hijacked...virus...what?

Thread: hijacked...virus...what?

  1. #1
    Member
    Join Date
    Feb 2004
    Posts
    36

    hijacked...virus...what?

    Not sure if this is the best place to post but if not i am sure you will let me know.
    My father-in-law opened up his email (earthlink) the other day to find his entire inbox deleted. He called the help desk and they told him his acct had been hijacked. but could not really give him any further info. He does not use any other email acct. The only one on his computer is Outlook and there is nothing there either. I have run AVG, ADAware, Spybot all in safe mode and found nothing. I also ran Hijackthis and here is the report. Can anyone see if there is anything odd: Thanks in advance.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:22:57 PM, on 1/31/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188922927453
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1251312111078
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

    --
    End of file - 5675 bytes
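
The log above is readable by hand, but the same triage can be scripted. The block below is an added example for this thread, not part of the original post and not HijackThis code: it parses the R/O lines, pulls out the binary each one loads, and reports any path outside the directories a stock XP install and its vendor software use. The trusted-root list is an assumption for the example; the sample lines are copied from the posted log except the last two, which are constructed to show what a hit looks like.

```python
"""Scripted triage of a HijackThis (HJT) log: parse the R/O lines, pull
out the binary each one points at, and report paths outside the trusted
directories. Added example for this thread; not HijackThis code.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Roots where a stock XP install and normally installed vendor software keep
# their binaries. Assumption for the example: extend it for a second volume
# or a custom install path.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Lines 1-6 are copied from the posted log; the last two are CONSTRUCTED to
# show what a hit looks like (a Run entry in a Temp folder, a service in
# RECYCLER). They are not from the poster's machine.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
O23 - Service: Helper (hlpsvc) - Unknown owner - C:\RECYCLER\S-1-5-21-1234\svc.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<detail>.*)$")
# First drive-letter path ending in a loadable extension; non-greedy so the
# match stops at the extension even when the path contains spaces.
PATH_RE = re.compile(r'([a-z]:\\.+?\.(?:exe|dll|ocx|sys|cpl))(?=["\s]|$)', re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # HJT section code, e.g. "O4", "O23"
    detail: str          # text after "O4 - "
    path: Optional[str]  # binary the entry loads, if the line names one


def parse_hjt(text: str) -> list:
    """Return one Entry per R/O line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pm = PATH_RE.search(m["detail"])
        entries.append(Entry(m["kind"], m["detail"], pm.group(1) if pm else None))
    return entries


def is_trusted_path(path: str, roots=TRUSTED_ROOTS) -> bool:
    """Case-insensitive prefix check against the trusted roots."""
    return path.lower().startswith(roots)


def find_untrusted(entries) -> list:
    """Entries that load a binary from outside the trusted roots."""
    return [e for e in entries if e.path and not is_trusted_path(e.path)]


def section_counts(entries) -> dict:
    """How many entries of each HJT section were parsed."""
    return dict(Counter(e.kind for e in entries))


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(section_counts(parsed))
    for e in find_untrusted(parsed):
        print(f"CHECK {e.kind}: {e.path}")
```

Everything copied from the posted log passes this filter, which agrees with the hijackthis.de result; only the two constructed lines are reported. Treat it as a triage filter, not a verdict: a DLL dropped into system32 passes it, and 8.3 short names such as PROGRA~1 have to be listed explicitly because the comparison is plain string matching.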

  2. #2
    Member
    Join Date
    Feb 2004
    Posts
    36
    Nihil, I found another of your posts with a link to hijackthis.de
    great website...everything came back as safe.
    Maybe he messed around with the settings and his email, or spyware, or etc. is set to delete all messages after being read. I will check that once I get home tonight.

  3. #3
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Go through the accounts and the policy editor, then get rid of all those toolbars and antiviral software. Sheesh... have some self respect, man.

  4. #4
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    I love toolbars. Here is a screenshot of my browser.
    (Attached image: browser screenshot)
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  5. #5
    Senior Member wiskic10_4's Avatar
    Join Date
    Jan 2004
    Location
    Corpus Christi, TX
    Posts
    254
    raven955i -

    How does earthlink know his account was "hijacked"? He told you that in those exact words? Maybe the earthlink tech was just lazy and didn't know what else to tell him when he found his inbox deleted but insisted that he didn't do it. Could he have let his password out? Has he changed it since? If not, have him do so.

    Usually if you've hijacked someone's email account you'd be looking for useful information or a means of sending out phishing emails, etc. You would want to go undetected, not delete the inbox... Is there anything in his trash folder? It's very possible that he deleted his own stuff by accident. Was it anything important? I delete everything in my inbox on a regular basis - usually upon entry.

    westin -

    That's friggin' hilarious. Sadly, I've worked on some puters where the browser actually looked like that. Usually on the work order: "Help! Browser running slow! I think I got a virus!" Of course, the system tray goes all the way to the start button, the start menu takes up the whole screen and then some and the desktop is full of miscellaneous icons that came from god knows where. =|
    My Corner of the Intarwebz: Jeremy Dean Online

  6. #6
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    I would get rid of AVG. Use some other AV. Get rid of all toolbars and if possible use an alternative browser (anything but IE, and if you *must* use IE please upgrade to version 8 with all patches). Update all your Microsoft patches to the latest level, ensure you have an original copy of Windows, a firewall (get something [Outpost is good]) and AV. If you are looking for a *free* AV, get http://www.microsoft.com/Security_Essentials/ - Make sure you download from Microsoft.com only!
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  7. #7
    Member
    Join Date
    Feb 2004
    Posts
    36
    Thanks for the info. I have changed his password (his previous one was "password", if you can believe it). He insists that he had not deleted anything. I checked his acct and nothing seems out of the ordinary. No new accts created, etc. Nothing is in the trash file.
    Those are the exact words that the nice lady in India told him: that his acct had prolly been hacked.
    TeW... I will absolutely cleanse his system of AVG. Thinking of putting in Avast. I have had good results from it.
    It is kinda funny. He has been having these problems ever since Firefox was loaded onto his laptop. Which is even funnier, because I switched over to Firefox when IE was starting to run a little slow, and now I have browser pages not loading issues.
    I wonder if the two are related. Not sure how, but it makes you wonder...
    Len

  8. #8
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Don't go for Avast please. If you are willing to pay then choose Kaspersky or Symantec (I prefer Kaspersky). If you want something free please go for the Microsoft AV; it's better than AVG and Avast.

    Update, Update and Update - Everything on your machine and the OS itself.


    Run an online scan at housecall.trendmicro.com once you're done with everything, just to be sure.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  9. #9
    Member
    Join Date
    Feb 2004
    Posts
    36
    Just as an update (I hate open-ended posts)...

    I changed his password, scoured his system, updated all his stuff, etc. It now seems to be working fine. He is now getting his emails and they are not going anywhere. I did turn off his "empty trash bin automatically" option in case he did delete them by accident.
    I did get a few spam email returns when his email came back up. Different names attached to his email address, that type of thing. All of them seemed to originate in Korea. I think all the blocks, etc. were keeping that contained, but I will continue to monitor it.
    I got my system back up and running also. I had to reload IE (some websites in the house will not load on Opera, etc.). but all is working well now. No more issues with pages not loading etc.
    thanks for all the help. :thumbsup

    Len

  10. #10
    Senior Member wiskic10_4's Avatar
    Join Date
    Jan 2004
    Location
    Corpus Christi, TX
    Posts
    254
    I would assume, then, that his account was "hijacked" simply because his password was "password." Hopefully he's learned a lesson. If he has difficulty remembering passwords, it may be helpful to him to substitute numbers and symbols for letters, for example "password" may become "pa55w0rd" or "p@$$word" - just a thought.
    My Corner of the Intarwebz: Jeremy Dean Online
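
The substitution idea in post #10 has two sides worth seeing in code. The block below is an added example for this thread, not from the original post or from any particular cracking tool: it shows how a wordlist rule engine enumerates every "pa55w0rd"-style variant of a base word, and the reverse check a password filter can run to reject such variants. The substitution table and the three-word common list are assumptions for the example, far smaller than the rule sets real crackers ship with.

```python
"""Two sides of letter-for-symbol password substitution: how a wordlist
rule engine enumerates the variants of a base word, and the reverse
check a password filter can run to reject them. Added example for this
thread; the substitution table and the mini common-word list are
assumptions, much smaller than the rule sets real crackers ship with.
"""
from itertools import product

# Letter -> characters a rule engine may put in its place (assumed table;
# the letter itself is always one of the choices).
SUBS = {
    "a": "a@4", "e": "e3", "i": "i1!", "l": "l1",
    "o": "o0", "s": "s$5", "t": "t7",
}

# symbol -> letters it may stand for, derived from SUBS ("1" maps to i and l)
REVERSE: dict = {}
for _letter, _alts in SUBS.items():
    for _sym in _alts:
        if _sym != _letter:
            REVERSE.setdefault(_sym, set()).add(_letter)

COMMON_WORDS = {"password", "letmein", "welcome"}  # constructed mini wordlist


def leet_variants(word: str, table=SUBS) -> set:
    """Every string reachable from WORD by substituting zero or more letters,
    plus the capitalised form of each (rule engines apply case rules too)."""
    choices = [table.get(ch, ch) for ch in word.lower()]
    base = {"".join(p) for p in product(*choices)}
    return base | {v[0].upper() + v[1:] for v in base}


def variant_count(word: str, table=SUBS) -> int:
    """Exact size of leet_variants(word), computed without materialising it."""
    w = word.lower()
    first = table.get(w[0], w[0])
    first_forms = set(first) | {c.upper() for c in first}  # e.g. {'p', 'P'}
    n = len(first_forms)
    for ch in w[1:]:
        n *= len(table.get(ch, ch))
    return n


def unleet(candidate: str) -> set:
    """All base words CANDIDATE could have been derived from."""
    choices = [sorted(REVERSE.get(ch, set()) | {ch}) for ch in candidate.lower()]
    return {"".join(p) for p in product(*choices)}


def is_common_word_variant(candidate: str, words=COMMON_WORDS) -> bool:
    """True when some de-substituted form of CANDIDATE is in WORDS."""
    return not unleet(candidate).isdisjoint(words)


if __name__ == "__main__":
    print(variant_count("password"), "variants of 'password' in this tiny table")
    for pw in ("pa55w0rd", "p@$$word", "correcthorse"):
        print(pw, "->", "rejected" if is_common_word_variant(pw) else "accepted")
```

With this seven-letter table "password" expands to 108 candidates, which a cracker tries in well under a second; the reverse check is what a login system or password-change hook would use to send the user back to pick something else.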
