Old 02 February 2007, 16:51   #1
Member
 
Country: Ireland
Town: Cork
Boat name: Dalesman
Make: Excalibur 6.8
Length: 6m +
Engine: Merc 1.7 diesel
Join Date: Feb 2004
Posts: 167
HELP! I'm Infected!

Any computer buffs out there? My homepage has been hijacked by the page
allsecuritynotes.com/ complete with a bogus Microsoft pop-up to download (not). Tried changing the homepage in the browser... no good, cleared temp internet files, ran AdAware, ran AVG Anti-Virus and McAfee Anti-Virus. All coming up clear. The pesky beast is in there somewhere! How do I get it out? Suggestions please.
__________________
Wise men have something to say
Fools have to say something - Cicero
Cork Rib
Old 02 February 2007, 18:42   #2
RIBnet admin team
 
Country: UK - Scotland
Boat name: imposter
Make: FunYak
Length: 3m +
Engine: 2 stroke YAM 20 HP
MMSI: 235089819
Join Date: Sep 2005
Posts: 10,114
You really need to work out what is causing it. Sometimes you can do this by quoting exactly what the fake dialogue box / webpage is saying in Google (inside " "). If you look in Task Manager you can also search Google for any applications you aren't sure about and see if one of them is known to be a problem.

You could try Panda ActiveScan; it's free to run a system check, and will spot viruses and spyware stuff. The free version will remove most viruses but not spyware. The spyware upgrade is relatively cheap, and worked for me a year ago with a similar "hijacked" home page etc.

But it's tricky...
__________________
Poly
Old 02 February 2007, 19:20   #3
RIBnet admin team
 
Country: UK - England
Town: The wilds of Wiltshire
Boat name: WhiteNoise/Dominator
Make: Ballistic 7.8/SR5.4
Length: 7m +
Engine: Opti 225/Yam 85
MMSI: 235090687/235055163
Join Date: Jul 2005
Posts: 12,645
RIBase
Download HijackThis from Here

Run a scan of your PC with it and copy/paste the results in here. I should be able to tell you what to delete to get rid of the browser hijacker.
__________________
Need spares, consoles, consumables, hire, training or even a new boat?

Please click HERE and HERE and support our Trade Members.

Join up as a Trade member or Supporter HERE
Nos4r2
Old 02 February 2007, 20:12   #4
Member
 
Country: UK - Wales
Town: swansea
Boat name: Too Blue
Make: BLANK
Length: 8m +
Engine: Suzuki DT225
Join Date: Mar 2004
Posts: 12,791
Try Spybot and use Firefox instead of IE - both free - quicker and easier than trying to find the cause.

http://www.download.com/3000-8022-10122137.html
__________________
codprawn
Old 02 February 2007, 20:19   #5
RIBnet admin team
 
Country: UK - England
Town: The wilds of Wiltshire
Boat name: WhiteNoise/Dominator
Make: Ballistic 7.8/SR5.4
Length: 7m +
Engine: Opti 225/Yam 85
MMSI: 235090687/235055163
Join Date: Jul 2005
Posts: 12,645
RIBase
Quote:
Originally Posted by codprawn View Post
Try Spybot and use Firefox instead of IE - both free - quicker and easier than trying to find the cause.

http://www.download.com/3000-8022-10122137.html
Spybot actually seems to be toothless with this one (it's usually really good).
__________________
Nos4r2
Old 03 February 2007, 07:33   #6
Member
 
Country: Ireland
Town: Cork
Boat name: Dalesman
Make: Excalibur 6.8
Length: 6m +
Engine: Merc 1.7 diesel
Join Date: Feb 2004
Posts: 167
I've done a system restore to a week ago and everything seems fine now. Is it still in there, or has system restore cleared it out? Ad-Aware has gone, for example (loaded yesterday). Or do I need to do more?

Jon
__________________
Cork Rib
Old 03 February 2007, 09:48   #7
RIBnet admin team
 
Country: UK - Scotland
Boat name: imposter
Make: FunYak
Length: 3m +
Engine: 2 stroke YAM 20 HP
MMSI: 235089819
Join Date: Sep 2005
Posts: 10,114
Quote:
Originally Posted by Cork Rib View Post
I've done a system restore to a week ago and everything seems fine now. Is it still in there, or has system restore cleared it out? Ad-Aware has gone, for example (loaded yesterday). Or do I need to do more?

Jon
Depends when you caught the "infection" - it might have been sitting dormant for a while anyway. I suspect the files will also still be on your drive somewhere (even if they aren't causing a problem).

Make sure you do a full virus / spyware scan etc.
__________________
Poly
Old 03 February 2007, 10:09   #8
Member
 
Country: UK - England
Town: Gosport
Boat name: April Lass
Make: Moody 31
Length: 9m +
Join Date: Aug 2001
Posts: 4,850
As Matt said, I really would run HijackThis to see what's running. Post the list of apps running. Once sorted, download the free version of AVG and the ZoneAlarm firewall and that should keep you safe, but you need to be certain you have a clean PC as a first step.

http://www.zonelabs.com/store/conten...try=US&lang=en

Pete
__________________
.
Ribnet is best viewed on a computer of some sort
Pete7
Old 03 February 2007, 11:02   #9
Member
 
Country: UK - Scotland
Make: Ribcraft
Length: 5m +
Engine: 90hp
Join Date: Aug 2006
Posts: 380
Have a look at this:

http://www.spynomore.com/aprotectedpage-com.htm. It may help, although I am not familiar with this software!

Some trojans / spyware / viruses are very clever at hiding themselves in caches and even though you appear to have deleted them, they come back. I recall working on one machine where I think I had to delete the Windows restore points and disable drive indexing before the trojan was eventually removed.

Good advice on ZoneAlarm, Firefox and Spybot. You can run a TSR in Spybot, by the way, so it continually monitors your PC (can't check what you have to do to enable this as I had to remove Spybot before installing Norton IS).

Good luck!
__________________
al40
Old 03 February 2007, 13:17   #10
Member
 
Country: Ireland
Town: Cork
Boat name: Dalesman
Make: Excalibur 6.8
Length: 6m +
Engine: Merc 1.7 diesel
Join Date: Feb 2004
Posts: 167
OK... here is the log from Hijack... load of gobbledegook to me though.

Logfile of HijackThis v1.99.1
Scan saved at 18:12:53, on 03/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\DOCUME~1\JONMAT~1\LOCALS~1\Temp\clclean.0001
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JONMAT~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/de...=ie&l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/de...=ie&l=en&s=gen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F 2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JONMAT~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1156605033833
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
__________________
Cork Rib
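The reply asking for the HijackThis output, and the log itself, boil down to the same triage question: which processes and autostart entries deserve a second look? The Python below is an added example, not code from the thread or from HijackThis. It parses the v1.99 log layout shown above (header lines, the "Running processes:" list, then the R/O numbered entries) and applies two review heuristics that a defender would apply to this kind of log by hand: anything loading from a temporary directory, and any Run entry that names a bare file instead of a full path (so Windows resolves it through the search path). The flagged lines are review candidates, not verdicts; the installer clean-up stubs and the HijackThis binary that was itself run from Temp in the full log would be flagged the same way. The sample log is a constructed excerpt of the log posted above; the section codes, regexes and finding labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the HijackThis v1.99.1 log posted in the
# thread, trimmed to a few lines per section but keeping the exact line layout.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 18:12:53, on 03/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\DOCUME~1\JONMAT~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JONMAT~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O4 - HKLM\..\Run: ..."
HEADER_RE = re.compile(r"^(Platform|MSIE): (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # O4 registry Run entries
# A drive-letter path up to the first executable-style extension (quotes excluded).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat|cmd))', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)       # ...\LOCALS~1\Temp\... and similar


@dataclass
class ParsedLog:
    header: dict = field(default_factory=dict)
    processes: list = field(default_factory=list)   # full paths from "Running processes:"
    entries: list = field(default_factory=list)     # (section code, entry body)


@dataclass
class Finding:
    section: str   # "process" or the HijackThis section code (O4, O23, ...)
    item: str
    reason: str    # heuristic label: a reason to review, not a verdict


def parse_log(text):
    parsed = ParsedLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            parsed.entries.append((m.group(1), m.group(2)))
        elif in_processes:
            parsed.processes.append(line)
        else:
            h = HEADER_RE.match(line)
            if h:
                parsed.header[h.group(1)] = h.group(2)
    return parsed


def start_pages(text):
    """Start/search page URLs (R0/R1 lines) so they can be compared with what the user expects."""
    return [body.split(" = ", 1)[1]
            for sec, body in parse_log(text).entries
            if sec in ("R0", "R1") and " = " in body]


def triage(text):
    parsed = parse_log(text)
    findings = []
    for proc in parsed.processes:
        if TEMP_RE.search(proc):
            findings.append(Finding("process", proc, "runs from a temporary directory"))
    for section, body in parsed.entries:
        m = RUN_RE.match(body) if section == "O4" else None   # Global Startup .lnk lines are not resolved here
        target = m.group(3) if m else body
        label = f"[{m.group(2)}] {target}" if m else body
        paths = PATH_RE.findall(target)
        if m and not paths:
            findings.append(Finding(section, label, "no full path; resolved through the search path at logon"))
        for p in paths:
            if TEMP_RE.search(p):
                findings.append(Finding(section, label, "loads from a temporary directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8} {f.reason:55} {f.item}")
```

Run against the full log in the thread, the same two heuristics would also list HijackThis.exe itself (unzipped into Temp) and the bare `stsystra.exe` and `Rundll32 CTMBHA.DLL,MBMon` entries, which is the point: the output is a short list to confirm one by one (publisher, file location, whether the entry is recognised), not an automatic delete list.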
Copyright 2002- Social Knowledge, LLC All Rights Reserved.
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.