
I've been hijacked (again) please help?

Discussion in 'Virus & Other Malware Removal' started by vron0409, Sep 7, 2004.

  1. vron0409

    vron0409 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Hello
    I hope you can help me. I have been hijacked a few times and thought I got rid of them but now I'm stuck again. I have been reading posts on this site but am not sure what I have attacking me at this point. I am running Windows 98 and used Ad-Aware and it says there are no more files that are bad, but I am still having this page come up when I use Internet Explorer:

    http://296f8.ilxt.info/index.php?aid=20038

    I have stopped using IE altogether but would like to get my computer back. I'm just too fed up and perhaps too inexperienced to fix this myself. Please help! Thanks!

    Here is my Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:27:59 PM, on 9/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\OPERA\OPERA.EXE
    C:\MY DOCUMENTS\DOWNLOADS\HIJACK THIS & ABOUT BUSTER\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .slx: C:\PROGRA~1\INTERN~1\PLUGINS\npsl232.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38205.8633680556
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Close the IE browser then check and fix all those R0 entries. Then go to Internet Options (through the Control Panel) and select Programs > reset web settings.

    Reboot and go to c:\windows\temp.

    Select Edit > Select All and then delete all the contents.

    Download this version of HijackThis (1.98.2) and provide a new HijackThis scan using it:

    http://www.net-integration.net/tools/hijackthis.html

    Also download and run the Coolwebshredder which is available on that same page.

    And what version of Ad-aware did you use? There is a new SE version that supersedes the old Ad-aware 6.
     
  3. vron0409

    vron0409 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Thanks for replying so quickly!

    I closed everything and ran hijack this to fix all the R0 entries.

    I went to Internet Options, programs, and reset my web settings.

    I rebooted and went to c:\windows\temp and tried to delete all the files however these five would not allow me to delete them:

    ~dbdbc3c
    ~wrf0000
    ~dfb290
    ~dfb89f
    ~dfbffa

    I downloaded coolwebshredder and ran the scan which I will post here and downloaded the newest version of hijack this and ran a scan which I will post here. I have adaware SE.

    Here are the scans:

    Windows 98 (4.10.1998 )
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\SYSTEM
    AppData folder: C:\WINDOWS\Application Data
    Username:

    Hosts file not present
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    Found Win.ini file: C:\WINDOWS\win.ini (8923 bytes, A)
    Found line in Win.ini: load=
    Found System.ini file: C:\WINDOWS\system.ini (2341 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -


    Logfile of HijackThis v1.98.2
    Scan saved at 11:10:22 PM, on 9/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\MY DOCUMENTS\DOWNLOADS\HIJACK THIS NEW\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .slx: C:\PROGRA~1\INTERN~1\PLUGINS\npsl232.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


    Awaiting further instructions.... : )
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any further issues in the current scanlog. Are you continuing to experience any?
     
  5. vron0409

    vron0409 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    So far so good. Thanks so much for the help : ) I am almost nervous to surf more because it seems like sometimes they pop up at a later time. Or maybe I just keep getting reinfected? I am now going to download all the recent fixes/patches for windows and plan on updating my anti-virus software. Are there any other crucial programs to have that can help prevent hijacking in particular? Thanks again!
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're welcome for the help. The suggestions on this page will help many...

    http://forums.techguy.org/t208517.html

    The best defense is conservative browsing and downloading habits. And unless you are adept at knowing just what Windows updates are super critical, it's best to install all the critical ones.
     
  7. vron0409

    vron0409 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    I knew it was too good to be true lol. I opened Internet Explorer and visited a page. Then I clicked on home to get back to my homepage and that about:blank homepage came up instead as well as a popup saying my computer was infected. (no kidding)

    Here is the scan with the new hijack this... what should I do?

    Logfile of HijackThis v1.98.2
    Scan saved at 10:57:01 PM, on 9/9/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\OPERA\OPERA.EXE
    C:\MY DOCUMENTS\DOWNLOADS\HIJACK THIS NEW\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {8B334B63-02AE-11D9-B66D-000466D1FFE4} - C:\WINDOWS\SYSTEM\CKNLN.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .slx: C:\PROGRA~1\INTERN~1\PLUGINS\npsl232.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O18 - Filter: text/html - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
    O18 - Filter: text/plain - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Since it doesn't appear the reinfection occurred as a result of a file remaining on the system, you must have repeated some behavior which caused the original infection. If your Internet Explorer and other updates are not current, this can happen simply by clicking on an untrustworthy url.

    Basically we want to follow the same instructions.

    Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

    Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.computercops.biz/downloads-cat-14.html

    Then:

    1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2 >> In Safe Mode run the CoolWebShredder and have it "fix" detected problems. Then run HijackThis and check and "fix" the following entries:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {8B334B63-02AE-11D9-B66D-000466D1FFE4} - C:\WINDOWS\SYSTEM\CKNLN.DLL

    O18 - Filter: text/html - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
    O18 - Filter: text/plain - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL


    3 >> Manually search for and ensure this file gets deleted

    C:\WINDOWS\SYSTEM\CKNLN.DLL

    Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

    Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them.

    4 >> Reboot

    Update and run another full drive Ad-Aware SE scan.

    Make sure your Security settings meet the criteria described on this page:

    http://forums.techguy.org/showpost.php?p=1479174&postcount=1

    Note: You are running an old version of Internet Explorer. You either need to update to the latest version and install the cumulative update or switch to another browser such as Opera 7 or Mozilla Firefox.

    After you update IE, and before installing the Cumulative Updates, you must FIRST install this Security patch, or you will lose the "Troubleshooter" features in Win98:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;811630
    http://www.microsoft.com/windows98/downloads/contents/WUCritical/q811630/default.asp
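Added example, not code from the thread or from HijackThis: a small Python triage that applies the same reading Rollin' Rog gave the log above (R0/R1 values pointing at about: or file:// pages, an unnamed O2 BHO, O18 filters for text/html and text/plain, an O9 button with no file) and collects the file paths those entries name so they can be checked by hand after the fix. The sample log is constructed from entries in the posts above; treating every text/html or text/plain filter as suspect is an assumption of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis 1.98.2 logs posted in this
# thread: the about: redirects, the CKNLN.DLL BHO and MIME filters, and a few
# benign O4/O9 lines that the triage should leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
O2 - BHO: (no name) - {8B334B63-02AE-11D9-B66D-000466D1FFE4} - C:\WINDOWS\SYSTEM\CKNLN.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
O18 - Filter: text/plain - {8B334B62-02AE-11D9-B66D-0004099D5A7F} - C:\WINDOWS\SYSTEM\CKNLN.DLL
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")        # "O18 - Filter: ..." etc.
PATH_RE = re.compile(r"[A-Za-z]:\\\S+\.(?:dll|exe|html?)", re.IGNORECASE)

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def triage(log_text: str) -> tuple[list[Finding], set[str]]:
    """Flag entries that match the hijack pattern seen in this thread and
    return them with the (upper-cased) file paths they reference."""
    findings: list[Finding] = []
    suspect_files: set[str] = set()
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        reason = None
        if section in ("R0", "R1"):
            value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
            # A plain about:blank start page is a common legitimate choice; the
            # HomeOldSP key and about:NavigationFailure are the hijack signs.
            if (value.startswith("file://") or ",HomeOldSP" in body
                    or (value.startswith("about:") and value != "about:blank")):
                reason = "IE start/search setting redirected to a local or about: page"
        elif section == "O2" and "(no name)" in body:
            reason = "Browser Helper Object with no name"
        elif section == "O18" and re.search(r"text/(?:html|plain)", body):
            reason = "MIME filter on text/html or text/plain (assumed hostile)"
        elif section == "O9" and "(no file)" in body:
            reason = "toolbar button whose file is missing"
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
            suspect_files.update(p.upper() for p in PATH_RE.findall(body))
    return findings, suspect_files

if __name__ == "__main__":
    found, files = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("check by hand:", ", ".join(sorted(files)))
```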
     
  9. vron0409

    vron0409 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    I have been busy today!

    I entered safe mode and ran cwshredder and had it fix whatever it found.

    I ran hijack this and fixed the items you specified, though some were no longer on the list.

    I searched for CKNLN.DLL but could not find it to delete.

    When I went to delete the temp files in windows there were five that would not allow me to delete them:

    ~dff75c
    ~dff9f5
    ~dff80b
    ~dffccf
    ~wrf0000

    But I found a neat trick on www.langa.com I placed the following lines in Notepad:

    c:\windows\command\deltree /y c:\windows\temp
    del c:\windows\tempor~1\*.zip
    del c:\windows\tempor~1\*.exe

    and saved it as c:\cleanup.bat

    Then I ran it in DOS and it deleted those files.

    Ran adaware se again and had it fix the one critical item it found.

    I got the newest version of IE and went to the link you gave so I wouldn't lose troubleshooting in 98. Also set the security settings per the link you gave.

    I installed all critical updates for IE and downloaded spyware blaster, spyware guard, and ie-spyad.

    Tried just now to run a new hijack this scan but it won't complete the scan and I'm wondering if there is a conflict with the new stuff I downloaded? Should I uninstall any of it? Hate to lose hijack this...

    So far popups and the redirected home page have not happened. (keeping my fingers crossed!)
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Try downloading a new copy of HijackThis. If it still doesn't complete, try running it in Safe Mode; it won't show all the processes which would run in normal mode, but it will still show the IE related entries and startups.
     
  11. vron0409

    vron0409 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    I deleted all old copies of hijack this and downloaded a new copy. It still would not complete the scan even in safe mode. At the top of the window it said:

    O15 - trusted zone enumeration

    Not sure what that means...

    I would happily give up one of the new items I downloaded to make sure I have hijack this. Any ideas which one is causing problems?
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It may have something to do with one of the installed programs, but I'm not sure which one.

    Go to Internet Options > Security. You will see Trusted and Restricted site zones there. Select trusted first and then click "sites". What is in there?

    Do the same for "Restricted" -- which is really where I expect the problem is occurring. One or more of the new programs has populated the "restricted" zone. Perhaps there are too many entries or the registry key has become excessively long. You may need to delete what is in there, uninstall the new programs, and just reinstall one -- since they are really duplicative in what they do.
     
  13. vron0409

    vron0409 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    In my trusted sites there is just microsoft updates. I think you are right about the restricted sites. I downloaded something called ie spyad that is supposed to have a few thousand known offending sites and adds them to your restricted list to protect you. Maybe I've gone a bit overboard lol. I will get rid of them and not reinstall that item.
     
Short URL to this thread: https://techguy.org/271281