View Full Version : remote control hijack



kinos
2009-03-11, 22:54
I recently formatted and made a big mistake: I left the remote control box ticked
(M/S default).

By the time I realised, I think it was a bit late,
as by that time I had two trojans and one virus.
And looking at my logs, I had an extreme amount of connections using my comp.


I have turned the remote control feature off, but I have found some suspicious files that don't look like they should be there,
and worst of all, I think my system has a hacker's codebase in place.

My firewall says I have routed packages that are trying to be sent.
(One instance):

The packet was either mistakenly or intentionally routed through your computer.
The data packet was sent from port 2093 on a computer whose IP address is xx.xxx.xxx.xxx.
And Explorer keeps trying to connect to an IP addy.
Explorer doesn't have any reason to do so as far as I know.

The trojans and virus have been removed, but I guess my system is now totally compromised.
Am I right to think this, and with this situation would another format be the only option?

kinos
2009-03-11, 23:00
Hi

If I use IE and bookmark a page,
I always receive what HijackThis calls unsafe ADS.
Upon removal, if I click the bookmark again the same ADS streams are found.

(A portion of what it finds)
C:\Documents and Settings\xxx\Favorites\Google.url : favicon (1150 bytes)
C:\Documents and Settings\xxx\Favorites\security\Safer Networking Forums.url : favicon (10134 bytes)
C:\Documents and Settings\xxx\My Documents\offline pages\xxxxx : favicon (1150 bytes)

Removed.

Use IE again and click the wanted bookmark, and this is what's found:

C:\Documents and Settings\xxx\Favorites\security\Safer Networking Forums.url : favicon (10134 bytes)


I've never found out why. I've looked, but I can't find any info that would explain this.
I did find one page on safe ADS saying that this would be fixed in IE 7.
They suggest unticking the "inform user of downloads" box, but ticked or not I still get the ADS.

Untick the box (ignore safe streams) in HijackThis and it finds this:

(Not bookmarks; these ?safe ADS are downloads, bar the sample pics one.) (A portion of what is found.)

C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\xxx\Desktop\checked\Firefox Setup 3.0.7.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\xxx\Desktop\checked\HJTInstall.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\xxx\Desktop\checked\mbam-setup.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\xxx\Desktop\checked\spybotsd162.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\xxx\Desktop\checked\SpySweeperRegSetup_GBR.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\xxx\Desktop\checked\WDM_A406.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\xxx\Desktop\checked\zaSetup_en.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\Dad\Desktop\checked\zlsSetup_70_483_000_en.exe : Zone.Identifier (26 bytes)

Are the safe ADS actually safe? Upon removing the ?safe ADS they are gone and don't appear again.
Do I really need to keep them? I used to remove them; however, I've just formatted and guessing seems silly,
esp. as I might have to format again (see post named remote control hijack), and the next time I want to get it right.

The same never used to happen with Firefox until v3 was released.
The latest version of Firefox seems to have resolved this, as the unsafe bookmark ADS don't appear if I use Firefox.

I only find ?safe ADS on downloads with Firefox.

(test download)

C:\Documents and Settings\xxx\Desktop\check\netalyz-0.4.2.4.exe : Zone.Identifier (26 bytes)
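
An added example, not part of the original posts: one way to triage scanner output in the `path : stream (N bytes)` format shown above, separating stream names with a well-known Windows or IE origin (`Zone.Identifier` download-zone markers, `favicon` on Favorites `.url` shortcuts, `encryptable` on `Thumbs.db`) from entries worth a manual look. The sample lines are constructed, and the size ceilings and verdict strings are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# stream name -> (file suffixes it is expected on, or None for any file;
#                 assumed size ceiling in bytes, illustrative only)
KNOWN = {
    "zone.identifier": (None, 1024),   # zone marker written on downloaded files
    "favicon": ({".url"}, 65536),      # icon IE caches on a Favorites shortcut
    "encryptable": ({".db"}, 0),       # empty Windows marker seen on Thumbs.db
}
LINE = re.compile(r"^(?P<path>.+?) : (?P<stream>[^:()]+?) \((?P<size>\d+) bytes\)$")

# Constructed sample input in the same format as the listings in the posts.
SAMPLE = r"""
C:\Documents and Settings\user\Favorites\Example.url : favicon (1150 bytes)
C:\Documents and Settings\user\Desktop\setup.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\All Users\Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\user\Desktop\notes.txt : favicon (1150 bytes)
C:\WINDOWS\system32\example.dll : payload (48128 bytes)
C:\Documents and Settings\user\Desktop\tool.exe : Zone.Identifier (90112 bytes)
"""

def classify(line):
    """Return (verdict, path, stream, size), or None if the line is not a stream entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    path, stream, size = m["path"], m["stream"], int(m["size"])
    rule = KNOWN.get(stream.lower())
    if rule is None:
        verdict = "review: unrecognised stream name"
    else:
        suffixes, ceiling = rule
        if suffixes and PureWindowsPath(path).suffix.lower() not in suffixes:
            verdict = "review: known name on unexpected file type"
        elif size > ceiling:
            # A familiar name proves nothing by itself; any data can sit under it.
            verdict = "review: larger than expected for this stream"
        else:
            verdict = "known"
    return verdict, path, stream, size

def triage(text):
    return [r for r in map(classify, text.splitlines()) if r]

if __name__ == "__main__":
    for verdict, path, stream, size in triage(SAMPLE):
        print(f"{verdict:45} {stream} ({size} bytes) on {path}")
```

A 26-byte `Zone.Identifier` is exactly the length of `[ZoneTransfer]`, `ZoneId=` and one digit with CRLF line endings, which is why every download in the listings reports that size.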