IE altogether but would like to get my computer back. I'm just too fed up and perhaps too inexperienced to fix this myself. Please help! Thanks!

Here is my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 3:27:59 PM, on 9/6/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\MY DOCUMENTS\DOWNLOADS\HIJACK THIS & ABOUT BUSTER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .slx: C:\PROGRA~1\INTERN~1\PLUGINS\npsl232.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38205.8633680556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
Joined
Dec 9, 2000
Messages
45,855
Close the IE browser then check and fix all those R0 entries. Then go to Internet Options (through the Control Panel) and select Programs > reset web settings.

Reboot and go to c:\windows\temp.

Select Edit > Select All and then delete all the contents.

Download this version of HijackThis (1.98.2) and provide a new HijackThis scan using it:

http://www.net-integration.net/tools/hijackthis.html

Also download and run the Coolwebshredder which is available on that same page.

And what version of Ad-aware did you use? There is a new SE version that supersedes the old Ad-aware 6.
 

vron0409

Thread Starter
Joined
Sep 7, 2004
Messages
8
Thanks for replying so quickly!

I closed everything and ran hijack this to fix all the R0 entries.

I went to Internet Options, programs, and reset my web settings.

I rebooted and went to c:\windows\temp and tried to delete all the files however these five would not allow me to delete them:

~dbdbc3c
~wrf0000
~dfb290
~dfb89f
~dfbffa

I downloaded coolwebshredder and ran the scan, which I will post here, and downloaded the newest version of hijack this and ran a scan, which I will post here. I have adaware SE.

Here are the scans:

Windows 98 (4.10.1998 )
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\SYSTEM
AppData folder: C:\WINDOWS\Application Data
Username:

Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
Found Win.ini file: C:\WINDOWS\win.ini (8923 bytes, A)
Found line in Win.ini: load=
Found System.ini file: C:\WINDOWS\system.ini (2341 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT –


Logfile of HijackThis v1.98.2
Scan saved at 11:10:22 PM, on 9/6/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\DOWNLOADS\HIJACK THIS NEW\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .slx: C:\PROGRA~1\INTERN~1\PLUGINS\npsl232.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


Awaiting further instructions.... : )
 
Joined
Dec 9, 2000
Messages
45,855
I don't see any further issues in the current scanlog. Are you continuing to experience any?
 

vron0409

Thread Starter
Joined
Sep 7, 2004
Messages
8
So far so good. Thanks so much for the help : ) I am almost nervous to surf more because it seems like sometimes they pop up at a later time. Or maybe I just keep getting reinfected? I am now going to download all the recent fixes/patches for windows and plan on updating my anti-virus software. Are there any other crucial programs to have that can help prevent hijacking in particular? Thanks again!
 
Joined
Dec 9, 2000
Messages
45,855
You're welcome for the help. The suggestions on this page will help many...

http://forums.techguy.org/t208517.html

The best defense is conservative browsing and downloading habits. And unless you are adept at knowing just what Windows updates are super critical, it's best to install all the critical ones.
 

vron0409

Thread Starter
Joined
Sep 7, 2004
Messages
8
I knew it was too good to be true lol. I opened Internet Explorer and visited a page. Then I clicked on home to get back to my homepage and that about:blank homepage came up instead as well as a popup saying my computer was infected. (no kidding)

Here is the scan with the new hijack this... what should I do?

Logfile of HijackThis v1.98.2
Scan saved at 10:57:01 PM, on 9/9/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\MY DOCUMENTS\DOWNLOADS\HIJACK THIS NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8B334B63-02AE-11D9-B66D-000466D1FFE4} - C:\WINDOWS\SYSTEM\CKNLN.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .slx: C:\PROGRA~1\INTERN~1\PLUGINS\npsl232.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
O18 - Filter: text/plain - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
 
Joined
Dec 9, 2000
Messages
45,855
Since it doesn't appear the reinfection occurred as a result of a file remaining on the system, you must have repeated some behavior which caused the original infection. If your Internet Explorer and other updates are not current, this can happen simply by clicking on an untrustworthy URL.

Basically we want to follow the same instructions.

Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.computercops.biz/downloads-cat-14.html

Then:

1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

2 >> In Safe Mode run the CoolWebShredder and have it "fix" detected problems. Then run HijackThis and check and "fix" the following entries:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8B334B63-02AE-11D9-B66D-000466D1FFE4} - C:\WINDOWS\SYSTEM\CKNLN.DLL

O18 - Filter: text/html - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
O18 - Filter: text/plain - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL


3 >> Manually search for and ensure this file gets deleted:

C:\WINDOWS\SYSTEM\CKNLN.DLL

Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them.

4 >> Reboot

Update and run another full drive Ad-Aware SE scan.

Make sure your Security settings meet the criteria described on this page:

http://forums.techguy.org/showpost.php?p=1479174&postcount=1

Note: You are running an old version of Internet Explorer. You either need to update to the latest version and install the cumulative update or switch to another browser such as Opera 7 or Mozilla Firefox.

After you update IE, and before installing the Cumulative Updates, you must FIRST install this Security patch, or you will lose the "Troubleshooter" features in Win98:

http://support.microsoft.com/default.aspx?scid=kb;en-us;811630
http://www.microsoft.com/windows98/downloads/contents/WUCritical/q811630/default.asp
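
As an added example (not part of the original thread and not code from HijackThis), the comparison made above between the clean 9/6 log and the reinfected 9/9 log can be scripted: the Python below diffs two HijackThis logs and reports which file the newly appeared entries load. The function names are illustrative, and the two embedded logs are shortened excerpts of the logs posted in this thread.

```python
import re
from collections import defaultdict

# Section code ("R1", "O2", "O18", ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A trailing " - <drive>:\path\file.ext" names the file an entry loads.
FILE_RE = re.compile(r" - ([A-Za-z]:\\[^\r\n]+\.\w{2,4})$")

def parse_entries(log_text):
    """Return [(code, body)] for every HijackThis entry line in a log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def new_entries(baseline_log, current_log):
    """Entries present in the current log but absent from the baseline."""
    known = set(parse_entries(baseline_log))
    return [e for e in parse_entries(current_log) if e not in known]

def files_by_hook(entries):
    """Map each referenced file (upper-cased) to the section codes that load it."""
    hooks = defaultdict(set)
    for code, body in entries:
        m = FILE_RE.search(body)
        if m:
            hooks[m.group(1).upper()].add(code)
    return dict(hooks)

# Shortened excerpts of the 9/6/04 (clean) and 9/9/04 (reinfected) logs above.
BASELINE = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
"""
CURRENT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8B334B63-02AE-11D9-B66D-000466D1FFE4} - C:\WINDOWS\SYSTEM\CKNLN.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O18 - Filter: text/html - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
"""

if __name__ == "__main__":
    added = new_entries(BASELINE, CURRENT)
    for code, body in added:
        print("NEW", code, body)
    for path, codes in files_by_hook(added).items():
        if len(codes) > 1:
            print("multi-hook file:", path, sorted(codes))
```

A file that shows up under more than one hook type at once, here a BHO (O2) and a MIME filter (O18), is the pattern that singles out CKNLN.DLL in the 9/9 log.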
 

vron0409

Thread Starter
Joined
Sep 7, 2004
Messages
8
I have been busy today!

I entered safe mode and ran cwshredder and had it fix whatever it found.

I ran hijack this and fixed the items you specified, though some were no longer on the list.

I searched for CKNLN.DLL but could not find it to delete.

When I went to delete the temp files in windows there were five that would not allow me to delete them:

~dff75c
~dff9f5
~dff80b
~dffccf
~wrf0000

But I found a neat trick on www.langa.com. I placed the following lines in Notepad:

c:\windows\command\deltree /y c:\windows\temp
del c:\windows\tempor~1\*.zip
del c:\windows\tempor~1\*.exe

and saved it as c:\cleanup.bat

Then I ran it in DOS and it deleted those files.

Ran adaware se again and had it fix the one critical item it found.

I got the newest version of IE and went to the link you gave so I wouldn't lose troubleshooting in 98. Also set the security settings per the link you gave.

I installed all critical updates for IE and downloaded spyware blaster, spyware guard, and ie-spyad.

Tried just now to run a new hijack this scan but it won't complete the scan and I'm wondering if there is a conflict with the new stuff I downloaded? Should I uninstall any of it? Hate to lose hijack this...

So far popups and redirected home page has not happened. (keeping my fingers crossed!)
 
Joined
Dec 9, 2000
Messages
45,855
Try downloading a new copy of HijackThis. If it still doesn't complete, try running it in Safe Mode, it won't show all the processes which would run in normal mode, but it will still show the IE related entries and startups.
 

vron0409

Thread Starter
Joined
Sep 7, 2004
Messages
8
I deleted all old copies of hijack this and downloaded a new copy. It still would not complete scan even in safe mode. At the top of the window it said:

O15 - trusted zone enumeration

Not sure what that means...

I would happily give up one of the new items I downloaded to make sure I have hijack this. Any ideas which one is causing problems?
 
Joined
Dec 9, 2000
Messages
45,855
It may have something to do with one of the installed programs, but I'm not sure which one.

Go to Internet Options > Security. You will see Trusted and Restricted site zones there. Select trusted first and then click "sites". What is in there?

Do the same for "Restricted" -- which is really where I expect the problem is occurring. One or more of the new programs has populated the "restricted" zone. Perhaps there are too many entries or the registry key has become excessively long. You may need to delete what is in there, uninstall the new programs, and just reinstall one -- since they are really duplicative in what they do.
 

vron0409

Thread Starter
Joined
Sep 7, 2004
Messages
8
In my trusted sites there is just microsoft updates. I think you are right about the restricted sites. I downloaded something called ie spyad that is supposed to have a few thousand known offending sites and adds them to your restricted list to protect you. Maybe I've gone a bit overboard lol. I will get rid of them and not reinstall that item.
 