Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help i've been Hijacked


  • Please log in to reply
6 replies to this topic

#1 Dory

Dory

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:The Top End
  • Local time:06:43 AM

Posted 04 December 2004 - 08:30 AM

cannot get rid of the kita-search.com web address as my homepage, could someone please check my log and advise me what to delete. Thanking you in advance.

Attached Files


Edited by Dory, 05 December 2004 - 01:23 AM.


BC AdBot (Login to Remove)

 


m

#2 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • OFFLINE
  •  
  • Local time:09:13 PM

Posted 04 December 2004 - 02:15 PM

Be glad to, would you like to post it? :thumbsup:
"Computers are useless. They can only give you answers." <span style='color:red'>Pablo Picasso</span>

#3 Dory

Dory
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:The Top End
  • Local time:06:43 AM

Posted 05 December 2004 - 01:27 AM

Thanks for the offer, i think i've posted the log (had to edit my msg). i am only new to this stuff so bare with me if im slow. I also continually get a security notice saying that C:\WINDOWS\system32\svchost.exe is trying to access the net, could this be related to nasties and should i block it? Thanks again.

Logfile of HijackThis v1.98.2
Scan saved at 1:55:38 PM, on 6/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\WINDOWS\System32\t7u73735l1yzozthd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\kononen\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\PFULNV~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINPROC AUDIT] C:\OEMCUST\TOOLS\WIN32\WINPROC.EXE C:\CABS\SCRIPTS\PROCESS\AUDIT.SCR C:\DRIVERS\PROCESS.TXT /TRACE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\t7u73735l1yzozthd.exe
O4 - HKLM\..\RunOnce: [KB840987] rundll32.exe apphelp.dll,ShimFlushCache
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32952F4-9EAC-4743-AE70-4BA410694E99}: NameServer = 192.189.54.26 192.189.54.37
O20 - AppInit_DLLs: tf6r6559c5rlu7l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Edited by Dory, 05 December 2004 - 11:32 PM.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:13 PM

Posted 16 December 2004 - 04:44 PM

Hi if you are still having a problem:

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log

#5 Dory

Dory
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:The Top End
  • Local time:06:43 AM

Posted 18 December 2004 - 08:03 PM

thanks for the offer, cryo already helped fix problem
we up dated windows xp ,highjackthis , spybot , adaware and spyblaster.
thanks anyway. :thumbsup:

#6 icyfire

icyfire

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 18 December 2004 - 08:17 PM

hi dory, i am facing the same problem - cannot change homepage. since u already solve the problem, can help me?

thanks

#7 Dory

Dory
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Location:The Top End
  • Local time:06:43 AM

Posted 19 December 2004 - 08:14 AM

hi icyfire, in reply to your request, i am not a pro when it comes to computers so i suggest that it be best if you post your own topic and wait for one of the HJT team to answer it. it may take a little time but usually they are pretty quick at helping.
down load Hijackthis and copy and paste it in your topic so that whom ever respond can help you straight away.

If you can't wait, the topic i posted that has all the problem solving in it was posted on the 8th Dec @ 915pm "Help...i've been hijacked" it is now a locked topic but you may be able to read it if you can find it.
we had to upgrade our Windows XP which helped, downloaded ad-aware and spybot, plus killbox and AVG Antivirus.

but i think the best would be as previously suggested and post your own topic as each log maybe different and require a different solution.

in the mean time you might want to read the topics posted by the team on computer security. :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users