Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

XP connection lost on 1 user when hijacked (RESOLVED)

Guest

PostPosted: Sat Oct 30, 2004 1:40 pm    Post subject: XP connection lost on 1 user when hijacked (RESOLVED)

OK, this is actually TeMerc, on my brother's account.

He got hijacked the other nite by easysearch. He was away from the pc, came back, had alerts by SpySweeper about his home page and so forth.

I cleaned up everything, ran Shredder, found some minor stuff, ran HJT on all user accts. All clean now.

He has a user account set up for his son; that acct has internet access, but his does not.

Any suggestions? IE repair? He just installed XP from my discs and had no troubles with that. I have already reset web settings. Gone thru all that I can think of. Still no internet.

Needless to say it's kinda frustrating. Let me know, as both me and my brother will be 'watching' this topic for any suggestions.
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

PostPosted: Sat Oct 30, 2004 2:00 pm

Just so I can watch this. Cool
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

PostPosted: Sat Oct 30, 2004 2:13 pm

Dial-up or Cable?
_________________
Proud member of the Chest Zipper Club!
TeMerc

PostPosted: Sat Oct 30, 2004 3:02 pm

Cable, Cox Hi Speed. I just called him to try System Restore. We'll see if that does anything.

Funny tho, you would think if one IE is corrupted it would be on both?

Another issue I discovered just as I left was the Norton firewall was not enabled on the kid's account, and when I tried to access it I was denied, and told 'contact supervisor'. I thought fws were all global. But I'm going to read about that in the manual, as he got it from me.

More tonite. Cool
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Sat Oct 30, 2004 6:03 pm

with the firewall disabled you may have a very compromised computer.
see if booting in as admin can enable the firewall.
i would look at the logs in start, settings, control panel, admin tools, event viewer.
see if you can find out what's happening there.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
TeMerc

PostPosted: Sat Oct 30, 2004 7:17 pm

OK, well, the thing about the firewall is, on the kid's acct, it was never online, with any browser. My bro just tried it after he got infected.

And I read in the Norton manual that each user needs to have admin privileges to change anything within the firewall, tho that does not explain why the firewall was not even activated............guess I'll read a bit more about that.

I also thought of just removing the user acct that's not operating.......would this work? My bro is also gonna create a new acct, to see what that does.

More when I hear from him.

Thanks all!!
3162

PostPosted: Sat Oct 30, 2004 7:35 pm

Well,
I'm not a Norton Expert and to be honest I think it is bloated, expensive, and causes conflicts on multiple user machines.
Not to mention the fact that Norton Trial Versions installed on new machines lead Users into a false sense of security when the trial version expires.

However....

Try this:
Uninstall Norton.
Reboot.
See if all users have a live connection to the internet.
If they do, reinstall Norton, and enable Protection for all users.
wawadave

PostPosted: Sat Oct 30, 2004 10:01 pm

might try posting the question here.
http://computercops.biz/forum82.html
norton forum.
ok i saw a locked out firewall and thought here's a machine that has been thoroughly hacked. on the grounds it never got on the net you're safe. but i would still look through the logs, you can find some interesting things you don't expect.
found riaa trying to open a vpn into my machine but that's a whole other thing! the failed attempt gave the ip and mac addy, it could then be ...........
see you later.
TeMerc

PostPosted: Tue Nov 02, 2004 11:19 pm

Slight update.

My brother uninstalled, then reinstalled Norton, no luck.
Told him to be sure XP ICF was off too. I told him to uninstall Norton again, install it on the Admin acct, and see if that changes anything.
Then, I said, if that don't work, uninstall Norton, DL ZA, see what happens then. I'd be surprised if it's Norton's fw tho.

Then he created 2 new accts, with full permissions on his acct, none for the kid.

Kid's acct got easysearch again. I'll probably run over there this weekend if he don't get it cleaned. I neglected to leave him a copy of Shredder 1.59.2, so, I don't think he'll be able to fix it entirely.

I'll keep you updated as I get info from him.
TeMerc

PostPosted: Wed Nov 03, 2004 9:56 pm

OK, well it seems my bro is still having probs. Now he has a new hijack to some search engine, whose name eludes me currently. And he has been getting some DNS errors as well.

I'm going over there tomorrow to try and fix it all up.

One question I had, but not sure about, is if I delete all the users (currently 4) save the admin acct, then clean that acct up, will this give us a fresh start point?

He just installed the XP on this machine maybe 2 weeks ago. Not much if anything to save.

Oh, and we tried system restore too, but it wouldn't let him save a point.

I'll be going in the late morning, so hopefully some of you will have some input for me, thanks all!!! Cool

Tom
wawadave

PostPosted: Wed Nov 03, 2004 10:59 pm

Quote:
One question I had, but not sure about, is if I delete all the users (currently 4) save the admin acct, then clean that acct up, will this give us a fresh start point?

well it will narrow it down to one account. if the others are screwed up, just create new ones after. here's a few things besides spyware to fix screwed files.
goto start, run, type
sfc /scannow click ok, insert xp cd when asked.
be warned recovery cd's will not work for this!
sfc /scannow how to: http://www.updatexp.com/scannow-sfc.html

How to use recovery console
http://www.webtree.ca/windowsxp/repair_xp.htm

How to do xp repair install
http://michaelstevenstech.com/XPrepairinstall.htm
------------------------------------------------------

but did you manage to install spywareblaster? spyadds? etc. sounds like you need to teach him some computer self defence!!!
TeMerc

PostPosted: Wed Nov 03, 2004 11:03 pm

Thanks Dave, actually my bro had everything installed, but then upgraded his tower, and OS to XP. He just wasn't quick enough with his security installs, like I told him to be.

He also still does some P2P thru WinMX, which is better than the other crap, KaZaa and a couple others he tried.

He has always been infected it seems with one thing or another, primarily due to P2P and p0rn.

Oh well, let's hope I can fix him up, I'm sure I will, then at least I'll know he will be all fixed, and properly protected once I leave.
wawadave

PostPosted: Wed Nov 03, 2004 11:11 pm

6 minutes to infection on line not surfing!
less if you surf! that's on an unprotected pc.
and high-risk things like p2p can be done if you're aware of all the pitfalls and there are many.
but that's a whole other topic!
3162

PostPosted: Thu Nov 04, 2004 3:52 am

Quote:
One question I had, but not sure about, is if I delete all the users (currently 4) save the admin acct, then clean that acct up, will this give us a fresh start point?

If you delete the other profiles, and then create a new restore point,
you'll only have the one infected profile to deal with.

Clean it up, get all the updates etc, and then create another fresh restore point.

That should work..
TeMerc

PostPosted: Thu Nov 04, 2004 12:44 pm

OK, well, think I found the problem. Seems that easysearch dropped in 6 services into MSCONFIG.

I don't know why I didn't notice them on Saturday when I was here, but they were here today. I disabled them in MSCONFIG, now I need a registry entry to get rid of them permanently?

They were in HKLM\software\microsoft\windows\currentversion\run
and
HKCU, same as above.
I have added ZA and aVast av, which is scanning now, and will then proceed to install everything else I brought along on my disc.

So far, no troubles surfing or searching. Still need to double check the kid's acct tho. But he does not surf.
3162

PostPosted: Thu Nov 04, 2004 12:49 pm

If you can locate the CLSIDs, write up a REGEDIT4 batch file to merge into the registry. Might be easier to do that instead of hacking them all out one by one.
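The two Run keys TeMerc lists above and 3162's REGEDIT4 suggestion, worked through together as an added example that is not from the thread: a Python audit that flags autostart entries launched from directories a legitimate program rarely uses and drafts the matching REGEDIT4 removal file. The entries in SAMPLE_ENTRIES and the suspect-directory list are constructed for illustration; on the live machine the same dict would be filled from winreg.EnumValue over those two keys.

```python
# Run-key autostart audit plus REGEDIT4 removal draft (added example, not from the thread).
# RUN_KEYS are the two keys named in the thread; everything else here is constructed.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
# Directories a legitimate autostart rarely launches from (illustrative heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")

# Constructed sample: one benign entry per hive plus two hijacker-style ones.
SAMPLE_ENTRIES = {
    "HKLM": {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "sample_hijack1": r'"C:\Documents and Settings\bro\Local Settings\Temp\srch.exe" -s',
    },
    "HKCU": {
        "MSN": r'"C:\Program Files\Messenger\msmsgs.exe" /background',
        "sample_hijack2": r"C:\WINDOWS\Temp\easyupd.exe",
    },
}

def exe_path(command):
    """Return the executable from a Run value's command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def is_suspect(command):
    """True when the executable lives under one of the suspect directories."""
    return any(d in exe_path(command).lower() for d in SUSPECT_DIRS)

def flag_entries(entries):
    """entries: {hive: {value_name: command}} -> sorted list of (hive, value_name)."""
    return sorted((h, n) for h, vals in entries.items() for n, c in vals.items() if is_suspect(c))

def regedit4_removal(flagged):
    """Draft a REGEDIT4 file that deletes the flagged values ("name"=- syntax).
    Confirm every hit by hand before merging; the heuristic is a lead, not a verdict."""
    lines = ["REGEDIT4", ""]
    for hive, key in RUN_KEYS.items():
        names = [n for h, n in flagged if h == hive]
        if names:
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)
            lines.append("")
    return "\r\n".join(lines)  # .reg files are CRLF text

if __name__ == "__main__":
    print(regedit4_removal(flag_entries(SAMPLE_ENTRIES)))
```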
TeMerc

PostPosted: Sun Nov 07, 2004 1:29 pm

OK, here is an update, sorry took me so long to remember to do this.

As we had found the location of exes in a MSCONFIG startup tab, Blender and I, via IM, were able to track them down, and manually delete all 6. Then I was able to reboot, delete everything, and get his machine working nicely.

Oddly tho, for some reason, we couldn't get Norton's firewall to operate.
Just DLed ZA for him. And aVast AV.

Then installed all the other goodies to help keep him cleaned up.

It was about 6 months since I last went over there, to clean him up, so let's see how long it lasts this time. Wink


This topic has been resolved, and locked, if need be, PM me to reopen for continued support, thanks. TeMerc