Help, my computer was hijacked!

Discussion in 'Malware Help (A Specialist Will Reply)' started by wendynik, Jun 15, 2006.

  1. wendynik

    wendynik Private E-2

    Found a rogue user acct on my winXP -- ran all the tools according to Read & Run Me First instructions (except that I couldn't run Microsoft Malicious Software Removal in safe mode, so I ran in normal). Some of the reports seem to indicate that my anti-virus and firewall were disabled. I am still unable to update windows.



    hjt attached
     


  2. wendynik

    wendynik Private E-2

    Forgot to add, last bdfscan found no viruses. Attached is last activescan
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!
    Please uninstall Viewpoint Manager & Viewpoint Toolbar as instructed in step 0 of the READ ME.
    There are no other malware problems in your logs but you can have HijackThis fix the below lines:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: PowerReg Scheduler.exe

    I don't think you are having any malware problems. But make sure that ALL accounts on your PC, including the Administrator account which is only seen in safe mode, have passwords.

    You should check in the Software Forum about your inability to get Windows updates. The problem could just be related to how you have McAfee set up.
     
  4. wendynik

    wendynik Private E-2

    Thanks. I've been continuing to scan, going through your steps and then some and I think I have a better idea of what happened.
    According to the TrendMicro scan, I have an ASP.NET Path Validation Vulnerability. Coincidentally, the rogue account was called "ASP.NET ACCCOUNT"

    According to Spybot, it looks like the invader disabled Antivirus & Firewall and disable notification. HKEY_LOCAL...Windows Security Center AntiVirusDisableNotify and FirewallDisableNotify

    I think I've kicked him out and set up more secure firewall and antivirus, but it's still very scary. How can I be sure he didn't leave anything nasty behind?

    I'm attaching my most recent logs, if you wouldn't mind taking a quick look just to make sure.... (I have financial information on this computer, which I have to assume may have been compromised.) I appreciate your help
     


  5. wendynik

    wendynik Private E-2

    here is the hjt scan
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a rogue account. That account appears when you install the .NET update from Microsoft.

    Also not a problem. Spybot is just telling you that you have changed your settings from the default settings that Windows comes installed with. This happened when you installed McAfee to use for all of your security.

    Your logs are no different than before.....still clean.
     
