Sponsor for PC Pals Forum

Author Topic: Been Hijacked  (Read 865 times)

Offline spooner

  • Regular Member
  • **
  • Posts: 61
Been Hijacked
« on: April 23, 2004, 18:16 »
hi guys,
been hijacked, this is the log, can anybody tell me what to delete as i`ve not got a clue  :-\
cheers
Logfile of HijackThis v1.97.7
Scan saved at 18:10:26, on 23/04/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\SiSAudUt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\msreg.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Sue`s Documents\ovucal.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\WINDOWS\System32\devldr32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\svchostc.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Simon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?seojz (obfuscated)
sed all my sick, t`morra i`m ringing in dead !

Offline TR

  • Forum Fanatic
  • ******
  • Posts: 7150
Re:Been Hijacked
« Reply #1 on: April 23, 2004, 18:23 »
Spooner hi.

All the HJL is not there it should read down to 16, try cut n pasting it all again please.

Hookstar

Offline Simon

  • Administrator
  • *****
  • Posts: 77940
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Been Hijacked
« Reply #2 on: April 23, 2004, 18:24 »
I think C:\WINDOWS\System32\sistray.EXE is definitely one to remove (Google it and see for yourself), and these two look suspect as well:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?seojz (obfuscated)


Before you do anything else, have you tried running Ad Aware and Spybot in Safe Mode, with System Restore temporarily disabled?  They might just do the job for you.  Make sure you update them first (before you go into safe mode!), then install Spyware Blaster, when your system is clean and it should prevent further infestations, providing you keep it updated regularly.  Make sure you back up anything you 'fix' with Hijack This, in case you need to revert it, and as Hookstar said, it would be best of you posted the whole log, as there may be other stuff we can't see.

Ad Aware
Spybot S&D
Spyware Blaster
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline spooner

  • Regular Member
  • **
  • Posts: 61
Re:Been Hijacked
« Reply #3 on: April 23, 2004, 18:27 »
thx chaps, off to work now, will try tmorra and let you know how i get on

cheers
sed all my sick, t`morra i`m ringing in dead !


Show unread posts since last visit.
Sponsor for PC Pals Forum