knuckle draggin...
Can build a vehicle that you could operate safely at 200 miles per hour plus, from scratch, or even build a vehicle that could get you into space (probably couldn't get you back though), but these computers kick my hiney. Hat in hand, I bow to the Grown Up Geeks.

I have a hijack virus. I am coming to you in safe mode. Can't even use regular mode. If you decide to walk (crawl) me through this I hope you have patience because you will truly be working with a computer old guy neanderthal. A lot of the language, words you use as regular everyday lingo is completely Geek to me. Ha Ha Ha I crack me up, Geek instead of Greek oh I am punny. Ok I'll stop.

All my wife's precious pictures of our kids and grandkids are on this computer and I want to get it all back for her. I want to be her Knight in Shining Armor. I could build the Armor and the Sword but the computer she za da death to me.

Snif sob please help this knuckle dragging welder.

Re: Hijack virus

Firstly - welcome! We'll do our best to help

Secondly, although it's probably a bit like telling someone to wear their seatbelt AFTER they run into a telephone pole, if your wife has precious pictures YOU MUST BACK THEM UP! How you back them up is a whole nother post as it can get complicated, so let's take this as a learning experience regarding the importance of backing up important stuff.

THIRD - keep in mind that not everyone can fix these things themselves and it might be worth plopping down $75 at the local geek-store if those photos are really that precious. To put it another way, suppose I came to an auto-repair forum for beginners and said: "My transmission is broke. I can get it into reverse, but that's about it. Please walk me through how to fix it. And keep in mind that I have only basic tools, but I don't really know how to use them" .. See what I mean?

Ok.. enough bloviating.. let's get started... it MIGHT turn out to be not all that complicated..

You have two options: 1) "clean" the bad stuff off and go about your business or if that fails 2) extract all your important stuff, wipe the whole thing clean, and start over

let's go for option #1 because it is usually faster and easier.. #2, the last resort will get ugly..

I would start by downloading and running a program called Malwarebytes. You can download it for free here: MalwareBytes.com .. Be careful to click the blue download button right below where it says "download location", and not one of the advertisements that may also say "download" .. Be sure to read all of the instructions on how to install and use/run the program here: How to use Malwarebytes. It's not very complicated, and it's spelled out very well - just a lot to read.
Chances are that Malwarebytes will take care of it all for you.. If so, come back and post your thanks.. if not, then things may get complicated - come back and post what happens, we'll need some other additional information, and we'll go from there.

knuckle draggin...
Re: Hijack virus

First off, I feel a little awkward referring to you as Hubby. Just sayin'. ;) So here goes.

Dear Hubby,
Here is what I have done so far prior to posting here.

Ran Spy bot. Found stuff and did what Spy bot does to found stuff.
Ran malwarebytes. Same as above.
Ran AVG free. Did not find stuff.

Ran all these in safe mode in the order above as well as ran all updates first.

What the computer does still after running the above: In regular mode (not safe) after booting up it says that I have a security problem and to click on the balloon emanating from the right hand bottom of the monitor where all the icons are. It takes you to a fake web site, in my case it is a Malwarebytes site, and says that I have to purchase their product in order to fix the problem.

The first thing I looked into was my Windows security to see if all was ok and when you click on the security icon in the control panel, security starts to come up and then a balloon pops up saying "program or file" cannot be found. When you try to go to the internet it says the same thing and won't allow you to go to other things as well like System Restore.

So from safe mode I researched what is up. Most posts are from 2005 through 2008. Seems like I need to download "HijackThis" and run a log of some kind and allow the Geeks to review, and then a list of changes to be made and in the end success.
Problem for me was I did not understand all that was said. Like how to get the log, where to get the download, how and where to go to make the changes.

I am pretty sure with a little prompting that I can get this done. I have identified a rootkit on my computer with a malware program, which for some reason the program could not remove, googled it, found the rootkit killer download. Downloaded it, ran it and Viola! she za no more sick.

I plan on purchasing a terabyte external hard drive for future backup, and for current backup I have been using a stand alone computer, not connected to the internet, utilizing a USB device called "Multi linq" by BAFO. However it is now officially full as well as being compressed.
The problem is my wife puts the pictures on the computer and I transfer them to the backup computer. Camera will hold about a years worth of events before she puts them on the computer and then wipes her card clean. Now she is going to purchase new cards each time it becomes full for another layer of protection.

Of course the hijack virus was not expected because I use AVG, Spybot, and Malwarebytes all the time to keep the bugs away.

So I can totally relate to your analogy of putting on a seat belt after you run into a tree.

As far as the tranny analogy, you're right, basic tools and no mechanical intelligence could be a problem. However if you had the interest and drive that's all I would need. We can purchase tools as we come to the need for them. You would just have to realize this will take a while. I got some basic tools, one or two special tools, a little knowledge, enough to be dangerous to my computer, as well as interest and drive.

If you are willing I will be your ,please pardon spelling, pa di one oh Obee one and together we will use the force to remove this intruder.

KDW (knuckle dragging welder)

Re: Hijack virus

ok, you've done pretty good so far - looks like you actually have a few transmission-repair tools and you DO know how to use them..

Let's veer off from what is wrong or right to do, and into opinion for just a moment:
At this point, you've found some nasties, cleaned some of them, but your computer is still infected. Even if you can clean what you see, you can't clean what you can't see - by that I mean, you can now never fully trust this installation of Windows. If it were ME (opinion now), I would go into safe mode, pull out those pictures and any other documents that you care about onto a thumb-drive or that terabyte external drive.. Then, get the original Windows disk or manufacturer's "recovery" disk, and nuke that sucker back to a clean state -- Completely format the drive, wipe out all bad memories, and start fresh by installing Windows new.. This will save you much time and frustration, and you can then be mostly certain that the computer is safe and not stealing your passwords or credit card numbers in the background. If it were ME, I would also then sell that Windows PC right after wiping it clean, get a Mac, and not have to worry about this kind of silliness again..

As for storing the pictures on the camera - make sure she copies them off the camera often. SD Cards (or other memory cards in cameras) fail easily and often. Cameras also get lost and fall into lakes easily. As long as the photos are on the camera AND somewhere else, that's good.. but JUST on the camera = bad.

Ok.. now, back to solving your problem.. like I said above, if it were me, I would take the easy way out, and just nuke it.. But, if you enjoy the pain, let's see what we can do next.

Are you sure you ran a new/fresh/updated copy of Malwarebytes? Highly unusual that it didn't find everything - and, did you update your AVG? If not, update them and re-run them.

HijackThis will generate a giant file that we can look at to see what is in your computer that should not be, then point us in the right direction of removing it - If Malwarebytes or AVG can't find/fix what you have, then HijackThis will point us to it, but you will then have to manually dig into the registry based on the instructions of total strangers like me and hopefully not screw something up. One wrong move in the registry can easily render your computer NON-bootable.. Things are now getting ugly... Before you do anything else, I would get that backup of anything you care about on the computer.. then, and ONLY then would I run HijackThis and try to fix anything manually.

As far as using HijackThis, you can read about it and download it here: HijackThis - BUT, like I said, I would get that backup NOW, before going any further.. You wouldn't jack your car up with a floor-jack and slide under it without jack-stands would you???

knuckle draggin...
Re: Hijack virus

Hubber, that is totally the plan to reformat and I am always happy to listen to opinions, and thank you for yours, it confirms that I am on the right track in my thought process. I want to try what anom/user posted right after you posted because it is something I can do right now. When the time comes to reformat, after I get the external and do backups, for XP I do have all the disks from Dell, at least the ones to get up and running again, which are, in installation order:

"Reinstallation CD Microsoft Windows XP Home Edition Service pack 2"

"Dell Resource CD"

"Dell Application"

"Roxio Creator Premier SD 10.2"

I printed off from this site "how to reformat your windows XP computer" and for the most part it was people's problems with minimal how-to's. I was looking for a tutorial step by step. I believe I did not look or search correctly. Reformatting is so common it seems that, I would imagine, it is somewhere on this site, I just don't know where to find it. I printed out "How to partition and format a hard disk by using Windows XP set up program." Article ID 313348, and it blew me right out of the water from the first page. SATA, IDE, Masters, Subordinates, jumpers, cables, BIOS, CMOS, like I said before Geekineese. I need Geekineese with translation. :)

I have started to back up to the stand alone and it got full as stated before. I was backing up files that I downloaded myself or things I created i.e. picture files and so on. I did find a Dell drivers file but everything I have read says you want to back up certain files that I just don't have any idea as to what those may be. Essential files to back up. I also have been told that I need to purchase an Anti Virus because I will probably be backing up the virus as well and I need to load the AV on to the freshly reformatted hard drive before I bring anything back and then I guess run it before bringing it back? Would not really know how to do that without some prompting.

I will leave it at this for now.

Eagerly awaiting your response, opinions and expertise.

Thanks in advance


Re: Hijack virus

I believe that for your Dell, all you need to do is boot up on your Reinstall CD, follow the instructions, and select the option to "reinstall Windows" - you will get warnings about all data being erased, etc. This will do the reformat for you. The result should be a new, fresh install of Windows. You might first try to boot up from your Dell Resource CD, to see if it gives you the option to "restore to manufacturer defaults" (or something worded similarly).

After you re-install Windows, you will want to install your antivirus and make sure it is updated/current, then start copying back your data - documents and photos - and reinstalling your software.. also, ONLY install software that you know you need and use. For example, do you actually use Roxio Creator? If you don't, don't re-install it - it just gives you more things to go wrong.

knuckle draggin...
Re: Hijack virus
Hubber have a look at what I posted to AV. Got any ideas what I can work on for now until I get the backup device and reformat? Also what about the tutorial on reformatting? Don't need it because the Dell install disk will walk me through it? And are there any files I need to be looking for to back up before I reformat? Thanks in advance for your help. KDW

Re: Hijack virus

Anything from here on out is going to be difficult, and manual.. The machine is far past the point where I would spend any more time on it.. and trying to remotely step someone through everything would be like.. well.. like trying to explain to someone how to rebuild that transmission.

The Dell install disk should do your reformat and Windows re-install for you.. you just fire it up, read & follow the directions, heed the warnings, press GO, and sit back and wait (might take an hour or two).

The files you need to back up are anything that you have created, that you care about:
Word documents
Internet Explorer favorites
email messages stored/saved on the hard-drive

Don't worry about "programs" as you can't really back them up, and you will need to re-install them the same way you installed them the first time.. you need worry only about any data you have created inside those programs.

Don't forget - if you are unsure about this process AND if the "stuff" on the computer has any significant value, now is the time to consider paying that ~$75 to a professional.

knuckle draggin...
Re: Hijack virus
Hubber I have to admit trying to help someone rebuild a tranny one post at a time would be fun, kinda like getting a root canal. Well your point is well made but I'm like a kid that doesn't get the answer he likes, he tries to re-ask the question hoping to hear what he is wanting to hear. I'm such a kid living on a river bank in Africa. You know Da Nile. Thanks Again ;) KDW
Anonymous Visitor
Re: Hijack virus
First do what Hubby said and copy all irreplaceable data onto a USB storage device. I do not recommend the smaller ones that are powered by the USB port - I urge people shopping for an external drive to get one that plugs into the wall like a Western Digital MyBook. Do this now.

Malwarebytes should have taken care of the active malware file mainly responsible for this. AVG and SpyBot would be useless on an already installed malware "infection". HijackThis won't be much help unless you know what the list means and which entries might be problems. And it also won't remove the malware.

So with data backed up, you have nothing to lose, right? You could now do a Windows reinstall, which is also called System Recovery if you have recovery disks or a recovery partition on your computer's drive. But you seem game to try to lick this so let's smack it around a bit. :)

Your immediate problem is a certain malware file that Windows is told to run when started normally. This malware file was probably randomly named and placed into a hidden folder in your User Account. You were unknowingly tricked into installing this on your own computer. In Windows XP, this hidden haystack is in the Local Settings directory which is hidden (C:\Documents and Settings\*logon name*). In Vista and 7, it is placed inside the C:\Users\*logon name*\AppData or C:\ProgramData directories. You'll have to unhide hidden and protected system folders to see these directories.

Since you have clicked around on the tray balloon and the fake scanner and this malware program took you to planet Vega and back (heh), you might also have a rootkit which could affect your web search results. The good news is that apparently you can get online from Safe Mode, which tells me that your Proxy settings and hosts file are probably OK. Also good news is this particular malware install apparently let Malwarebytes phone home to its update server.

I mentioned earlier that I was surprised Malwarebytes didn't remove the active malware, so let's try this manually. If you are in Safe Mode, click Start and type in "msconfig" (no quotes). If Vista or 7, msconfig.exe will appear at the top of the search list. Click it. Once System Config Utility opens, click the Startup tab. This is a list of things that Windows is told to automatically start when started in normal mode. If your computer has never been messed with by anyone with marginal tech skills, you might have quite a list with each entry having a checkmark in front of it. Things with checks get automatically loaded at startup, no check means the item doesn't get loaded at startup.

In this list, what you want to look for is the active malware file or files. There may be more than one. Carefully look at each line and drag the Command column out to the right so you can see the full path. You are looking for a path that ends with a randomly generated file name that ends in .exe. Again, here are examples of the first parts of suspect paths: C:\Users\*username*\AppData\Local\ in Vista and 7 (and also in 7, the file may be in C:\ProgramData), or in XP... C:\Documents and Settings\*logon name*\Local Settings or C:\Documents and Settings\*logon name*\Local Settings\Application Data. Since some malware infections name their files AVG.exe, look for that one too.

If you see anything in System Configuration Utility's list that resembles any of these command lines, UNcheck it. Don't worry about unchecking something important - this can be undone by going back in that same way. At this point, I go to the file that the path shows and delete it, but I know exactly what to look for. We don't want to delete something you actually need so for now, unchecking it (stopping it from starting) serves your purpose. With suspected command paths of the malware unchecked, restart in normal mode.

If you picked the correct items from the msconfig list, the popups are not happening and you can now run Malwarebytes and any other .exe. Start Malwarebytes, do the update, then run a "Quick Scan". After it's finished click "Get Results" and click "Remove Selected". It may prompt for a reboot and when Vista or 7 reboots, you have to give permission for Malwarebytes to run and finish the cleanup - look for the prompt in the lower-right task bar.

Next download HitmanPro free version from SurfRight. Run it, let it update, hit Next, choose the "one-time scan". When it's done scanning, look at the list to see if there's anything besides tracking cookies. If there's anything in red like a rootkit, choose Next. On the activation page there will be a text link to do a one-time free activation. Click that and allow it to clean the rootkit and reboot if asked. Again - Vista or 7 will ask for startup permission.

Optimistically, your machine is now clean. Go into Add/Remove and uninstall all security products. AVG, AdAware, SpyBot, Norton (Symantec), McAfee, all of it. You can really crap up a system overloading it with this stuff, which is pretty much useless against modern threats (as was shown by your experience). I recommend using only one AV product and then being informed about pop-ups which, when clicking OK on the wrong one, will cause malware files to be installed. My preferred AV is Panda Cloud and I train customers to close all script-generated pop-ups using Task Manager.
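As an added example (not code from this thread, from Malwarebytes or from any other tool named in it), here is a small Python triage script that applies the rule of thumb in the post above to a constructed msconfig-style startup list: it flags entries whose program runs from the user-writable profile/data folders the post names, whose file name looks machine-generated, or that call themselves AVG.exe outside Program Files. The user name KDW, the file names and every sample path are constructed assumptions, not values from the poster's machine.

```python
import re
from typing import NamedTuple

class StartupEntry(NamedTuple):
    name: str     # msconfig "Startup Item" column
    command: str  # msconfig "Command" column: program path plus arguments

# Drop locations the post names for the fake-AV executable (XP: Local Settings /
# Application Data under the profile; Vista/7: AppData or ProgramData).
USER_WRITABLE_DIRS = ("\\local settings\\", "\\application data\\",
                      "\\appdata\\", "\\programdata\\")
_QUOTED = re.compile(r'^"([^"]+)"')
_UNQUOTED_EXE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)

def executable_path(command: str) -> str:
    """Program path from a Command column value, quoted or not, arguments dropped."""
    text = command.strip()
    m = _QUOTED.match(text) or _UNQUOTED_EXE.match(text)
    return m.group(1) if m else text

def looks_random(stem: str) -> bool:
    """Crude test for a generated name: digits mixed with letters, or almost
    no vowels, in a name of at least six alphanumeric characters."""
    if len(stem) < 6 or not stem.isalnum():
        return False
    has_digit = any(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    return (has_digit and any(c.isalpha() for c in stem)) or vowels / len(stem) < 0.2

def suspicion_reasons(entry: StartupEntry) -> list:
    """Reasons an entry deserves a closer look; empty means nothing matched."""
    lowered = executable_path(entry.command).lower()
    basename = lowered.rsplit("\\", 1)[-1]
    stem = basename[:-4] if basename.endswith(".exe") else basename
    reasons = []
    if any(d in lowered for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable profile/data folder")
        if looks_random(stem):
            reasons.append("file name looks randomly generated")
    if basename == "avg.exe" and "\\program files" not in lowered:
        reasons.append("uses a security product's name outside Program Files")
    return reasons

def triage(entries) -> dict:
    """Map startup item name -> reasons, keeping only flagged entries."""
    return {e.name: suspicion_reasons(e) for e in entries if suspicion_reasons(e)}

# Constructed sample of an msconfig Startup tab; not the thread's own machine.
SAMPLE_ENTRIES = [
    StartupEntry("AVG Tray", '"C:\\Program Files\\AVG\\AVG9\\avgtray.exe"'),
    StartupEntry("iTunesHelper", '"C:\\Program Files\\iTunes\\iTunesHelper.exe"'),
    StartupEntry("Malwarebytes", '"C:\\Program Files\\Malwarebytes\' Anti-Malware\\mbamgui.exe" /starttray'),
    StartupEntry("ksd8dh", "C:\\Documents and Settings\\KDW\\Local Settings\\Application Data\\ksd8dh.exe"),
    StartupEntry("AVG", "C:\\Documents and Settings\\KDW\\Application Data\\AVG.exe"),
    StartupEntry("x7q2pwk", "C:\\Users\\KDW\\AppData\\Local\\Temp\\x7q2pwk.exe -autorun"),
]

if __name__ == "__main__":
    # Uncheck and review, as the post advises; this list is a triage aid, not a verdict.
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Legitimate programs (updaters, sync clients) also start from AppData, so a hit means "look closer and uncheck", not "delete".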
knuckle draggin...
Re: Hijack virus
Anom/vis.(AV) Thanks for the post. Hubby also thanks for your help as well. Sorry I jumped right in to it and did not say thank you, and thanks for the camera tips. :)

AV I am going to give it a try right now, however I have messed with my start up menu a lot over time with Spybot tools. I look at Phil Collins? start up list comments and I uncheck anything he says is malicious, resource hog or generally not needed. Yes there is quite the list and a lot of it is unchecked. I have never looked at start up from msconfig mainly because there isn't any guidance, what to leave checked and what to uncheck. With your comments I feel a little more confident or dangerous. More specifics would be very helpful to me. Example: can you uncheck enough stuff to where your computer won't even start? At the bottom of Spybot's list is a bunch of windows or winlog items with no explanation. There is the AVG item you mentioned I am remembering here, I usually do not uncheck because it's AVG ;) even though there isn't any Collins explanation. Hummmmmmm!? I will uncheck them all if it will allow me to get up and running in regular mode for now and allow me to download some round up so I can kill some roots if necessary, and it seems you are pretty confident that there might be.

"(C:\Documents and Settings\*logon name*)." Am I looking for logon name or is logon name generic for whatever the virus might be using? "You'll have to unhide hidden and protected system folders to see these directories." How?

Well went there. Tried to print it all out here. Could not get it to copy and paste. Maybe around 12 line items. Unchecked them all. Things like AVG tray something, iTunes, mbam Malwarebytes thing, Kodak stuff, a couple of others. Nothing seemed to be critical to the operation of the computer so I unchecked them all in the spirit of "living la vida loca" ;)

"I recommend using only one AV product and then being informed about pop-ups which when clicking OK on the wrong one, will cause malware files to be installed. My preferred AV is Panda Cloud and I train customers to close all script-generated pop-ups using Task Manager." Want to know and understand above quote. Also is "Panda Cloud" freeware or should you purchase it? In disk form or online...etc.

AV and Hubby and anyone else please write to me as if I am a booger eating curtain climber and I don't know nuthin. Totally won't insult me because it's true and the extra detail will help a whole lot. I have to reboot so I will be back later. Thank you in advance. KDW