Solve : Quaxo has been hijacked.?

1.	Solve : Quaxo has been hijacked.?
Answer» Quaxo done f'ed up. Alright, here's the story. Someone (a trusted person) forwarded me an e-mail through my Hotmail account. Attached were TWO pictures. I went to open one and in the opening, I noticed something strange... it was fast, but I could see more downloaded than just that picture. My IE homepage was reset to www dot daemon-search dot COM (not advisable to visit that site). I set it to my normal about:blank homepage and it hasn't been changed again, but I want find and elminate whatever else came with it. (Firefox was untouched by it as far as I can tell). I've attached a HijackThis log and AVG is in the process of scanning my entire system right now. Until that finishes, could someone have a look through of the log and see if there's anything that shouldn't be there? I'll post back with any virus findings as soon as that's finished. Thanks guys. [file cleanup - saving space - attachment deleted by admin]Quote Someone (a trusted person)...Attached were two pictures...I went to open one You'll never do it again, won't you? Two main reasons: 1. Even, if a sender appear to be your FRIEND, it's not necessary the case. Bad guys have a lot of ways to fake email addresses. 2. Even, if a sender IS your friend, he/she may be infected, and don't know about it. Said that... ALWAYS scan any attachment with your AV program BEFORE opening it. I'll check now, what you have there.You have Trojan-Spy.Agent.204 Also, you need to update your Java. Your version is one notch old. Uninstall any older version through Add\Remove. You're using beta version of HJT. In your next post, use current version: http://www.snapfiles.com/get/hijackthis.html 1. Print this post out, since you won't have an access to it, at some point. 2. Close all windows, except for HijackThis. 3. Put a checkmark next to the following HijackThis entries: - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) - O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE') 4. Click on "Fix checked" button. 5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts) 6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders". 7. Delete following files/folders (if present): - msnsc.exe from C:\WINDOWS\system32 8. Turn off System Restore: - Windows XP: 1. Click Start. 2. Right-click the My Computer icon, and then click Properties. 3. Click the System Restore tab. 4. Check "Turn off System Restore". 5. Click Apply. 6. When TURNING off System Restore, the existing restore points will be deleted. Click Yes to do this. 7. Click OK. - Windows Vista: 1. Click Start. 2. Right-click the Computer icon, and then click Properties. 3. Click on System Protection under the Tasks COLUMN on the left side 4. Click on Continue on the "User Account Control" window that pops up 5. Under the System Protection tab, find Available Disks 6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:") 7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this. 8. Click OK 9. Restart in Normal Mode. 10. Turn System Restore on. 11. Run HijackThis again, and post back its log back here.Well, I knew she was sending them to me. Hotmail sees the attached pictures as just that, pictures. Something piggybacked the download though when I went to open one though. It's weird and hard to explain exactly what happened. Depending on what AVG finds tonight and how hard it is to remove, I might actually record a video (I have a screen to video capture program) of what it's doing just so I can stop the video and see exactly what all it does and what it downloaded.I doubt it was piggybacked....jpg's and other photo formats can easily be manipulated to carrry a malicious payload these days.I installed that Java update at one point, but after I did, Java stopped working properly so I went back down. Might of just been a bad update, I'll try again. Thanks for the help Broni. I've got to get some sleep now, but I'll carry on with this first chance I get tomorrow.Non-beta version log attached (prior to cleaning). Starting with your instructions now, will post back after I've finished. [file cleanup - saving space - attachment deleted by admin]All instructions followed. Post-cleaning HJT log attached. [file cleanup - saving space - attachment deleted by admin]Nice, and clean. How is your home page?Firefox is still nice and clean, never got changed from about:blank After resetting IE's homepage to about:blank, it hasn't been changed again. Thanks for the help, mate. I really appreciate it. They really should require more virus knowledge on the CompTIA A+ Certification. It's mostly Windows, Windows errors, and hardware... not much about what to do when you get screwed with a virus.Good, good. I guess, you had just small treat.

Answer»

Quaxo done f'ed up.

Alright, here's the story. Someone (a trusted person) forwarded me an e-mail through my Hotmail account. Attached were TWO pictures. I went to open one and in the opening, I noticed something strange... it was fast, but I could see more downloaded than just that picture.

My IE homepage was reset to www dot daemon-search dot COM (not advisable to visit that site). I set it to my normal about:blank homepage and it hasn't been changed again, but I want find and elminate whatever else came with it. (Firefox was untouched by it as far as I can tell).

I've attached a HijackThis log and AVG is in the process of scanning my entire system right now. Until that finishes, could someone have a look through of the log and see if there's anything that shouldn't be there? I'll post back with any virus findings as soon as that's finished. Thanks guys.

[file cleanup - saving space - attachment deleted by admin]Quote

Someone (a trusted person)...Attached were two pictures...I went to open one

You'll never do it again, won't you?
Two main reasons:
1. Even, if a sender appear to be your FRIEND, it's not necessary the case. Bad guys have a lot of ways to fake email addresses.
2. Even, if a sender IS your friend, he/she may be infected, and don't know about it.
Said that...
ALWAYS scan any attachment with your AV program BEFORE opening it.

I'll check now, what you have there.You have Trojan-Spy.Agent.204

Also, you need to update your Java. Your version is one notch old. Uninstall any older version through Add\Remove.

You're using beta version of HJT. In your next post, use current version: http://www.snapfiles.com/get/hijackthis.html

1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries:

- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

- O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')

4. Click on "Fix checked" button.

5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

7. Delete following files/folders (if present):

- msnsc.exe from C:\WINDOWS\system32

8. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When TURNING off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks COLUMN on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

9. Restart in Normal Mode.

10. Turn System Restore on.

11. Run HijackThis again, and post back its log back here.Well, I knew she was sending them to me.

Hotmail sees the attached pictures as just that, pictures. Something piggybacked the download though when I went to open one though. It's weird and hard to explain exactly what happened. Depending on what AVG finds tonight and how hard it is to remove, I might actually record a video (I have a screen to video capture program) of what it's doing just so I can stop the video and see exactly what all it does and what it downloaded.I doubt it was piggybacked....jpg's and other photo formats can easily be manipulated to carrry a malicious payload these days.I installed that Java update at one point, but after I did, Java stopped working properly so I went back down. Might of just been a bad update, I'll try again.

Thanks for the help Broni. I've got to get some sleep now, but I'll carry on with this first chance I get tomorrow.Non-beta version log attached (prior to cleaning).

Starting with your instructions now, will post back after I've finished.

[file cleanup - saving space - attachment deleted by admin]All instructions followed.

Post-cleaning HJT log attached.

[file cleanup - saving space - attachment deleted by admin]Nice, and clean. How is your home page?Firefox is still nice and clean, never got changed from about:blank

After resetting IE's homepage to about:blank, it hasn't been changed again.

Thanks for the help, mate. I really appreciate it. They really should require more virus knowledge on the CompTIA A+ Certification. It's mostly Windows, Windows errors, and hardware... not much about what to do when you get screwed with a virus.Good, good. I guess, you had just small treat.

Solve : Quaxo has been hijacked.?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment