Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

got hijacked, need help plzzz

  • Please log in to reply
2 replies to this topic

#1 Guest_stevedella_*


  • Guests

Posted 14 November 2004 - 05:11 PM

how do i get rid of this hijacking? This is what the hijackthis progamme told me:

See attached file plz.

Attached Files

BC AdBot (Login to Remove)


#2 penmore


    Malware Sniffer

  • Members
  • 757 posts
  • Location:West Coast of Scotland

Posted 15 November 2004 - 03:49 AM

Hi stevedella,

I'll be helping you get rid of this infection but you need to do a couple of things first:

You are running HijackThis from your desktop and I need it to be running from its own folder so that HijackThis can make backups. Please put HijackThis into a permanent folder.
Full instructions on how to do this can be found here:Detailed Explanation
Brief instructions for this are:
  • To create a permanent folder:
  • Click My Computer, then C:\
  • In the menu bar, File->New->Folder.
  • That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
  • Now you have C:\HJT\ folder.
  • Put your HijackThis.exe there.
Now that you have HijackThis in its own folder I want you to run it again and copy and paste the contents of the log into a reply to this post. Please do not attach the log file to your reply.

#3 penmore


    Malware Sniffer

  • Members
  • 757 posts
  • Location:West Coast of Scotland
  • Local time:01:07 PM

Posted 15 November 2004 - 01:55 PM

Hi stevedella,

It is a good ideea to print or copy these instructions because you are not able to access the Internet in SafeMode.

1, Download CWShredder from here
After you download the program, unzip it into a directory. Don't use it yet.

2. Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

3. Download System Security Suite here:System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.

4. Download the Hoster from here. Unzip the program to your desktop. Don't use it yet.

5. Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.



6. Download KillBox here: KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.
Check if the c3h66no1i6br.dll is still there. If it is repeat step no.6. If not go to the next step.

7. Reboot into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\2E9I1P~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: c3h66no1i6br.dll
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\steve\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [kejfoyl] C:\WINDOWS\System32\ukrfnm.exe
O4 - HKCU\..\Run: [awo3RfJ8X] sccinv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Resource hog that launches common MS Office components to help speed up the launch of Office programs. There are doubts that there is any difference with it loaded.
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.ouchvideo.com/c8/svcmm32.cab

Close all other windows and browsers
, and press the Fix Checked button.

8. Search for these files and delete them if found:
C:\WINDOWS\System32\2E9I1P~1.DLL file name starts with 2E9I1P~1.DLL

9. Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

10. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds. When Ad-Aware has finished press the "Show Logfile" button, right click the "Results list" (log), save the log on your Desktop.

11. With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

12. Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

13. Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

14. Locate Hoster on your desktop, press Restore Original Hosts and press OK. Exit Program. This will restore the Hosts file.

15. You are behind on Windows updates and one of the infections you had is likely to have been caused by not being up-to-date. It is essential that you update your Windows as the infections could reoccur. Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing.

When its done you will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed.

16. Reboot your machine once you have finished the Windows updates.

17. Run HijackThis! again and post a new log. Attach also the Ad-Aware log (press the "Browse ..." button to attach a file to your message).

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users