Malware Removal: Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.
#1
I have carried out the tasks suggested in Read this before posting.
I think that I might have been hijacked, but before attempting to post a HJT LOG can you please inform me if I should reverse the process mentioned below, which I have pasted from before posting section:

quote
Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT); Only do this step if you have the about:blank or home search hijack.

You need to check to see if any of the following three Windows services are running:
Network Security Service
Workstation Netlogon Service
Remote Procedure Call (RPC) Helper

To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now, in the Services window that pops up look for exactly the following service names (no others) "Network Security Service" or "Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper". (NOTE: DO NOT DISABLE: Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator. They are both required services and are unrelated to the hijacker.) You could have more than one of the 3 mentioned bad services, so look for all of them. If you find these services, you must right click on it to bring up the service Properties window and do the following (refer to the Figure too):
unquote
#2
What do you mean reverse the process? If you had any of those exact services running, you needed to stop and disable them. That is why they were in the READ ME FIRST steps. You do not want them to run.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't." Support Majorgeeks on Facebook: Majorgeeks Newsletter
#3
Upon closer examination I think the correct procedure was carried out. In the para to which reference is made, I found "RPC (Helper)" and "RPC (Locator)" and as I understood, these should not be disabled.
During the course of tomorrow I will venture to post a copy of my HJT Log for checking. Thanks
#4
Quote:
Remote Procedure Call (RPC) Helper : is bad and must be stopped and disabled.
Remote Procedure Call (RPC) : is good - leave it be or you can have big problems.
Remote Procedure Call (RPC) Locator : is good - leave it be
#5
Sorry to be a nuisance but must admit that I am somewhat confused. Of the things mentioned only two were located. The status of what was found is as follows:

Remote Procedure Call (RPC) : When I click on Properties it shows that startup type as blanked out and Service Status shows started, under started all four options are completely blanked out.

Remote Procedure Call (RPC) Locator : When I click on Properties it shows startup type as Manual and Service Status shows as stopped, and under that, Start is highlighted.

RPC (Helper) was not found and as you indicated that is bad so no probs as far as that is concerned.

Hopefully you can see exactly what my dilemma is, hence the confusion. Please bear in mind that I am fairly new to the workings of the PC and consider myself as a novice.
#6
As I said below and as the procedure states in the READ ME FIRST, you should not be touching any service that does not match the exact names given.

Both Remote Procedure Call (RPC) and Remote Procedure Call (RPC) Locator are valid services and the settings you saw for them are the way they are supposed to be. You should not even be looking at these because they are not exact matches to the name of any of the three services listed in the READ ME FIRST (step 2). If you do not see one of the below, just move on to the next steps of the READ ME:
- Network Security Service
- Workstation Netlogon Service
- Remote Procedure Call (RPC) Helper
#7
I have completed all suggested tests to the best of my ability, therefore now enclosing a copy of HJT for checking. I am not quite sure if this is correct forum for doing so. If not please let me know and I will then post accordingly.

quote
Edit by chaslang: Unrequested inline log removed
unquote

Last edited by chaslang; 04-27-05 at 18:39. Reason: Unrequested inline log removed
#8
Please read the announcement and the sticky threads. HijackThis logs should only be posted when requested and then they must be added as an attachment to your message. Please do not post logs in line.

What is the reason for posting your HijackThis log anyway? What problems are you having? I did not see any apparent problems.

Note you are not using the built in quoting capability in the message editor.
Quote:
#9
I have had a proper read in connection with sticky threads and, having sent you my log file where you mentioned that it appeared to be OK, I am now satisfied that my worries were probably unfounded.

In the process of reading the sticky thread I could not help but notice that there were some comments which referred to XoftSPY, which I use. Having read the comments I have decided to disregard this prog because it is obviously not recommended, and one of my concerns when I first posted a thread was prompted by XoftSpy, which kept telling me every time I decided to use it that my home page was probably hijacked, whereas in actual fact I could find no reason for that notification. To top it all I was also unable to utilize the scheduler for regular scanning instead of having to do so manually or at startup. They were never able to explain why that was not functioning.

Thanks for your advice
#10
You're welcome!