More Google Results Hijacked log included

Status
Not open for further replies.
The first three times I click on any result I am redirected to some other search engine. I have attached my hijackthis log file. Thanks in advance for any help.

-Eric
 
Hello, Ethered, and welcome to Techspot :wave:

Please take a look at the following threads to make your experience here as enjoyable as possible :)

Message for all newcomers

SNGX1275's Guide to making a good post/thread

The Techspot FAQ

If you could take a minute to fill in some of your profile information that would be helpful to all members of the forum :)
Knowing someone's location in the world can be extremely helpful, even if you just put a country.

Also remember to post any problems or questions that you have in the appropriate forums

With regards to your problem, have hjt fix these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

With that many running processes i'm surprised your pc even manages to get as far as google :D
 
Hello and welcome to Techspot.

Your system has been hijacked. Please ignore Daveskater's instructions as he is still learning.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Then go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, please post the C:\fixwareout\report.txt.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Ethered only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
your malware removal knowledge clearly surpasses me, howard :)

i've been contemplating whether to join the malware removal university but haven't quite made my mind up yet, i may do it but it's having the time to do it

however i'll leave you to it now because this isn't a discussion thread, we have a serious matter at hand ;)
 
No worries mate, it'd be really good to have you helping out in this forum. I could sure use the help.

The MRU is very good and thorough, but is quite involved and time consuming.

If that's what you want to do, then you have my utmost respect and appreciation.

Just for future reference, this is the hijacker.

O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127

If ever you see that IP address as an O17 entry in a HJT log, you'll know it's been hijacked.

Regards Howard :)
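
The check described in the post above, as an added example that is not part of the original thread: it pulls the NameServer values out of HijackThis O17 lines and flags the two addresses named here. The `review`/`local` verdicts for other addresses are an assumed triage heuristic, and the sample log is constructed (its last O17 line and the O4 line are invented).

```python
import ipaddress
import re

# Nameserver addresses the thread identifies as the hijacker's DNS servers.
KNOWN_BAD = {"85.255.115.3", "85.255.112.127"}

# HijackThis O17 line: "O17 - <registry key>: NameServer = <servers>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry_key, [ip, ...]) for each O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # The registry value is printed as-is: comma- or space-separated.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        yield m.group("key"), servers


def classify(ip):
    """Return 'known-bad', 'review' (public, unlisted), 'local' or 'invalid'."""
    if ip in KNOWN_BAD:
        return "known-bad"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "local" if (addr.is_private or addr.is_loopback) else "review"


def audit(log_text):
    """Return (registry_key, ip, verdict) for every O17 nameserver in the log."""
    return [(key, ip, classify(ip))
            for key, servers in parse_o17(log_text)
            for ip in servers]


# Constructed sample: two O17 lines from the thread plus two invented lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for key, ip, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:9}  {ip:15}  {key}")
```

A `review` verdict only means the address is public and not on the list; it still has to be compared with the resolvers the ISP or network administrator actually assigned.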
 
yeah i work random(ish) hours through the week and i have driving lessons going on at the moment so if i can find the time then i'll go for it

thanks :) if i see an ip like that i usually check it on dnsstuff.com and that one came up as being in Ukraine or something so it didn't look so good :D
 
inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

It used to be a lot more common. I haven't seen it for a while.

Regards Howard :)
 
well let's just hope it doesn't come back, eh :)

hopefully i'll recognise that ip in future but i don't usually remember combinations of numbers unless i think of them a few times or type them a few times. for example i could tell you that typing in 5000128271165 into the till at work will come up with a 69p cucumber :D but that's not really helpful here ;)
 
Howard,

Thanks for the help this far. I have followed almost all the instructions in the Viruses/Spyware/Malware, preliminary removal instructions. I could only get one of the 3 tools in step 10 to run; besides that, I am good. I have attached the 3 log files you requested. Finally, the Panda Antirootkit scan did not find anything.
Also I am no longer experiencing the problem.

Once again thank you for your help to this point. Same to you Daveskater.

-Eric
 
Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{48227AEB-DC8E-4A90-A274-0B4A39D699B1}"" (User 'SYSTEM')

Click on the fix checked button.

Close HJT and reboot your system.

Post a fresh HJT log.

Regards Howard :)

 
Daveskater, you should join the MRU.

But bear in mind, there is a lot of reading involved and loads of information to take in.

I've also heard about SWI Bootcamp, here. That is meant to be a good malware training site.

But i'll shut up now lol. As this thread is for Ethered. lol

I would take a look into this Ethered mate, but i'm going to bed now. lol

Regards Jase :)
 
Your HJT log is clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 