sasllc asked:
How to resolve a hijack problem with hijackthis software

A two part question:

The most pressing issue is that every time the user goes to IE, it opens a page entitled 'securitybulletin.net' with a bunch of apparently fake security warnings, even though his home page is msn.com.  I ran HijackThis and looked through the log, searching on part of that website name, thinking maybe I could find some registry entry I needed to change, or a file to delete, etc.

But I'm not finding anything obvious, so I need guidance on how to resolve this.

The background, that leads to my second question, is that this is an XP computer on a small office network that has been working fine for two years with no problems at all.  Yesterday he was on msn messenger with a guy for a few minutes, and all of a sudden he got blasted with all kinds of 'stuff'...fake warnings about spyware (complete with misspellings) telling him someone had invaded his computer, offers for all kinds of spyware and virus protection, and so many popups that he could not use his computer.

He was on XP SP1 at that time, with a current version of Trend Micro running.  I cleaned up quite a few viruses, and purchased CounterSpy for him, which also found many problems and cleaned them up.  I also updated him to SP2 and applied all the updates.  And, with the exception of this seeming IE hijack, his problems seem to be solved.

But now he's asking me if it is possible that he could have gotten all this stuff on his computer just by having talked with someone on msn messenger.  Knowing little about that app, I couldn't tell him for sure.  So my question is whether it seems likely or even possible that he could have gotten all these problems as a result of using msn messenger--and is there anything specific to do or to avoid when using this program.
SOLUTION
Will Szymkowski
A lot of viruses can crawl into your system by using MSN Messenger, or any messenger for that matter, but especially MSN.
A person doesn't even have to chat; just clicking on a link that is displayed in his buddy list can install viruses on his computer.

Let us look at his HijackThis log. It will show bad entries, especially the hijacked homepage etc., and we can then tell you which entries to fix.

Copy and paste the HijackThis log at:
http://www.hijackthis.de/
and click "Analyse", then click "Save".  Post the link to the saved list here.

ASKER

Most everything on the analysis came back safe.  All I got is one unknown that it says is suspect:

 O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp    
Unknown   Entries found in this registry zone are potentially nasty. This application ([8d83b16e-0de1-452b-ac52-96ec0b34aa4b] - Result: ) has been checked. Hit rate: 0,00%
   Unknown application.

Does this mean anything?

Is there someplace in the registry that I can look that would somehow be holding this information, telling it to go this 'www.security.bulletin.net' every time?

I think at this point things are cleaned up to the point where the only problem I'm having is when I open a new IE page, it goes to that site, but as long as I keep that browser page open, and key in other web addresses, I'm OK.  But if I open a new IE window, I get that same bogus address coming up automatically.

Anything else to try at this point?
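The registry locations the asker is looking for are the BHO list (what HijackThis reports as O2 entries) and the IE start page values. The following read-only audit script is an added example, not code posted in this thread; it assumes PowerShell 3 or later on the affected machine, and takes the expected home page (msn.com, as stated above) as a parameter so anything else registered as a start page is reported.

```powershell
# Added audit script, not from the thread. Read-only: it lists the BHO (O2)
# registrations and the IE start page keys so suspicious items can be reviewed
# before any removal. Assumes PowerShell 3+ on the affected machine; the default
# for $ExpectedHome comes from the thread (the user's real home page was msn.com).
param([string]$ExpectedHome = 'msn.com')

# IE loads every CLSID registered here as a DLL at startup (32- and 64-bit views).
$BhoRoots = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoReport {
  foreach ($root in $BhoRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
      $clsid = $_.PSChildName
      $key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
      # HijackThis prints "BHO: Nothing" when the CLSID key has no default name.
      $name  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
      $dll   = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
      $flags = @()
      if (-not $name) { $flags += 'no-name' }
      if (-not $dll)  { $flags += 'no-dll' }
      elseif ($dll -match '\.tmp$') { $flags += 'tmp-extension' }   # e.g. hp7981.tmp in the log above
      elseif (-not (Test-Path -LiteralPath $dll)) { $flags += 'file-missing' }
      elseif ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') { $flags += 'unsigned' }
      [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Flags = ($flags -join ',') }
    }
  }
}

# Start/default page values live under HKCU and HKLM ...\Internet Explorer\Main.
function Get-StartPageReport {
  foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                   'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($v in 'Start Page', 'Default_Page_URL', 'Local Page', 'Search Page') {
      $url = $p.$v
      # Report anything that is neither the expected home page nor a Microsoft default.
      if ($url -and $url -notmatch ([regex]::Escape($ExpectedHome)) -and $url -notmatch 'microsoft\.com') {
        [pscustomobject]@{ Key = $key; Value = $v; Url = $url }
      }
    }
  }
}

Get-BhoReport       | Format-Table -AutoSize
Get-StartPageReport | Format-Table -AutoSize
```

A BHO flagged `no-name` and `tmp-extension` matches the shape of the O2 line quoted above; the script only reports, so the entry can be cross-checked against the HijackThis log before anything is removed.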

ASKER CERTIFIED SOLUTION
>>Most everything on the analysis came back safe.  All I got is on unknown that it says is suspect:<<

Can we please look at the saved analysis? Personally I don't trust any automated analyzer, because it always has false positives. Many times it says "Safe" for an entry that is totally malware. An automated analyzer is only as good as its database.

EE doesn't recommend posting HijackThis logs in the topic; that's why we ask Askers to upload their logs somewhere else and just post the link.
Can we look at the saved analysis please?

ASKER

Where and how would I go about putting the log somewhere and providing a link to it?

I'm terribly sorry for missing to give the link.

Paste your HijackThis log at http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", then click "Save".  Post the link to the saved list here.

ASKER

OK, here is the link to the analysis.  There are several 'unknowns' in here that are related to the Kaseya remote support program, which is perfectly legit...that's the program we use to connect remotely to our customers.

http://www.hijackthis.de/logfiles/7f4b0fe0df62e9e74eb0618d2f8c9fc6.html


And here is the link to the actual log:

http://www.rafb.net/paste/results/cyYc3q55.html


It will be later this afternoon before I can get on the customer's computer and try the smitrem cleanup.

The only entry I could see that shouldn't be there is that same entry that you picked:
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp
That one points to SmitFraud, and smitrem should get rid of it.

If smitrem won't fix it, you might need to clear up trusted/restricted zones as well.
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the deldomains.inf file and select 'Install'

Let us know how it goes.