TechSpot

I believe I've been hacked

By abe10tiger
Sep 17, 2010
  1. Ok, I believe my PC has been hacked, but I was able to prevent the hacker from doing any real damage. My mouse just suddenly freezes and Chrome keeps on closing. I scanned my PC with SuperAntiSpyware and found 46 pieces of spyware! I quarantined them and my PC worked fine! But I wanna make sure that the hacker is gone. I scanned using HijackThis and attached a log. Please help. :D
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware. Unfortunately, HijackThis isn't enough and we don't use it to 'screen' for malware.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply. Please paste the logs into the reply and use additional posts if needed to split them.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    So should I remove it, since I won't be using it?
     
  4. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    I was not able to attach the GMER log because an error always occurs. I've disabled my anti-virus and all the things it told me to.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The antivirus program did not need to be disabled to run these preliminary programs, so it should run unless you are specifically told to disable it (as in Combofix). Try one of the following for GMER:
    1. Uncheck Devices, or
    2. Try running it in Safe Mode.

    About HijackThis: yes, you can remove it. I will have you run it at the end, but you have an outdated version installed.

    I will finish checking these logs. The Ask Toolbar is all over the system. This usually comes bundled with other, unrelated programs. We do not recommend keeping it, as it comes with adware and other potentially unwanted features. You also have the XfireXO Toolbar. It is recommended that this be removed also. After you run the next programs, I will set up a script to run through Combofix to remove some of the bad entries.

    In the meantime, please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please paste these logs into the next reply. You may need more than one post- that's okay. This allows me to check any entry directly from my browser instead of doing a copy and paste for each one which can take a significant amount of time.
     
  6. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    Hi, here is the log for Combofix. I won't be able to post the log for Nod because I need to go, and I don't think I'll be able to go online for maybe a week. Please keep this thread active. Thanks. :D
  7. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    Here's the Nod log. So do I remove the "Ask toolbar" you were talking about?
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We'll start when you get back. Before you go: your AV is out of date. Best renew or update it now.

    I'll keep this open for a week.
     
  9. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    I'm back

    Hey, I'm back. I'm done updating my anti-virus. :D
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please update and run the Eset Nod scan again.

    Also, do a new scan with Combofix. Please paste the new log from Combofix into the next reply. Use multiple posts if needed.
     
  11. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    OK, so do I follow the steps in Combofix again?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, you run Combofix again. You already have it on the desktop, right?
     
  13. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    Yup. I already have it on my desktop.
     
  14. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    Here's the log

    Here's the log for Combofix and Nod.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you see the difference in Eset? It didn't show any bad entries, but it was the full log and not just the Registration.

    Please do this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\Ask.com\UpdateTask.exe
    Folder::
    c:\program files\Ask.com
    c:\documents and settings\Administrator\UserData
    c:\documents and settings\Administrator\Application Data\Xfire
    c:\program files\Xfire
    c:\documents and settings\NetworkService\Application Data\Xfire
    c:\program files\XfireXO
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
    "{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"=-
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    [HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"=-
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"=-
    [HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=-
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    Extra::
    File::
    Firefox-:
    Firefox-; - Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fwv96nqh.default\
    Firefox-: - prefs.js - Search.DefaultURL
    Firefox-: - prefs.js - Startup.Homepage
    Firefox-: - prefs.js - Keyword.URL
    DDS::
    uStart Page = hxxp://www.ask.com/web?&o=13799&l=dis&q=
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    uURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
    BHO: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    ====================
    I have some concern about the use of the Video Accelerator program. It is legitimate, but it causes the homepage to be reset to SpeedBit. If you know this and it's intentional or okay, fine. If not, then it should be removed.
     
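A small helper, added here as an example and not part of the thread or of ComboFix, that reads a CFScript like the one above and lists what it would act on (files, folders, whole registry keys, and individual registry values) so the script can be reviewed before it is dragged onto ComboFix.exe. The section names match the posted script; the rule that a bare `[key]` line removes the whole key while `"name"=-` lines beneath it remove only those values is an assumption about the format, and the sample text is a constructed, shortened copy of the script's shape (trailing tab included).

```python
import re

# Constructed sample shaped like the thread's script; note the trailing tab.
SAMPLE = """KillAll::
File::
c:\\program files\\Ask.com\\UpdateTask.exe
Folder::
c:\\program files\\Ask.com
c:\\program files\\XfireXO\t
Registry::
[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[HKEY_CLASSES_ROOT\\clsid\\{00000000-6e41-4fd3-8538-502f5495e5fc}]
"""

HEADER = re.compile(r"^([A-Za-z]+)::$")      # e.g. "Folder::"
VALUE_DEL = re.compile(r'^"([^"]*)"=-$')      # e.g. "{GUID}"=-


def parse_cfscript(text):
    """Return {section: [lines]}; blank lines and edge whitespace are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()                    # pasted scripts often carry tabs
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("line before any section header: " + line)
        else:
            sections[current].append(line)
    return sections


def registry_plan(lines):
    """Split Registry:: lines into whole keys to remove and (key, value) pairs."""
    keys, values, key = [], [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys.append(key)                  # assumed: bare key => remove key
        else:
            m = VALUE_DEL.match(line)
            if m and key:
                if key in keys:               # values listed => key itself stays
                    keys.remove(key)
                values.append((key, m.group(1)))
    return keys, values


def summarize(text):
    s = parse_cfscript(text)
    keys, values = registry_plan(s.get("Registry", []))
    return {"kill_all": "KillAll" in s, "files": s.get("File", []),
            "folders": s.get("Folder", []), "reg_keys": keys, "reg_values": values}
```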
  16. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    Here's the log for Combofix!
    Hm... I don't really use the Video Accelerator program.
  17. abe10tiger

    abe10tiger TechSpot Paladin Topic Starter Posts: 770   +10

    Hey Bobbye, I won't be able to log in for maybe a week again. But there's a chance that I might go online tomorrow. Please keep this thread active until I'm done. Thanks! :D
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm going to close this thread. When you find you're back in town long enough to attempt cleaning the system, please start a new thread with the pertinent information at that time. You can reference this thread if you want: http://www.techspot.com/vb/topic153477.html

    As for the Video Accelerator and any other program you don't use, need or want, please uninstall them and delete the program folder for each.
     