Jump to content

Computer Hijacked!


mittheimp

Recommended Posts

Can't get into certain sites like google, bbc, etc as its hijacked by a dodgy search engine. Tried scanning with various spyware programmes and half of them crash before they finish the others claim to have found and quarantined 'downloader.agent.uj' but it doesnt solve the problem and it appears again next time i scan.

Any (non jargon simply explained) help much appreciated -

at least i can still get into TV though!

Link to comment
Share on other sites

If you don’t have any luck with a spyware removal tool such as the one suggested by mid, the first thing I would check if I was you is that there are no suspicious add-ons running as part of internet explorer. To check add-ons go to internet explorer and click Tools->Internet options. From the resulting dialogue select the 'Programs' tab at the top and click the 'Manage add-ons' button.

From the 'Manage add-ons' dialogue choose 'add-ons that have been used by internet explorer' from the drop down list at the top.

Look for any add-on that appear suspicious and disable them by selecting the add-on and selecting the disable button. If you disable something by mistake you can just re-enable it again afterwards. In my experience most malware is poorly developed and the tell-tale signs can stand out.

Look for

No publisher information, or a publisher you probably don’t want software from e.g. MySuperFreeToolbarCompany.com, freesmileycursors_r_us, xxx_free_pics(corp) - you get the idea

Non-descriptive or give-away names. Names that have 'toolbar', 'helper', 'my-something-or-other', 'free-this-or-that' are examples of what to look for and disable.

Pictures saying a thousand words, I've attached a graphic that may help.

There are many ways for malware to infect your system - this is just one of them that seems quite popular.

Hope this helps,

Malc

post-28752-1165005395_thumb.jpg

Link to comment
Share on other sites

I like Trendmicro's online scanner. It catches a lot of things. You might want to try that. One thing that many programs recommend is to turn off Microsoft's System Restore before doing a scan. Try turning yours off and then do a scan/quarantine and see if that does anything.

Link to comment
Share on other sites

spybot

download , update and run :D

One of the good ones..... but start Windows in 'Safe Mode' and then run it, some of the more pesky bits of spyware can't be removed once they have been loaded into memory.

Also download Ad-Aware and run that. Spybot is very good, but it doesn't get them all.

Alternatively, sell the PC 'as is' to someone you don't like and buy a Mac :o

//edit/typo

Edited by Thaddeus
Link to comment
Share on other sites

Bad news :o

This particular exploit installs a rootkit into the kernal of your operating system. Spybot and Ad-Aware will NOT permanently remove this, even in safe mode as the rootkit will re-install it.

The only decent program to deal with it is Backlight. Use it to get rid of the rootkit, then scan (in safe mode) with one or more antispyware programs to look for the leftovers.

Be prepared to reinstall Windows if it doesn't work.

With a rootkit the main brain of your OS has been compromised. You can't trust system restore or removal programs until the rootkit is gone.

An explanation of rootkits:

http://www.microsoft.com/technet/sysintern...itRevealer.mspx

For future safety:

Ad-Aware and Spybot are great but I'd advise having something that scans in real time as your first line of defense. Windows Defender is IMO the best along with the paid variant of Ad-Aware. The others will only tell you you have an infection, not block it's installation.

Even good antiviruses are at best marginal in detecting hijacks. Anti-spyware programs listed above do a better job.

Don't use Internet Explorer. Get Firefox. If you must use IE, run it at medium or high security and add sites to your trusted zone individually.

If you want to surf "naughty" sites (not saying you did..just sayin' in case) install Linux on partition on your hard drive and boot to the Linux before surfing or downloading.

Edited by cdnvic
Link to comment
Share on other sites

There is another thread similar where Mobi had a Trojan virus, and I posted there that today I would help my nephew with a Trojan virus on his computer.

However I made no progress as this little Trojan screen repeatedly came up on every mouse click.

Could not connect to the net, so was unable to run any program at all.

So the suggestion above from Cdnvic looks good, but I wouldn't have the capability to use it.

All the virus screens pointed at C/Windows/system32/dll type files.

Is it a total re-format and re-install?

I feel so sorry for this young kid as he needs it for school work and all he did was play an innocent online game from China. :o

Link to comment
Share on other sites

I came across a couple of nasties last week that weren't detected by Avast, and which are mostly referred to in Google by Thai and Chinese websites. I only found them because my firewall (Zone Alarm) popped up asking permission for some weird sounding programs to access the internet.

One was called AdobeR.exe (or RavMon), which downloads addware/crapware onto your computer. It has the annoying habit of copying hidden files onto removable media like flash cards, including an autorun file to make sure it gets installed next time you stick your card in somewhere else. You need to view hidden files to see it, but on the hard drive it was in c:/windows/adober.exe.

Another even more evil Chinese nasty was called iexp1ore.exe, which replaces your desktop/toolbar shortcuts to internet explorer with a link to its evil trojan self. This one redirects you to dodgy Chinese websites, maybe you have it. It was in the same folder as internet explorer.

Both were easily removed - shutdown the relevant processes in windows task manager, and delete the files. It also sets up entries in the programs/microsoft/windows/run registry area.

Edited by Crushdepth
Link to comment
Share on other sites

I came across a couple of nasties last week that weren't detected by Avast

Don't mix up antivirus and antispyware programs. AV programs are never that great at looking for trojans. Windows Defender will block the install of the trojans.

When kids are online don't let them run as administrator in Windows 2000/XP. If it's Windows98 you need to upgrade as MS has ended support for it and no new security patches are being produced.

Link to comment
Share on other sites

Sincere thanks to everyone for advice and suggestions - not tried everything yet but should have some time today.

Kayo why the presumtion that this was caused by looking at porn sites? That certainly is not the case with me :o but can't necessarily vouch for my wife!

Ill let you know how i get on!

Mit

Link to comment
Share on other sites

Bad news :o

This particular exploit installs a rootkit into the kernal of your operating system. Spybot and Ad-Aware will NOT permanently remove this, even in safe mode as the rootkit will re-install it.

The only decent program to deal with it is Backlight. Use it to get rid of the rootkit, then scan (in safe mode) with one or more antispyware programs to look for the leftovers.

Be prepared to reinstall Windows if it doesn't work.

With a rootkit the main brain of your OS has been compromised. You can't trust system restore or removal programs until the rootkit is gone.

An explanation of rootkits:

http://www.microsoft.com/technet/sysintern...itRevealer.mspx

For future safety:

Ad-Aware and Spybot are great but I'd advise having something that scans in real time as your first line of defense. Windows Defender is IMO the best along with the paid variant of Ad-Aware. The others will only tell you you have an infection, not block it's installation.

Even good antiviruses are at best marginal in detecting hijacks. Anti-spyware programs listed above do a better job.

Don't use Internet Explorer. Get Firefox. If you must use IE, run it at medium or high security and add sites to your trusted zone individually.

If you want to surf "naughty" sites (not saying you did..just sayin' in case) install Linux on partition on your hard drive and boot to the Linux before surfing or downloading.

just ran this programme and it didn't find anything!

help! If i have to reinstall windows what does that mean exactly?

Link to comment
Share on other sites

I've dealt with alot of viruses and actually enjoy the challenge. I'm familliar with this one and I'm convinced the best thing to do would be to go to a computer forum vs this one. Not that there aren't a lot of great suggestion here but.... First I would get Firefox so you can at least browse the internet without being redirected. Second I would (if you haven't already) download a program called hijack this. An excellent forum you can use is http://www.5starsupport.com/ipboard/lofive....php?t2144.html which will deal directly with the problem you have at hand. You don't need to be computer savy but should have a printer handy so you can copy their instructions as there will be a some rebooting in safe mode going on. The product I use is fixwareout which can be downloaded from their site. Yry this out and see if it works. Also, you don't need to sign up for the forum, just use yhe guidelines posted. Cheers :o

Link to comment
Share on other sites

help! If i have to reinstall windows what does that mean exactly?

1) Copy all yout personal data to somewhere else: another computer on the network or burn a CD/DVD or copy to another harddisk external/internal or to a thumbdrive or whatever medium that's avaiable and big enough to hold your data.

2) Put in the Windows installation disk and follow the on screen instructions.

3) Install a firewall - ZoneAlarm will be just perfect.

4) Copy your personal data back to appropiate folders on your harddisk.

5) Enjoy.

Link to comment
Share on other sites

I found this from a search:

http://blog.evilissimo.net/2006/08/07/how-...andownloaderuj/

The guy who had this similar malware, got rid of it following these instructions.

:o

Looks like ive cracked it! Well at least im not hijacked when going to any websites anymore! The link from friend2 was the one that seem to be the important one, followed by lots of scanning in safemode.

Thanks very very much for all the advice - extremely useful when you know as little about computers (when thet go wrong) as i do. Now i need to keep a closer eye on what my wife is doing on the PC!!

Link to comment
Share on other sites

spoke to soon!! :o:D

Although microsft internet explorer seems to be working ok now - i downloaded firefox as people seem to think it is a safer browser and the same thing is happening here - instead of going to google it finds dodgy porn orientated search sites! So there still must be something still somewhere on the PC!

Link to comment
Share on other sites

Rootkits are like this unfortunately. :D

Follow Cyberstar's instructions for re-installing Windows with the addition of reformatting the drive first.

I could go on about it but there's an excellent FAQ here that explains the process in fairly easy to understand terms.

I highly recommend using a NAT router, as they are the best firewalls. Most modern routers are NAT capable. (D-link, Linksys)

After reinstall, make sure your Windows firewall is on and install these items:

1. Every security patch from Windows Update (The only site you really need IE for)

2. Windows Defender (from the same site) for realtime protection against trojans. Grab Spybot and Ad-aware for weekly scans as a backup.

3. Firefox and Thunderbird

4. An antivirus. If you don't already own one, there's Avast, the best of the free ones (avoid AVG) nod32 and Bitdefender are my picks for paid AVs.

Although Firefox is your web browser now, IE is still there. Make sure that IE isn't set as your default image viewer, or is associated with any file types or they will invoke IE when you encounter them. Mail hijacks do this, even if you are not using Outlook.

Also, don't get the impression that there's no danger surfing with Firefox, it's just a much safer option. Use common sense and when in doubt, ask about something that looks fishy. :D

I know the re-install is a bit of a pain but at least you get a clean start. :o

Edited by cdnvic
Link to comment
Share on other sites

spoke to soon!! :o:D

Although microsft internet explorer seems to be working ok now - i downloaded firefox as people seem to think it is a safer browser and the same thing is happening here - instead of going to google it finds dodgy porn orientated search sites! So there still must be something still somewhere on the PC!

It could be such a simple thing as an tampered hosts file...

You should have a look at that one.

Sometimes malware installs their own hosts file and redirects the registry to use that one instead.

My advice would be to follow Popeyethesailorman post above, and go to the

http://www.5starsupport.com/ipboard/lofive....php?t2144.html site and post a hijack this log.

Hijack this is a small program you download, that will give a lot of insights to what's going on in your machine.

You then post the log created by the program at the site above and let the "pro's" sort it out for you.

Link to comment
Share on other sites

I understand this is a bad threat, but with so little known what else

is roaming around in his computer, a re-format sounds a little pre mature to suggest wouldn't you agree ?

Without a Hijackthis log (and perhaps logs from other tools as well)

I wouldn't throw in the towel as of yet.

Offcourse that being said, a re-format is always a possibility.

I guess you have to weigh the plus and minuses of doing so, as it

depends on how valuable/time consuming your setup is.

A good tip for mittheimp would be (If you decide to re-install) to use an diskimaging utility

like Acronis Trueimage or Norton Ghost.

That way, in the future, if you ever get hit by something really nasty, you can always return your machine to a working/non-infected state.

This backup image should offcourse be created when the system is working properly

I might add.

Edited by friend2
Link to comment
Share on other sites

If removing the rootkit failed then there's no sense doing anything else as rootkits just mask infections. A rootkit is the computer equivlent to a psychosis. They can alter the clocking of processes to hide the fact that they exist to antimalware programs. If this is all he has I'd be surprised but with the rootkit buried in the kernal we'll never know.

Just guessing at things isn't helping him. We've identified the exact problem, and a reformat/re-install is the ONLY way to be sure he's clean if the rootkit removal programs have been unsuccessful.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...