Unknown hijacker
Old 08-08-2005, 06:37   #1
bayonet
Bayonet
 
 
Join Date: Mar 2005
Location: Swansea
Age: 59
Services: 100Mb Superhub XL TV with TIVO and SkySports.
Posts: 376

Had this via a Yahoo email account; it tried to set my homepage to begonia.

The email said I had bought an iPod and was going to take £399 from a CC account. The mail pretends to come from noreply@ukcards.com. It also came with a customer service number which when I rang it was the Jobseeker number.

The attachments are zipped and say your bill is in said attachment, I'm running spybot and spyware begone but neither picked this one up. Just thought I'd post here to warn people, Google search says it's a trojan hijacker.
Old 08-08-2005, 07:10   #2
Jon M
Inactive
 
 
Join Date: Oct 2003
Location: Bracknell
Age: 35
Services: Freeview, NTL phone, NTL 4mbit BB SACM
Posts: 3,281

If this nasty has hijacked your browser I would get hold of an anti-spyware tool that covers BHO's (browser helper objects) like the Microsoft one here: http://www.microsoft.com/athome/secu...e/default.mspx

Don't assume that there is nothing there if you haven't found anything yet.
__________________
Forum Etiquette | Anti-Spam
'slightly pious, very sanctimonious and far too serious'
information is not a property of matter, it's applied to matter by intelligence
Old 08-08-2005, 07:27   #3
bayonet

Yes got spyware begone and adaware both show nothing
Old 08-08-2005, 08:04   #4
Jon M

Quote:
Originally Posted by bayonet
Yes got spyware begone and adaware both show nothing
Yes, you said as much in the first post.
I suggested the Microsoft one because I know it handles BHO's. If you're happy to just leave it as it is, be my guest.
Old 08-08-2005, 08:22   #5
bayonet

Ok thanks for the Advice Jon M
Old 08-08-2005, 08:23   #6
Jon M

No problem, happy to help
Old 08-08-2005, 08:26   #7
Stuart
Cable Forum Team
 
 
Join Date: Jun 2003
Location: Sarf east Luhndun.
Services: Virgin for TV and Internet, BT for phone
Posts: 24,885

bayonet: I would recommend you get the Microsoft one. On a couple of occasions, it has caught spyware that Adaware and spybot have both missed. It also gives good protection against various things spyware does (such as install services, change your IE settings etc).

Finally, if you don't trust Microsoft stuff, bear in mind it's basically written by a company called "Giant Software".
Old 08-08-2005, 09:07   #8
zing_deleted
Guest
 
Posts: n/a

Really I would recommend more caution in future. Why did you open the email, let alone download an attachment? 2 fundamental rules of security broken. Then phoning the number, now that's just silly. Sorry
Old 08-08-2005, 15:21   #9
Halcyon
Hello !
 
 
Join Date: Mar 2004
Location: East Midlands
Services: VMedia 10mb
Posts: 15,319

It definitely is not a good idea to open any unfamiliar attachments or e-mails.
I'd recommend you get a Virus scanner such as AVG which is free on the net that scans your mails for viruses and also run spyware and adware scans regularly on your machine.
You should also use a firewall such as ZoneAlarm too, available free online.
Old 08-08-2005, 15:26   #10
bayonet

Here's the number: 0845 6060234. It goes to a jobseeker helpline, so no need to open attachment. Cleaned now, no problem. Got AVG, never came up with anything suspicious.

Never opened the mail, saw everything in the read panel of Thunderbird.
Old 08-08-2005, 15:27   #11
Gareth
cf.mega poster
 
 
Join Date: Dec 2003
Age: 38
Posts: 7,099

A utility called Hi-jack This will also display whether you have any BHO's installed on your machine. The output it produces can be a bit cryptic if you're not used to deciphering it, but paste it here and we'll have a look, or there's an online analysis you can use if you're feeling brave enough
__________________

D'oh, forgot links...

Hijack This - www.spywareinfo.com/~merijn/downloads.html
Online analysis - www.hijackthis.de
Old 08-08-2005, 23:21   #12
luftys
Inactive
 
 
Join Date: Dec 2003
Location: outer space
Posts: 1,038

Quote:
Originally Posted by Gareth
A utility called Hi-jack This will also display whether you have any BHO's installed on your machine. The output it produces can be a bit cryptic if you're not used to deciphering it, but paste it here and we'll have a look, or there's an online analysis you can use if you're feeling brave enough
__________________

D'oh, forgot links...

Hijack This - www.spywareinfo.com/~merijn/downloads.html
Online analysis - www.hijackthis.de
Thanks for the link, just been reading Tutorial for Hijack, very good
Old 09-08-2005, 07:59   #13
bayonet

Here you go
Logfile of HijackThis v1.99.1
Scan saved at 08:58:48, on 09/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AJ\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Old 09-08-2005, 22:04   #14
Gareth

All looks good to me - can't see anything suspicious
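One way to pull the entries that matter for a browser hijack (the IE start page and the O2 BHO lines) out of a HijackThis log like the one posted above. This is an added example, not part of the original thread and not HijackThis's own code. The `browser_view` helper, its expected-homepage argument and the two review rules are assumptions for illustration; the sample lines are copied from the posted log.

```python
import re

# Excerpt of the HijackThis v1.99.1 log posted in this thread (lines copied as posted).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Entry lines start with a section code such as R0, O2, O4 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Anchor on the {CLSID}: names and paths may themselves contain " - ".
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_log(text):
    """Return (section_code, body) per entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def browser_view(text, expected_home):
    """Collect IE page settings (R0/R1) and BHOs (O2), plus items to look up by hand."""
    pages, bhos, review = {}, [], []
    for code, body in parse_log(text):
        if code in ("R0", "R1") and " = " in body:
            key, url = body.split(" = ", 1)
            pages[key] = url
            # Illustrative rule: a start page other than the one the user set.
            if key.endswith("Start Page") and url != expected_home:
                review.append(f"start page changed: {url}")
        elif code == "O2":
            m = BHO.match(body)
            if not m:
                review.append(f"unparsed O2 entry: {body}")
                continue
            name, clsid, path = m.groups()
            bhos.append({"name": name, "clsid": clsid, "path": path})
            # Illustrative rule: a BHO with no display name gets a manual CLSID lookup.
            if name == "(no name)":
                review.append(f"unnamed BHO {clsid}: {path}")
    return {"pages": pages, "bhos": bhos, "review": review}

if __name__ == "__main__":
    result = browser_view(SAMPLE_LOG, "http://www.google.co.uk/")
    for b in result["bhos"]:
        print(b["clsid"], b["path"])
    for item in result["review"]:
        print("REVIEW:", item)
```

A review item is a prompt to look up the CLSID and file, not a verdict: the one unnamed BHO in this log sits in the Spybot - Search & Destroy folder.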
Old 10-08-2005, 11:45   #15
Darkies Gem
Inactive
 
 
Join Date: Aug 2005
Location: Doncaster, UK
Age: 27
Services: NTL-Freedom Broadband (soon going wireless :O) Talk Talk-Telephone (not my choice:() Sky and Freev
Posts: 29

Panda security platinum, is a good thing to have for stuff like that. It's much better than adaware, at one point I had the full bought adware software.
It didn't used to catch much, and a lot of it was too confusing to even begin to understand.
Panda is constantly checking for spyware adware and viruses, without acting too much like a firewall. It also upgrades itself regularly.
It's also got child lock features, which is great when my little sister comes over.

The only trouble is, the licence runs out in a year, which will be a very sad thing indeed.