How to resolve a hijack problem with HijackThis software

A two-part question:

The most pressing issue is that every time the user goes to IE, it opens a page entitled 'securitybulletin.net' with a bunch of apparently fake security warnings, even though his home page is msn.com.  I ran HijackThis and looked through the log, searching on part of that website name, thinking maybe I could find some registry entry I needed to change, or a file to delete, etc.

But I'm not finding anything obvious, so I need guidance on how to resolve this.

The background, which leads to my second question, is that this is an XP computer on a small office network that has been working fine for two years with no problems at all.  Yesterday he was on MSN Messenger with a guy for a few minutes, and all of a sudden he got blasted with all kinds of 'stuff'...fake warnings about spyware (complete with misspellings) telling him someone had invaded his computer, offers for all kinds of spyware and virus protection, and so many popups that he could not use his computer.

He was on XP SP1 at that time, with a current version of Trend Micro running.  I cleaned up quite a few viruses and purchased CounterSpy for him, which also found many problems and cleaned them up.  I also updated him to SP2 and applied all the updates.  And, with the exception of this seeming IE hijack, his problems seem to be solved.

But now he's asking me if it is possible that he could have gotten all this stuff on his computer just by having talked with someone on MSN Messenger.  Knowing little about that app, I couldn't tell him for sure.  So my question is whether it seems likely, or even possible, that he could have gotten all these problems as a result of using MSN Messenger, and whether there is anything specific to do or to avoid when using this program.
sasllc asked:

Will Szymkowski (Senior Solution Architect) commented:
Hello there,

You can input your log into the textbox at the following link. This will then tell you what is good and bad.

http://www.hijackthis.de/

Hope this helps
rpggamergirl commented:
A lot of viruses can crawl into your system through MSN Messenger, or any messenger for that matter, but especially MSN.
A person doesn't even have to chat; it's enough to click on a link that is displayed in his buddy list. Clicking on a link can install viruses onto his computer.

Let us look at his HijackThis log; it will show bad entries, especially the hijacked home page etc., and we can then tell you which entries to fix.

Copy and paste the hijackthis log at;
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
sasllc (author) commented:
Most everything on the analysis came back safe.  All I got is one unknown that it says is suspect:

 O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp    
Unknown   Entries found in this registry zone are potentially nasty. This application ([8d83b16e-0de1-452b-ac52-96ec0b34aa4b] - Result: ) has been checked. Hit rate: 0,00%
   Unknown application.

Does this mean anything?

Is there someplace in the registry that I can look that would somehow be holding this information, telling it to go this 'www.security.bulletin.net' every time?

I think at this point things are cleaned up to the point where the only problem I'm having is when I open a new IE page, it goes to that site, but as long as I keep that browser page open and key in other web addresses, I'm OK.  But if I open a new IE window, I get that same bogus address coming up automatically.

Anything else to try at this point?


rpggamergirl commented:
>>O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp <<

That entry above belongs to the SmitFraud family of infections.

Please download smitrem:
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in Safe Mode:

Open the "smitRem" folder, then double click the "RunThis.bat" file to start the tool. Follow the prompts on screen.  Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Restart your computer in normal mode.  
rpggamergirl commented:
>>Most everything on the analysis came back safe.  All I got is one unknown that it says is suspect:<<

Can we please look at the saved analysis? Personally I don't trust any automated analyzer because it always has false positives. Many times it says "Safe" about an entry that is totally malware. An automated analyzer is only as good as its database.

EE doesn't recommend posting HijackThis logs to the topic; that's why we ask askers to upload their logs somewhere else and just post the link.
Can we look at the saved analysis please?
sasllc (author) commented:
Where and how would I go about putting the log somewhere and providing a link to it?
rpggamergirl commented:
I'm terribly sorry I missed giving the link.

Paste your HijackThis log at http://www.rafb.net/paste/
then, at the bottom left corner, click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
sasllc (author) commented:
OK, here is the link to the analysis.  There are several 'unknowns' in here that are related to the Kaseya remote support program, which is perfectly legit...that's the program we use to connect remotely to our customers.

http://www.hijackthis.de/logfiles/7f4b0fe0df62e9e74eb0618d2f8c9fc6.html


And here is the link to the actual log:

http://www.rafb.net/paste/results/cyYc3q55.html


It will be later this afternoon before I can get on the customer's computer and try the smitrem cleanup.

rpggamergirl commented:
The only entry I could see that shouldn't be there is that same entry that you picked:
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp
That one points to SmitFraud, and smitrem should get rid of it.

If smitrem won't fix it, you might need to clear up trusted/restricted zones as well.
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the deldomains.inf file and select 'Install'

Let us know how it goes.
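As an added example, not code from the thread, from HijackThis or from smitrem, the script below does by hand what this thread did by eye: it parses the three kinds of HijackThis entries the discussion turned on, the R0/R1 start- and default-page values (all hives, not only the HKCU start page the user sees), O2 BHO lines such as the hp7981.tmp entry above, and the O15 Trusted/Restricted zone lines that the DelDomains.inf step wipes. The sample log is constructed (the hp7981.tmp BHO is the one from this thread; the securitybulletin.net lines model the symptom described; the Adobe and Spybot BHOs are typical XP-era entries). The expected-host list and the heuristics (a BHO loaded from a .tmp file, an unnamed BHO, a domain added to the Trusted zone) are my assumptions, not rules from HijackThis or hijackthis.de.

```python
"""Triage a HijackThis log for IE start-page hijacks (R0/R1), suspicious
Browser Helper Objects (O2) and Trusted/Restricted zone additions (O15)."""
import re
from urllib.parse import urlparse

# Assumption: the start page the user actually wants (msn.com in this thread)
# plus Microsoft's own default-page redirector (go.microsoft.com).
EXPECTED_HOSTS = {"msn.com", "microsoft.com"}

# HijackThis line shapes (hive\key,value = url / name - {CLSID} - path / zone: domain)
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\([^,]+),([^=]+) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O15_LINE = re.compile(r"^O15 - (Trusted|Restricted) Zone: (.*)$")


def host_of(url):
    """Return the lower-cased host of a start/search-page value, '' if it has none."""
    if url.lower().startswith("about:"):
        return ""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_expected(host, expected=EXPECTED_HOSTS):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in expected)


def triage(log_text, expected=EXPECTED_HOSTS):
    """Return (tag, severity, detail) tuples for the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            tag, hive, key, value, url = m.groups()
            host = host_of(url)
            if host and not is_expected(host, expected):
                findings.append((tag, "high", f"{hive}\\{key},{value.strip()} -> {host}"))
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            if path.lower().endswith(".tmp"):
                # A BHO is a DLL IE loads into every window; legitimate software
                # does not register one from a .tmp file in System32.
                findings.append(("O2", "high", f"{clsid} loads {path} (BHO from a .tmp file)"))
            elif name.strip().lower() in ("nothing", "(no name)"):
                # Unnamed BHOs deserve a look but prove nothing by themselves:
                # Spybot's SDHelper.dll registers without a name too.
                findings.append(("O2", "review", f"{clsid} loads {path} (unnamed BHO)"))
            continue
        m = O15_LINE.match(line)
        if m:
            zone, domain = m.groups()
            # A domain in the Trusted zone runs with lowered IE security settings.
            sev = "high" if zone == "Trusted" else "review"
            findings.append(("O15", sev, f"{domain} is in the {zone} zone"))
    return findings


# Constructed sample log (see the lead-in for which lines are modelled on what).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securitybulletin.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp7981.tmp
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.securitybulletin.net
"""

if __name__ == "__main__":
    for tag, sev, detail in triage(SAMPLE_LOG):
        print(f"{tag:<5}{sev:<8}{detail}")
```

The "review" severity exists for the reason rpggamergirl gives about automated analyzers: an unnamed BHO is a pattern shared by malware and by legitimate tools, so the script points at it without calling it bad. Replace `EXPECTED_HOSTS` with whatever the user's real home and search pages are before running it over a log from another machine.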