Looking for specific911 hijack "get me back to normal" help



#1 shawnf

Posted 16 August 2005 - 06:40 PM

Ok, so hi! Well, my name is Shawn and I got a problem.

A few days ago, my IE got hijacked. The target was specific911.com. Things are mostly back to normal now (thanks to the many guides here) but I still have a few issues to clear up. What's the best forum in which to address this?

Windows 2000 Pro.
IE 6 SP1

Pretty much plain vanilla. Simple network, hardware firewall/router and that's about it. IIS is serving a web & ftp site if that makes any difference.
-SHAWN-


#2 shawnf


Posted 17 August 2005 - 10:30 AM

Ok, we're here. Thank you -- whoever you are.

Now, specifics.

The original agent was a script. I unwisely said it was ok to run it before I got skeptical about the address.

SYMPTOMS:
Desktop instantly got plastered with porn.
Trying to launch nearly anything at all caused browser to open to specific911.com

WHAT I HAVE DONE SO FAR:
Rebooted to Safe Mode, Command Prompt Only.
CD to WINNT
start regedit
Search for and delete all references to specific911
Checked Run, RunOnce, RunServices and RunServicesOnce, nothing found.
Rebooted to Safe Mode
Ran Ad-Aware, removed all new critical objects.
Ran HijackThis, no malware found. Three prevention policies removed.
Disconnected Internet pipe, rebooted normally.
Problem still existed, but this time browser first tried to DNS "Dimattic.com"
Reran HijackThis, found winsys.hta - deleted it.
Reran Ad-Aware, nothing found.
Rebooted normally, opened browser and hit Stop right away. Changed start page to about:blank. Reconnected pipe and rebooted. No more incidents of hijack.
Deleted nasty desktop items, cleaned up favorites, checked for bogus toolbars - none found.

RESIDUAL PROBLEMS:
Start-Run produces error message: "The Internet Shortcut cannot be run because failed to run." (That's a blank there between 'because' and 'failed').

Right clicking a "special" desktop icon (i.e. computer, network, explorer) and selecting Properties produces error message: "Cannot find the file 'rundll32.exe' (or one of it's components). Make sure the path and filename are correct and all required libraries are available." Rundll is in its usual location, the path looks good to me and I can't imagine what libraries it's talking about. Depends shows no external dependencies apart from the usual (which btw are all there).

Double clicking a folder shortcut on the desktop opens a default instance of Windows Explorer, not the target of the shortcut.

From Control Panel, Add Remove programs, cannot switch to "Add or Remove Windows Components".

FURTHER ACTIONS:
Reinstalled Internet Explorer SP1, reinstalled all patches. Problem still exists.

So, that's just about the whole story in a nutshell. I don't think there are any other lingering problems, but it's only been a day or two. I haven't noticed anything else. I *have* used most of the software that I consider "critical" and found it in working order. I would much rather fix these issues than wipe the whole thing out and reload everything. It takes a couple weeks to get everything tweaked right.

I do run a web site also. It's served by IIS 5. I use PHP 4.3.9 and MySQL 4.1.7. None of its functionality was affected.

TIA for any advice or solutions.
-SHAWN-

#3 shawnf


Posted 18 August 2005 - 08:52 AM

Man, don't everybody jump in all at once, K?

FURTHER ACTIONS:
Found that all registry references to Internet Explorer had been changed to 8.3 names and this was causing problems launching Internet shortcuts. Changed 'em back and that much is better now, but the major problems still exist.

Another symptom. My Platform SDK doesn't work any more. Well, it works but there's nothing in the contents and the index only lists some general purpose dotNET info. Previously I had nearly everything in there. This particular failure is absolutely unacceptable. I reinstalled it but that didn't help. Since when does reinstalling something not fix it?

This is the killer. If somebody doesn't come up with some kind of clue it's getting wiped. I'd rather spend a week tweaking than just do without the PSDK.
-SHAWN-
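
Added example, not part of the original posts: the manual registry review described in posts #2 and #3 (searching for the hijacker's names, checking the Run, RunOnce, RunServices and RunServicesOnce keys, and spotting values rewritten to 8.3 short names), scripted in Python over a regedit text export. The sample export, its key paths and the `ExampleTray` entry are constructed for illustration; only the three indicator strings come from the thread.

```python
import re

# Constructed REGEDIT4 export (regedit's text format); all sample values are illustrative.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsys"="C:\\WINNT\\winsys.hta"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://specific911.com/"
[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\PROGRA~1\\INTERN~1\\iexplore.exe\" %1"
'''

AUTOSTART = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$', re.I)
INDICATORS = ('specific911', 'dimattic.com', 'winsys.hta')  # names quoted in the thread
SHORT_NAME = re.compile(r'\\[^\\\s"]{1,6}~\d')  # 8.3 path component, e.g. \PROGRA~1
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(s):  # strip surrounding quotes and undo .reg backslash escaping
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s  # dword:/hex: data is left as exported

def parse_reg(text):
    """Yield (key, value_name, data) for each value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(1))
            yield key, name, unescape(m.group(2))

def triage(text):
    """Return (reason, key, value_name, data) for each value worth a look."""
    findings = []
    for key, name, data in parse_reg(text):
        if any(i in data.lower() for i in INDICATORS):
            findings.append(('indicator', key, name, data))
        elif AUTOSTART.search(key):
            findings.append(('autostart-review', key, name, data))
        if SHORT_NAME.search(data):
            findings.append(('short-name', key, name, data))
    return findings

if __name__ == '__main__':
    print('\n'.join('%-16s %s | %s = %s' % f for f in triage(SAMPLE_EXPORT)))
```

Entries tagged `autostart-review` are not verdicts; they list every remaining autostart value so each one can be checked by hand, the same way the Run keys were checked in the thread.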



