homepage hijack, Win Min?


75 replies to this topic

#51 Lucky Cat

Lucky Cat

    Meow?

  • Full Member
  • Pip
  • 94 posts

Posted 03 June 2004 - 02:59 PM

I've deleted mstasks1.exe, mstasks2.exe, wmplayer.exe.tmp no problem. But now I have a new problem... I can't delete:

F0 - system.ini: Shell=
F0 - REG:system.ini: Shell=
F0 - REG:system.ini: UserInit=
Every time I click fix checked and I run HijackThis again it reappears, are these items dangerous?

From what I've read, F0 items are always bad, but I was looking at a post that seems to say that they may be legit.

These 3 files:

C:\Program Files\Winamp\winamp.ini
C:\Program Files\Winamp\winamp.m3u
C:\Windows\winamp.ini


go with Winamp (a media file player). Do you have this program on your computer? If so, was it installed around the time this problem began?

Could you make copies of the following files and place them in a ZIP file:

C:\install.cab
C:\install.htm
C:\Windows\didduid.ini
C:\Windows\dl.html
C:\Windows\hosts
C:\Windows\sasing.ini
C:\Windows\test
C:\Windows\inf\drvindex.pnf
C:\Windows\system32\ggdfg.txt
C:\Windows\system32\drivers\etc\hosts

and send them to the following address: walk_wait AT msn.com (replace the AT with @). I'd like to have a look at these files.

-- LB

Ahh yea, seems like a few people out there have the F0 after being infected by something, so it seems like a bad thing... As for Winamp, yea I have it installed but I installed it months ago and I wasn't running it the day I got infected (if anything I can just delete the whole thing and reinstall it, it's easy). And I'll send you those files ASAP, thanks.

#52 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 03 June 2004 - 04:01 PM

Don't worry about the F0 items.... they're probably legit. They show up like that in certain non-English versions of XP.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#53 Lucky Cat

Posted 03 June 2004 - 05:07 PM

Don't worry about the F0 items.... they're probably legit. They show up like that in certain non-English versions of XP.

-- LB

Yea, my XP is on a Japanese setting... maybe that's why >.< As long as they are not a threat ;) I sent you the files, hope ya can figure out if they're safe or not :hmmm:

#54 VashonDude

Posted 03 June 2004 - 11:25 PM

I inspected the files you sent. No obvious signs that they were related to Hacker Defender. However some of the files are related to ISearch (a toolbar). Do you recall ever seeing this in any Spybot or Ad-Aware scans?

Go ahead and delete the following:

C:\install.cab
C:\install.htm
C:\Windows\didduid.ini
C:\Windows\dl.html
C:\Windows\test
C:\Windows\system32\ggdfg.txt
C:\Windows\sasing.ini


This one I'm not sure about:

C:\Windows\inf\drvindex.pnf

I couldn't make heads or tails of the info in this file. It's probably legit.

I may have you do more stuff to ensure that Hacker Defender is really gone.

-- LB

#55 Lucky Cat

Posted 04 June 2004 - 12:43 AM

I inspected the files you sent. No obvious signs that they were related to Hacker Defender. However some of the files are related to ISearch (a toolbar). Do you recall ever seeing this in any Spybot or Ad-Aware scans?

Go ahead and delete the following:

C:\install.cab
C:\install.htm
C:\Windows\didduid.ini
C:\Windows\dl.html
C:\Windows\test
C:\Windows\system32\ggdfg.txt
C:\Windows\sasing.ini


This one I'm not sure about:

C:\Windows\inf\drvindex.pnf

I couldn't make heads or tails of the info in this file. It's probably legit.

I may have you do more stuff to ensure that Hacker Defender is really gone.

-- LB

Okay, will delete those files. drvindex.pnf does seem to be legit, just odd that it got modified at the exact time of infection. And yea, I did find iSearch Toolbar with Spy Sweeper and it got rid of it.

Okay, thanks for your help so far... is it almost fixed? :D

#56 VashonDude

Posted 04 June 2004 - 12:49 PM

Could you find this file:

winunins.ini

and post the contents here?

As for that one file I'm unsure of (the one I couldn't make any sense of), I'm trying to find out if Hacker Defender messes with this or not.

-- LB

#57 Lucky Cat

Posted 04 June 2004 - 03:27 PM

Could you find this file:

winunins.ini

and post the contents here?

As for that one file I'm unsure of (the one I couldn't make any sense of), I'm trying to find out if Hacker Defender messes with this or not.

-- LB

I deleted winunins.ini because the solution for HackerDefender in this thread:
http://www.spywarein...p?showtopic=505
said I should delete it. It's gone, so I can't paste its contents :weep: Does this matter? Is that a bad thing?

Thanks for your help so far.

#58 VashonDude

Posted 04 June 2004 - 04:51 PM

I'm not 100% sure, but probably Windows keeps a log of installed drivers in drvindex.pnf. As HD's driver was installed on a specific date/time, drvindex.pnf would have changed on the same date/time. The file itself should be left alone.


drvindex.pnf is OK.

I'm now checking to see if you should change your passwords (I don't know if Hacker Defender steals passwords).

Just about done here.

-- LB

#59 Lucky Cat

Posted 04 June 2004 - 05:03 PM

I'm not 100% sure, but probably Windows keeps a log of installed drivers in drvindex.pnf. As HD's driver was installed on a specific date/time, drvindex.pnf would have changed on the same date/time. The file itself should be left alone.


drvindex.pnf is OK.

I'm now checking to see if you should change your passwords (I don't know if Hacker Defender steals passwords).

Just about done here.

-- LB

Okay, thanks a lot! Glad we're almost done ;) Umm, if I DID have to change passwords, which ones would I have to change?

#60 VashonDude

Posted 04 June 2004 - 10:42 PM

I looked at the viruses that the anti-virus program found just after the problems began. None of them were mentioned as password stealers.

Run a full virus scan again and report back with any viruses found. I just want to make sure there isn't anything else.

-- LB

#61 VashonDude

Posted 04 June 2004 - 11:17 PM

You mentioned earlier that you have a home network. Was the infected computer part of this network?

-- LB

#62 Lucky Cat

Posted 05 June 2004 - 11:37 AM

Ran a full virus scan, found no virus. Yea, the infected computer is part of the home network. It was plugged in at the time of the infection, but I have had it unplugged ever since, except to update Ad-Aware, SpywareBlaster and my anti-virus program.

#63 Lucky Cat

Posted 05 June 2004 - 11:16 PM

bump

#64 VashonDude

Posted 06 June 2004 - 10:35 AM

It sounds like you're clean now.

I recommend downloading the following programs:

Spyware Blaster
IE-Spyad
MVPS Hosts

These will prevent most of the stuff from getting on your system. Install them on each computer on your home network.

-- LB

#65 Lucky Cat

Posted 06 June 2004 - 05:40 PM

I am clean? Yay, thanks a lot for your help VashonDude. I'll install those things ASAP. One more thing before we finish up! What about the...

C:\Windows\winamp.ini
C:\Program Files\Winamp\winamp.ini
C:\Program Files\Winamp\winamp.m3u

files. I still find it odd those files were modified after the time of infection. I do have Winamp installed but I didn't use it for days... If anything I'll just uninstall Winamp and reinstall it. Or is this even something I should worry about?!

Anyway, after this that should be it. Again, thanks a lot for your help VashonDude :D

#66 Lucky Cat

Posted 06 June 2004 - 09:08 PM

About the Winamp thing I mentioned above, I just deleted and uninstalled Winamp... may have been okay anyway, but better safe than sorry ;)

#67 VashonDude

Posted 06 June 2004 - 09:22 PM

About the Winamp thing I mentioned above, I just deleted and uninstalled Winamp... may have been okay anyway, but better safe than sorry ;)

Probably a good thing you deleted those files.

IE-Spyad and MVPS Hosts are updated frequently (about once every 2 weeks or so). Be sure to check the software updates forum here for update notices.

I'm glad I could be of assistance :wave:

-- LB

#68 Lucky Cat

Posted 06 June 2004 - 11:21 PM

Okay, will do! Thanks a lot for your help VashonDude :D C ya around :thumbsup:

#69 Lucky Cat

Posted 07 June 2004 - 01:29 AM

Hey, there's one more thing... the file "hosts" that was created at the exact time of infection is still in my Windows folder :unsure: Should I delete that?

#70 Lucky Cat

Posted 07 June 2004 - 03:18 PM

bump ;)

#71 VashonDude

Posted 07 June 2004 - 09:12 PM

One of the hosts files was empty and the other had a perfectly harmless entry. I believe the one in the C:\Windows directory can be deleted (I'll check to make sure).

On the subject of the hosts file, the one I suggested you download is very useful. What it does is redirect certain sites to IP 127.0.0.1 (which just happens to be the computer the file is on). This will prevent anything from being downloaded from those sites.

-- LB

#72 Lucky Cat

Posted 07 June 2004 - 09:48 PM

Okay, thanks for checking :D and I downloaded that hosts file also :D

#73 Lucky Cat

Posted 08 June 2004 - 11:23 AM

bump :D

#74 VashonDude

Posted 08 June 2004 - 12:04 PM

Go ahead and delete the hosts file in the C:\Windows directory. That's not the legit place for the hosts file in XP (in XP, it's located in C:\Windows\System32\Drivers\Etc).

-- LB
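As an added example (not code from the thread, nor from the MVPS or HijackThis projects), the following Python checks the two things these last replies about the hosts file raise: which entries merely point names back at the local machine, as the MVPS blocking file does, versus entries that send a hostname to a remote address, which is the shape a hosts-based hijack takes, and whether a hosts file sits at the legitimate XP path. The sample hosts contents and the example domains are constructed.

```python
import ipaddress
import ntpath

# Constructed sample hosts file (not from the thread); mixes the MVPS-style
# blocking entries described above with one hijack-style redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test     # blocked: resolves to this PC
0.0.0.0         banners.example-adserver.test # blocked: unroutable address
192.0.2.45      www.example-bank.test         # hijack: real site sent elsewhere
"""

# The location the reply gives for XP; a hosts file anywhere else is not
# consulted by Windows and is worth questioning.
LEGIT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def classify(ip):
    """'local' for entries that point back at this machine (localhost or a
    blocklist entry), 'redirect' when a hostname is sent to a remote address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    return "local" if addr.is_loopback or addr.is_unspecified else "redirect"


def suspicious_entries(text):
    """Entries that would silently send a hostname somewhere other than this PC."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if classify(ip) != "local"]


def is_legit_hosts_path(path):
    """True only for the real XP location, compared case-insensitively."""
    return ntpath.normcase(ntpath.normpath(path)) == ntpath.normcase(LEGIT_HOSTS_PATH)
```

Run against a real file, any entry reported by suspicious_entries deserves a look, while a file that lives outside the legitimate path is inert and can go, as the reply says.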

#75 Lucky Cat

Posted 08 June 2004 - 02:04 PM

Okay, will do, thanks again VashonDude ;) I guess we're done here! C ya around :wave:

#76 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 14 October 2004 - 02:03 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum