Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijacked;


  • This topic is locked This topic is locked

#1
odd

odd

    New Member

  • Member
  • Pip
  • 2 posts
I seem to hijacked by

http://www.rcdaztuiu...6fb0rc62Vg.html

(always changing content of this string)

The following Hijcakthisreport is generated:

Logfile of HijackThis v1.97.7
Scan saved at 23:02:24, on 15.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Anne Gunhild\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rcdaztuiu...6fb0rc62Vg.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\TEMP\My Documents\My Pictures\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab

Can anybody help?
  • 0

Advertisements


#2
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Welcome to GTG odd <_<

You may wish to print out a copy of these instructions to follow while you complete this procedure. Please move Hijack This to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files, and remove the following:

C:\Documents and Settings\TEMP\My Documents\My Pictures\MsgPlus.exe

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rcdaztuiu...6fb0rc62Vg.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\TEMP\My Documents\My Pictures\MsgPlus.exe" /WinStart

If you don't use MSN/Windows Messenger, fix these too:

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background <- MSN Messneger
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background <- Windows Messenger

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. :D
  • 0

#3
odd

odd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
The result is the following log. To of the 3 "suspected" lines are still in place? Is this OK?

Logfile of HijackThis v1.97.7
Scan saved at 12:28:56, on 16.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Anne Gunhild\Desktop\HijackThis.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rcdaztuiu...6fb0rc62Vg.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab

Best regards
Odd
  • 0

#4
Yarnouth

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Congratulations! Your system is CLEAN <_<

You need an update Windows Service Pack 2
Link to Microsoft Update:
http://www.microsoft...&displaylang=en

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
Link to SpywareBlaster: http://www.geekstogo...tion=show&id=12

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :D
  • 0

#5
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
After installling SpywareBlaster, fix these lines in HJT:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.rcdaztuiu...6fb0rc62Vg.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

Restart, then post back with a new log. <_<
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP