I've been hijacked by something!

Discussion in 'adware, spyware & hijack cleaning' started by thekillerbean, May 12, 2004.

Thread Status:
Not open for further replies.
  1. thekillerbean

    thekillerbean Registered Member

    Joined: May 12, 2004
    Posts: 2
    I'm a diligent HijackThis and CWShredder user and on a weekly basis I run these 2 programs. A family member recently installed a program that also installed a BHO - hotsearch. I ran CWShredder which found and exterminated this BHO. However, I've been left with something that causes my initial page load to take quite a long time - ~30 secs, after which I can surf with no hassle. However, should I need to open up another browser window or click on a link that opens another browser window, it proceeds to take ~30 secs to load.

    I then decided to run Trend Micro's Housecall which found TROJ_PITUX.A in a file "c:\q230903.exe" which I unceremoniously had deleted. A quick search on the net also led me to find "\Windows\system32\dk1.exe" which I also deleted - and with prejudice I might add! I also disabled System Restore so that files in my Restore folder could be wiped out.

    After all this, I still cannot determine what is causing me sorrow! I'm posting this in case someone else has seen this type of behaviour recently and might shed some light on what else to check on.

    I did not see the need to post the HijackThis log as I'm conversant with what each entry in the output log does. However, one of those executables could be compromised by something that the Housecall cleaner is currently unaware of!

    The PC in question only serves as a router (it's a laptop that has a wired NIC to the DSL modem and a wireless NIC that communicates with a Linksys wireless router - WRT54G - which services 3 other PCs) but I occasionally use it when need be. I might just switch over to Linux on it but I'd prefer not to as no one else in the household knows much about it.

    Thanks for your kind eyes and ears.
     
  2. dvk01

    dvk01 Global Moderator

    Joined: Oct 9, 2003
    Posts: 3,131
    Location: Loughton, Essex. UK
    Post a HijackThis log please

    and also

    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Unzip it to its own folder, not to the Desktop or a Temp folder. Click on KillBox.exe and it will open. Now click "find", then "find vx2 better internet". The little pop-up window that says "killbox file list" will open if it finds any files. Then press file/create log, and when a pop-up asks whether you want to create a log in Notepad, say yes, then save as usual in Notepad and copy & paste the resulting list here.
     
  3. thekillerbean

    thekillerbean Registered Member

    Joined: May 12, 2004
    Posts: 2
    dvk01,

    Thanks for your response. Just after posting this question, I remembered another tool I hadn't used yet - regmon. I ran this tool a few minutes ago and caught the registry entry that was causing me worries.

    Apparently, AIM was being launched off of a network share. This program has never been the cause of issues as I have used it on numerous occasions on the laptop. What happened this time around was that the network share in question was not available as the computer user (one of my kids) is on vacation and had turned his PC off - it is rarely ever turned off!

    My only question is why is AIM launching when IE is launching? That is rather odd if you ask me! In any case, the problem has been fixed by removal of this registry entry - I really don't care for AIM anymore. It'll be saying bye bye to my world tomorrow.

    I'm off to bed as it is way past my bed time in the land down under.

    Later.
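
The failure mode found in this thread (a registry value that launches a program from a network share, which stalls when the share's host is off) can be checked for in bulk. The following is an added example, not part of the original posts: it scans a regedit text export for string values that reference UNC paths. The thread does not identify the registry key involved, so the key names, value names and host name in the sample are constructed.

```python
import re

# Constructed sample in regedit export format (not taken from the thread).
# Key names, value names and the host KIDSPC are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Launcher]
"Path"="\\\\KIDSPC\\shared\\aim\\aim.exe"
"Local"="C:\\Program Files\\Example\\app.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Helper]
"Command"="\"\\\\KIDSPC\\shared\\tool.exe\" -quiet"
@="C:\\Windows\\notepad.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Value name (or @ for the default value) followed by a quoted REG_SZ string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# \\host\share at the start of the data or after a quote/space/separator.
UNC_RE = re.compile(r'(?<![^\s"\',;=])\\\\([^\\/\s"]+)\\([^\\/\s"]+)')

def unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)

def find_unc_values(reg_text):
    """Return (key, value_name, host, share, data) for each UNC reference.
    Only plain string values are parsed; hex-encoded values are skipped."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        for host, share in UNC_RE.findall(data):
            hits.append((key, name, host, share, data))
    return hits

if __name__ == "__main__":
    for key, name, host, share, data in find_unc_values(SAMPLE_REG):
        print(f"{key} -> {name}: depends on \\\\{host}\\{share} ({data})")
```

Real regedit exports are usually UTF-16 encoded, so decode the file accordingly before passing its text to `find_unc_values`.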
     