I am completely hijacked


  • This topic is locked
38 replies to this topic

#1 beakerr

Posted 10 December 2009 - 01:43 PM

Last night I left my computer on and running an Ad-Aware scan. When I got to it this morning it had lots of "Windows" security warnings along with warnings from other antivirus programs that I had never installed. Along with these, as if to illustrate how infected it was, were a couple adult type web pages.
I am unable to either navigate to a web page (I am on my wife's laptop) or open any software programs like antivirus programs or reg cleaners. I attempted to load an antivirus program that I found here at BC onto a flash drive and run it on my computer, but whenever I attempt to run anything I get a message saying the file is infected or some such. Basically my PC is acting a lot like Linda Blair in "The Exorcist".
Can you help me?


#2 azfreetech

Posted 10 December 2009 - 02:31 PM

It sounds like you may have something running which is preventing you from being able to install/run security software. What I normally do is use Rkill to stop the rootkit processes that start when the computer comes on. Then I run the Malwarebytes and SUPERAntiSpyware. Here are some DL links for the Rkill....

LINK 1
LINK 2
LINK 3
LINK 4

Save it to your desktop and then double click to launch it (With Vista you need to right click and select run as administrator). You should see a little black window open and then close. If you see that box then it worked. If you don't see the black box then delete the file and use another download link and repeat the steps.

Once it runs you will want to try installing Malwarebytes, update it and run the full scan; remove what it finds. Next install and run ATF Cleaner. Check the box for select all and then click the button for Empty Selected.

Next install, update and run SUPERAntispyware; remove what it finds. Keep in mind that if you have more than one username, then you will need to run this scan logged in to each individual user.

Finally I would update and run whatever antivirus program you have and remove what it finds.
DJ Digital Gem

I gave up on computers and now I just DJ!

#3 beakerr

Posted 10 December 2009 - 03:05 PM

Here are some DL links for the Rkill....

LINK 1
LINK 2
LINK 3
LINK 4

Save it to your desktop and then double click to launch it


It will no longer even let me operate my flash drive. I had attempted to d/l rkill onto the flash drive but I can no longer even open the flash drive. It says the exe is infected. Looks like it is going through all my computer's resources and disabling them.
Please advise.

#4 azfreetech

Posted 10 December 2009 - 03:43 PM

You can try running Hirens Boot CD 10.0 which will run scans before the OS boots (you have to boot from the CD). The other option would be to pull the hard drive, slave it to a known working computer and run scans with MBAM, SAS and antivirus removing what they find and then remount the hard drive in its computer and then run the scans again.

#5 beakerr

Posted 10 December 2009 - 04:02 PM

How do I run the Hirens? Don't think I am the best guy for pulling hard drives.

Edited by beakerr, 10 December 2009 - 04:05 PM.


#6 beakerr

Posted 10 December 2009 - 04:33 PM

Status Update: I was a little concerned because the Hirens looks like an advanced tool for me, so I tried restarting and loading rkill from my flash drive again and I was able to load it (after several attempts) and run rkill!!! I am in the process of running SUPERAntiSpyware Free Edition now; will update upon completion. Many items listed already.

#7 azfreetech

Posted 10 December 2009 - 04:50 PM

You will need to download Hirens with a working computer. You will need to burn it to a CD as an ISO file. If you need instructions on how to do this those can be found HERE. I am also including a link on how to set your BIOS to actually boot from a CD.

Download Hirens 10.1 with keyboard patch (NEW!)

Edited by azfreetech, 10 December 2009 - 04:50 PM.


#8 beakerr

Posted 10 December 2009 - 05:04 PM

SUCCESS!!! tytytyty Seems strange that it initially blocked my attempt to load tools from my Sandisk then later I was able to, but I'm not complaining. I had 87 objects including Trojans. I'm afraid I instantly quarantined them but I'm sure I can open the list if you think it's important. I still have a red shield with a white x in it in my system tray that says ins Windows Security Center. Not sure what to do about that. One thing I learned is that my avast doesn't seem to be working too well. Can you give me any further recommendations? Should I head over to the HJT thread do you think? Thanks again for your help azfreetech!

#9 azfreetech

Posted 10 December 2009 - 05:23 PM

Update and run scans with Malwarebytes and SUPERAntispyware; post the logs here and I'll take a peek at them. That icon needs to GO AWAY LOL.

#10 beakerr

Posted 11 December 2009 - 11:06 AM

Ok here is the first scan with all the nasties in it. I am rescanning now; will post it when it finishes. I couldn't get Malwarebytes to work yet; will attempt again this evening.

Hmm, I can't seem to insert the image of the quarantine log screenshot. Should I start a new post? Ugh

<a href="http://s79.photobucket.com/albums/j157/BatWhalen/?action=view&current=scan1.jpg" target="_blank"><img src="http://i79.photobucket.com/albums/j157/BatWhalen/scan1.jpg" border="0" alt="scan 1"></a>

#11 azfreetech

Posted 11 December 2009 - 12:44 PM

Hmmm.... Can't view those for some reason. Maybe because I am at work LOL

#12 beakerr

Posted 14 December 2009 - 03:00 PM

OK it took me a while to get this right, sorry for the delay. I think something is still not quite right because SuperAntiSpyware is still coming up with things periodically. I usually never got anything but tracking cookies. Still unable to get Malwarebytes running on my puter.
[url="http://s79.photobucket.com/albums/j157/BatWhalen/?action=view&current=scan1.jpg"]Visit My Website[/url]

Ok, I think I still have issues though things are much better. Maybe I have an open port or something, but I can't get the link to my log to work. I am weak sauce incarnate I realize, but I don't know how to get the log up. sry

Edited by beakerr, 14 December 2009 - 03:05 PM.


#13 cookmiester

Posted 14 December 2009 - 03:18 PM

For Malwarebytes, I recommend you change the file name to something random like huehf.exe. However, you may still get the exe blocked, so then try huehf.pif, or .bat. Hopefully, this will allow MBAM to run on your computer. Run a scan in safe mode to be sure, and make it a full scan to ensure best detection.

#14 beakerr

Posted 20 December 2009 - 08:11 PM

I can't get my Superantispyware log to post for some reason and I've tried changing the file designation on the Malwarebytes .exe but nothing will make it install. What happens is that during the installation process I click on next and I get an error message that says "run time error 0" several times in a row. I then uninstall and get the same rapid fire error message about 5 times in a row but it uninstalls. I have been able to install it on my wife's laptop and run it so I believe it's being blocked on my computer.
Would it be acceptable for me to copy the trojans manually from my superantispyware log, and skip the tracking cookies? Also not sure what to do about Malwarebytes.

Below are some of the viruses that superantispyware quarantined.

12/10/09
Adware.Vundo Variant/Rel
Rogue.Agent/Gen
Trojan.Agent/Gen-FakeSpy[Broad-1]
Trojan.Dropper/Win-NV
Trojan.Unclassified/Helper-DD

12/11/09
Trojan.Agent/Gen-BHO[Lib]
Trojan.Agent/Gen-Virut[Lib]

Next a bunch of tracking Cookies on the 12th and 13th more Trojans on the 14th.

12/14/09
Trojan.Agent/Gen
Trojan.Agent/Gen-SDR

After the reinfection on the 14th I disconnected from the internet and have been trying to get Malwarebytes installed with no success. Well, it's in much better shape than when I first posted but I'm fearing that an OS reinstall will be necessary and I have some doubt in my ability to do it. Thanks again for your advice. jon

#15 MATTSPCHELP

Posted 20 December 2009 - 08:15 PM

Not at all, is Ctrl Alt Delete working?? I can help you still
Microsoft Certified Desktop Support Technician
