How to resolve a hijack problem with HijackThis software

Posted on 2006-04-18
Last Modified: 2010-04-11
A two part question:

The most pressing issue is that every time the user goes to IE, it opens a page entitled 'securitybulletin.net' with a bunch of apparently fake security warnings, even though his home page is msn.com. I ran HijackThis and looked through the log, searching on part of that website name, thinking maybe I could find some registry entry I needed to change, or a file to delete, etc.

But I'm not finding anything obvious, so I need guidance on how to resolve this.

The background, that leads to my second question, is that this is an XP computer on a small office network that has been working fine for two years with no problems at all.  Yesterday he was on msn messenger with a guy for a few minutes, and all of a sudden he got blasted with all kinds of 'stuff'...fake warnings about spyware (complete with misspellings) telling him someone had invaded his computer, offers for all kinds of spyware and virus protection, and so many popups that he could not use his computer.

He was on XP SP1 at that time, with a current version of Trend Micro running. I cleaned up quite a few viruses and purchased CounterSpy for him, which also found many problems and cleaned them up. I also updated him to SP2 and applied all the updates. And, with the exception of this seeming IE hijack, his problems seem to be solved.

But now he's asking me if it is possible that he could have gotten all this stuff on his computer just by having talked with someone on MSN Messenger. Knowing little about that app, I couldn't tell him for sure. So my question is whether it seems likely or even possible that he could have gotten all these problems as a result of using MSN Messenger, and whether there is anything specific to do or to avoid when using this program.
Question by:sasllc

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 200 total points
ID: 16477843
Hello there,

You can input your log into the textbox at the following link. This will then tell you what is good and bad.

http://www.hijackthis.de/

Hope this helps

Expert Comment

by:rpggamergirl
ID: 16478133
A lot of viruses can crawl into your system by using MSN Messenger, or any messenger for that matter, but especially MSN.
A person doesn't even have to chat; just clicking on a link that is displayed in his buddy list can install viruses on his computer.

Let us look at his HijackThis log; it will show bad entries, especially the hijacked homepage etc., and we can then tell you which entries to fix.

Copy and paste the HijackThis log at:
http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.

Author Comment

by:sasllc
ID: 16478419
Most everything on the analysis came back safe. All I got is one unknown that it says is suspect:

O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp
Unknown   Entries found in this registry zone are potentially nasty. This application ([8d83b16e-0de1-452b-ac52-96ec0b34aa4b] - Result: ) has been checked. Hit rate: 0,00%
Unknown application.

Does this mean anything?

Is there someplace in the registry that I can look that would somehow be holding this information, telling it to go to this 'www.security.bulletin.net' every time?

I think at this point things are cleaned up to the point where the only problem I'm having is when I open a new IE page, it goes to that site, but as long as I keep that browser page open and key in other web addresses, I'm OK. But if I open a new IE window, I get that same bogus address coming up automatically.

Anything else to try at this point?


Accepted Solution

by:rpggamergirl
rpggamergirl earned 1800 total points
ID: 16478508
>>O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp <<

That entry above belongs to the Smitfraud family of infections.

Please download smitrem:
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in Safe Mode:

Open the "smitRem" folder, then double click the "RunThis.bat" file to start the tool. Follow the prompts on screen.  Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Restart your computer in normal mode.  

Expert Comment

by:rpggamergirl
ID: 16478569
>>Most everything on the analysis came back safe.  All I got is on unknown that it says is suspect:<<

Can we please look at the saved analysis? Personally I don't trust any automated analyzer, because it always has false positives. Many times it says "Safe" to an entry that is totally malware. An automated analyzer is only as good as its database.

EE doesn't recommend posting HijackThis logs to the topic; that's why we ask Askers to upload their logs somewhere else and just post the link.
Can we look at the saved analysis please?
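An added example, not part of this thread: a small Python review of HijackThis log lines that applies the kind of manual checks rpggamergirl argues for instead of trusting an analyzer's database (a BHO with no display name loaded from a .tmp file, and a Start Page that does not match the home page the user set). The O2 entry is the one quoted above; the R0/R1 start-page lines and the benign second BHO are constructed, and the regexes assume the standard HijackThis O2 and R0/R1 line layouts.

```python
import re
from urllib.parse import urlparse
# Constructed sample log: the O2 line is the entry quoted in the thread; the R0/R1
# lines (hijacked Start Page beside the msn.com page the user set) and the benign
# second BHO are constructed for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.securitybulletin.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

# HijackThis layouts: "O2 - BHO: <name> - {<CLSID>} - <path>" and
# "R0 - <registry key>,<value name> = <url>" (R1 has the same shape).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$")
START_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>\S+)")
NAMELESS = {"", "nothing", "(no name)"}  # what HijackThis prints for an unnamed BHO

def review_bho(line):
    """Reasons an O2 line looks suspicious; [] if it looks like a normal BHO."""
    m = BHO_RE.match(line)
    if not m:
        return []
    name, path = m["name"].strip().lower(), m["path"].lower()
    reasons = []
    if name in NAMELESS:
        reasons.append("BHO registered without a display name")
    if path.endswith(".tmp"):
        reasons.append("BHO loaded from a .tmp file instead of a .dll/.ocx")
    return reasons

def review_start_page(line, expected_hosts):
    """Flag an R0/R1 line whose URL host is not a home page the user actually set."""
    m = START_RE.match(line)
    if not m:
        return []
    host = (urlparse(m["url"]).hostname or "").lower()
    if host in expected_hosts:
        return []
    return [f"{m['value'].strip()} points at {host}, not the expected home page"]

def review_log(text, expected_hosts=frozenset({"msn.com", "www.msn.com"})):
    """Map each flagged log line to the reasons it was flagged (a dict)."""
    findings = {}
    for line in text.splitlines():
        reasons = review_bho(line) + review_start_page(line, expected_hosts)
        if reasons:
            findings[line] = reasons
    return findings
```

Running `review_log(SAMPLE_LOG)` flags exactly the hp7981.tmp BHO (two reasons) and the securitybulletin.net Start Page, while the msn.com entry and the named .dll BHO pass.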

Author Comment

by:sasllc
ID: 16478646
Where and how would I go about putting the log somewhere and providing a link to it?

Expert Comment

by:rpggamergirl
ID: 16478741
I'm terribly sorry for failing to give the link.

Paste your HijackThis log at http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.

Author Comment

by:sasllc
ID: 16478839
OK, here is the link to the analysis.  There are several 'unknowns' in here that are related to the Kaseya remote support program, which is perfectly legit...that's the program we use to connect remotely to our customers.

http://www.hijackthis.de/logfiles/7f4b0fe0df62e9e74eb0618d2f8c9fc6.html


And here is the link to the actual log:

http://www.rafb.net/paste/results/cyYc3q55.html


It will be later this afternoon before I can get on the customer's computer and try the smitrem cleanup.


Expert Comment

by:rpggamergirl
ID: 16482857
The only entry I could see that shouldn't be there is that same entry that you picked:
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp
That one points to Smitfraud, and smitrem should get rid of it.

If smitrem won't fix it, you might need to clear up trusted/restricted zones as well.
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the deldomains.inf file and select 'Install'.

Let us know how it goes.