RetouchPRO

I just been hijaaked.

#11  08-29-2008, 10:13 AM
Gary Richardson, Senior Member (Join Date: Mar 2004; Location: Yorkshire, England; Posts: 2,717)
Re: I just been hijaaked.

If you want to run a HijackThis scan I'll be happy to look it over for you to see if there's anything lurking that shouldn't be there.

Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
  • Don't use the Analyse This button; its findings are dangerous if misinterpreted.
  • Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Working on the basis that most keyloggers/backdoors are now rootkitted, it might be as well to run a rootkit scan too; GMER is the most thorough.

Download GMER and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site
  • Disconnect from the Internet, and close all running programmes.
  • There is a small chance this programme may crash your computer, so save any work you have open.
  • Open the GMER folder, and double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
  • If no warning:
    • Click Rootkit tab.
    • Ensure that All the boxes to the right of the program are checked except Show All.
    • Click Scan.
  • Do not use your computer while the scan is running.
  • Once scan is finished click Copy.
    • Click Start > Run then type Notepad.exe then click OK.
    • This will open a Notepad file.
    • Hit Ctrl+V to paste log into it.
    • Save the log to your Desktop.
  • Reconnect to internet and post the log please.

If you're running Vista, don't run the GMER scan; I'm not sure at this point whether it's been updated to run on Vista.

To run HJT on Vista you need to right-click on it and select Run as Administrator.
#12  08-29-2008, 01:07 PM
lkroll, Senior Member, Patron (Join Date: Jan 2005; Location: Alabama; Posts: 4,746)
Re: I just been hijaaked.

Thanks Gary; use this gem almost daily, but never ran it on my own machine. lol

I took a look and see no surprises, but I will PM you the result. Thanks for your concern.
#13  08-29-2008, 04:41 PM
Gary Richardson, Senior Member (Join Date: Mar 2004; Location: Yorkshire, England; Posts: 2,717)
Re: I just been hijaaked.

You're welcome; probably nothing on your machine, but always best to be sure.
#14  08-30-2008, 02:54 AM
lkroll, Senior Member, Patron (Join Date: Jan 2005; Location: Alabama; Posts: 4,746)
Re: I just been hijaaked.

Just PMed you again Gary; if you do think I have an issue, then I don't mind at all that you post it here. Forgot to mention too that I already know about the issues with Daemon Tools, but I am using the last known version that doesn't come packaged with spyware (I like using virtual CD-ROMs for some of the games that I occasionally play).
#15  08-30-2008, 10:37 AM
Gary Richardson, Senior Member (Join Date: Mar 2004; Location: Yorkshire, England; Posts: 2,717)
Re: I just been hijaaked.

Hi Lyle,

OK, there are signs in your log that you have had an infection, and therefore it's important that we ensure it's been totally removed.

First

We need to disable Spybot S&D Teatimer as it will interfere with what we need to do.

To disable Spybot S&D TeaTimer

First step:
  • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • Right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
Second step:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Next

Run a scan with HJT and when finished check the following items (if found).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Now close all open windows and click Fix Checked to remove them.

I can't find any information on this item. If you know what it is and you installed it, no problem; otherwise add it to the list of items to be removed with HJT.

O8 - Extra context menu item: &Compress Image Using Image Compressor 2008 - C:\Program Files\MasRizal\IMC2008\imcieex_compress.html

The following entry was placed by Spybot S&D when it "fixed" a DNS attack on your computer.

O17 - HKLM\System\CCS\Services\Tcpip\..\{5AF898C4-6516-4E5C-870B-ABC9FB062EF4}: NameServer = 208.67.222.222,208.67.220.220

It is NOT malicious and does not need removal, but it does show the type of infection that you had. The infection replaced your DNS server addresses, which redirects all your web lookups through a DNS server of the attacker's manufacture/choice. Spybot has rewritten your setting again to use OpenDNS, which is a free and safe DNS server.

Because of the remnants on your computer, I'd like you to run a scan for me. I suspect the infection has been removed, but best to make sure.

Please download Malwarebytes' Anti-Malware to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Quick Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Ensure all items are checked then click Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.

You can also access the log by doing the following:
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open

Finally

Run a new scan with HJT and post me the new log please.
#16  08-30-2008, 01:32 PM
lkroll, Senior Member, Patron (Join Date: Jan 2005; Location: Alabama; Posts: 4,746)
Re: I just been hijaaked.

Thanks Gary and appreciate your concerns. Yes, I use OpenDNS and that explains those entries (208.67.222.222,208.67.220.220). Also, the BHOs are from Yahoo Toolbar (love it or hate it, that's what it is). I also have Image Compressor but have rarely used this gem that I got from Give-a-Way of the Day; it's supposed to be a legitimate program, but maybe I should uninstall it; wait and see on this one. I'm writing this one in Safe Mode since that gets rid of a lot of the shenanigans if I needed to do some changing. Still going to run an online safe-mode scan to see if any issue comes up, but I think I'm fine.

Definitely appreciate the help. I really need to start investigating the various parameters in HJT logs more. What I do at work is, after running all the external and internal scans on a customer's PC, I just check the entries in the log that are missing and then eliminate them. I also check to see if I see any known rogue entries that I'm aware of (like userinit.dll with an attached pipe) and edit those entries. Still, I'd rather just rebuild if I know that a virus has infected a machine, but we get a lot of clients that insist that they have to keep their system intact, so we get the big bucks to get them clean. I'm only running 65 to 70% fix rate; the others have to be wiped (with data backup of course) anyway. Man I hate malware.

As a side note, I did have to recently recover from a pretty dated (end of May) image, which I'm not happy about; the previous system may have been hit, but those remnants, if so, are gone now.
#17  08-30-2008, 03:17 PM
lkroll, Senior Member, Patron (Join Date: Jan 2005; Location: Alabama; Posts: 4,746)
Re: I just been hijaaked.

Scans complete (look how long they took; lol). No issues (other than some cookies and some minor registry-only entries) were found, and all removed. Let's just hope I no longer have any issues, though I still suspect HD issues since every once in a while, though I safely turn my computer off, it still wants and does a chkdsk. If I do have to get a new HD, it won't be SATA if I can help it. I can't tell you how many SATA drives I had to replace this year. This type of HD has only been around for a couple of years now, so these drives should still be viable, but they aren't like the ol' IDE (now PATA; lol) drives. I still have a drive that's well over 8 years old and still works. The biggest PATA drive I found locally was 320G, but that is really not an issue (really, for my needs, 160G is all I need). Anyway, again thanks for your concern and help Gary.
#18  08-30-2008, 03:41 PM
Gary Richardson, Senior Member (Join Date: Mar 2004; Location: Yorkshire, England; Posts: 2,717)
Re: I just been hijaaked.

Hi Lyle,

The R1 entries I asked you to remove are not BHOs (those are represented by O2 entries in a HJT log) and are not part of Yahoo Toolbar.

R1 entries are registry entries which control Internet Explorer search functions; they are part of IE itself, not an addition as a BHO is.

The ones I asked you to remove are part of a well-known infection, which redirects your search to Yahoo through red clients; they need to be removed if you have not already done so.

Glad to hear the MBAM scan came back clean.

If you want to understand what each of the HJT entries is for, then read the following tutorial.

http://www.bleepingcomputer.com/tuto...utorial42.html
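To show in code what the two posts above are getting at (post #15's O17 NameServer override and its R1 search-redirect entries, and post #18's point that R1 entries are IE search settings while O2 entries are BHOs), here is a small added example. It is not code from the thread, from HijackThis or from Trend Micro; it parses HijackThis-style log lines and flags O17 resolvers outside a trusted set and R1 search URLs pointing at a host the owner did not choose. The sample log is constructed: the GUIDs, the PLACEHOLDER paths and the 203.0.113.x resolver addresses are placeholders, while 208.67.222.222/208.67.220.220 are the OpenDNS resolvers named in the thread. The allowlists (TRUSTED_RESOLVERS, EXPECTED_SEARCH_HOSTS) are assumptions a defender would fill in for their own machine.

```python
"""Classify HijackThis-style log lines and flag the entry types discussed in
this thread: O17 DNS NameServer overrides and R1 Internet Explorer search
settings pointing somewhere unexpected. Added example; not HijackThis code."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample log (not any real machine's log). GUIDs, PLACEHOLDER
# paths and the 203.0.113.x resolvers are placeholders; 208.67.222.222 and
# 208.67.220.220 are the OpenDNS resolvers named in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/PLACEHOLDER/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/PLACEHOLDER/www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/
O2 - BHO: Yahoo! Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Yahoo!\Companion\yt.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000003}: NameServer = 203.0.113.5,203.0.113.6
"""

# Every HJT line starts with a section code such as R1, O2, O4 or O17.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")

# Resolvers the owner deliberately configured (OpenDNS, as stated in the thread).
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Search hosts the owner expects IE to use (assumption for this example).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.yahoo.com", "search.yahoo.com"}


def parse_hjt_log(text):
    """Return one dict per recognised log line: section code, body, raw line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"], "raw": line.strip()})
    return entries


def section_counts(entries):
    """Tally entries by section code (R1 = IE search settings, O2 = BHOs, ...)."""
    counts = {}
    for e in entries:
        counts[e["section"]] = counts.get(e["section"], 0) + 1
    return counts


def dns_findings(entries, trusted=TRUSTED_RESOLVERS):
    """O17 lines whose NameServer list holds an address outside the trusted set.
    A resolver swap of the kind the thread describes shows up here."""
    findings = []
    for e in entries:
        if e["section"] != "O17":
            continue
        m = NAMESERVER_RE.search(e["body"])
        if not m:
            continue
        unexpected = []
        for server in (s.strip() for s in m["servers"].split(",")):
            if not server:
                continue
            try:
                ip_address(server)
            except ValueError:
                unexpected.append(server)  # not even an IP literal
                continue
            if server not in trusted:
                unexpected.append(server)
        if unexpected:
            findings.append((e["raw"], unexpected))
    return findings


def search_hijack_findings(entries, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """R1 lines whose search URL host is not one the owner expects.
    The thread's red.clientapps.yahoo.com entries would be flagged this way."""
    findings = []
    for e in entries:
        if e["section"] != "R1":
            continue
        key, sep, value = e["body"].partition(" = ")
        if not sep:
            continue
        host = urlparse(value.strip()).hostname
        if host is None or host.lower() not in expected_hosts:
            findings.append((key, host))
    return findings


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_LOG)
    print("sections:", section_counts(found))
    for raw, bad in dns_findings(found):
        print("DNS resolver override ->", bad, "|", raw)
    for key, host in search_hijack_findings(found):
        print("IE search setting points at", host, "|", key)
```

The allowlist approach mirrors what the thread actually does by hand: the OpenDNS O17 entry is only "clean" because the owner says he configured it, and the R1 entries are only suspect because he did not choose that search host. Unrecognised section codes are counted but not judged, which matches the advice above not to let the tool fix everything it lists.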
#19  08-30-2008, 08:15 PM
lkroll, Senior Member, Patron (Join Date: Jan 2005; Location: Alabama; Posts: 4,746)
Re: I just been hijaaked.

Yeah; I do use Yahoo Toolbar too; wonder what would happen if I got rid of red.clientapps entries? May give that a go. ALCMTR is from Realtek. Not really sure if I need it anyway since I rarely touch my audio settings (audiophile no more; lol).
#20  08-30-2008, 08:24 PM
lkroll, Senior Member, Patron (Join Date: Jan 2005; Location: Alabama; Posts: 4,746)
Re: I just been hijaaked.

Well, I got rid of the Red.Client entries, but not the ALCMTR yet, until I do some more due diligence on that entry. Browser still works and my Yahoo toolbar's still there. I believe these entries were placed there when I used Yahoo Instant Messenger (my brother was in Afghanistan and we used to video communicate then). I disabled but did not uninstall YIM but will probably hose it soon. Again thanks Gary. So far so good.
All times are GMT -6. The time now is 07:19 AM.