
my windows system has been hijacked


6 replies to this topic

#1 Frankhero

Frankhero

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 06 June 2015 - 03:03 PM

I've been struggling with this problem for almost a year now. I finally broke down and bought a new computer in February 2015, but it's recently been infected with the same hijacker as the previous 2. They are all HP laptops, and they seem to be communicating with my iPhone using BTh in order to establish communication. I've tried doing fresh installs and the like, but reading the logs, I can see that they never do a clean install; they always latch onto a system file and register everything offline. They force a hive to load, and as soon as I do a Windows update the infection is very obvious. I haven't found much on the subject... a few consistent files are named 'fbi' or 'csi'.
A few Windows appx folders are suspicious, but I haven't been able to find the literature to support the idea that these aren't actually Windows folders:
CheckPoint.VPN_cw5n1h2txyewy
f5.vpn.client_cw5n1h2txyewy
JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
SonicWALL.MobileConnect_cw5n1h2txyewy
Farbar MiniToolBox log shows that the image authentication hash file is missing.
Sysinternals psexec -i -s cmd.exe won't let me delete files (unauthorized).
Sysinternals RootkitRevealer.exe is stopped by WRG.dll.
 
Found a log that begins like this and then goes on...
 
Requested to remove devices controlled by the "FBIKB_NT" service
[...]
Root..MS_SSTPMINIPORT..0000
Root..RDP_KBD
Root..RDP_KBD..0000
Root..RDP_MOU
Root..RDP_MOU..0000
Root..SYSTEM
Root..SYSTEM..0000
Root..SYSTEM..0002
Root..UMBUS
Root..UMBUS..0000
Root..volmgr
Root..volmgr..0000
<< Successfully completed the request!
>> Requested to remove a specific device ("Root..LEGACY_FBIKB_NT").
 
Windows Defender doesn't work; as a matter of fact, none of the AVs do anything. They go through the motions but never return anything. MBAM doesn't work, Avira doesn't work, ESET online doesn't work, VBA works, but I don't know how to use it properly. I always just end up having to restore because I delete something that is needed in the boot process.
 
I am currently running on a relatively fresh install... the only thing I've done so far is remove the bloatware.  As long as I don't do a Windows update, the system is stable.  But once I do the update I lose all admin access.  Any ideas?

Edit: Moved topic from Windows 8 to the more appropriate forum.~ Animal
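The `_cw5n1h2txyewy` suffix on the four folder names in the post above is the publisher hash that ends every AppX package family name. As an added example (not from this thread), the Python below derives that hash from a manifest Publisher string, so a WindowsApps folder name can be checked against the publisher it claims; the two Microsoft publisher strings and the labels are assumptions taken from Microsoft's signing certificate subjects, and the sample folder names are the ones quoted in the post. A matching suffix only tells you what the package manifest declares, so the package signature still has to be validated separately; an unknown or mismatched suffix is the thing to look at first.

```python
import hashlib
from typing import Tuple

# Crockford base32 alphabet used for the publisher hash (lowercase; no i, l, o, u).
CROCKFORD32 = "0123456789abcdefghjkmnpqrstvwxyz"


def publisher_id(publisher: str) -> str:
    """Derive the 13-character publisher ID that ends a package family name.

    The manifest Publisher string is encoded as UTF-16LE and hashed with SHA-256;
    the first 8 bytes (64 bits) are kept, one zero bit is appended to reach 65 bits,
    and the result is written as 13 Crockford base32 characters.
    """
    digest = hashlib.sha256(publisher.encode("utf-16-le")).digest()[:8]
    bits = "".join(f"{b:08b}" for b in digest) + "0"
    return "".join(CROCKFORD32[int(bits[i:i + 5], 2)] for i in range(0, 65, 5))


# Assumed publisher subjects, as they appear in Microsoft's signing certificates.
KNOWN_PUBLISHERS = {
    "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US":
        "Microsoft Windows (inbox Windows components)",
    "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US":
        "Microsoft Corporation (Store-published apps)",
}
KNOWN_IDS = {publisher_id(p): label for p, label in KNOWN_PUBLISHERS.items()}


def classify_family_name(family_name: str) -> Tuple[str, str]:
    """Split 'Name_publisherid' and label the publisher id if it is a known one."""
    name, sep, pid = family_name.rpartition("_")
    if not sep or len(pid) != 13 or any(c not in CROCKFORD32 for c in pid):
        return family_name, "not a package family name"
    return name, KNOWN_IDS.get(pid, "unknown publisher (validate the package signature)")


# Folder names quoted in the post above.
SAMPLE_FOLDERS = [
    "CheckPoint.VPN_cw5n1h2txyewy",
    "f5.vpn.client_cw5n1h2txyewy",
    "JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy",
    "SonicWALL.MobileConnect_cw5n1h2txyewy",
]

if __name__ == "__main__":
    for folder in SAMPLE_FOLDERS:
        name, label = classify_family_name(folder)
        print(f"{name:32} -> {label}")
```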



#2 JohnC_21

JohnC_21

  • Members
  • 24,291 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:14 AM

Posted 06 June 2015 - 04:55 PM

Do a scan with TDSSKiller. Then HitmanPro. I would also do an offline scan with Kaspersky Rescue Disk. Burn the ISO and boot the disk. If you have an Ethernet connection, not wireless, the database will be updated.

 

How to scan with Kaspersky: when scanning, make sure Disk Boot Sectors and Hidden Startup objects are checked.



#3 TOMIS13LACK

TOMIS13LACK

  • Members
  • 213 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:14 AM

Posted 08 June 2015 - 12:53 PM

If the above thing did not work, try disabling your network via the router. If it is to the point where it is nothing but necessary, use an ISO burnt to a fd from another PC, remove your current OS and replace it with the selected version. Just a suggestion.



#4 carlosayon

carlosayon

  • Banned Spammer
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:14 AM

Posted 08 June 2015 - 04:57 PM

Hi, I'm sorry to hear that you are having this issue. Let me try to add some help to this post.
 
"Use this only if you are not following any other instructions"
 
I will provide you with a couple of steps that will clean up your computer for the most part.
 
1. Since most likely your computer runs a lot of programs once it turns on, to make the process easier we will disable all the programs that run at boot.
From your keyboard press the Win + R keys; a "Run" window will pop up. Inside that "Run" box, type msconfig.
Once it opens, go to the Startup tab and disable all of the entries (in Windows XP, Vista and 7 you can do it all at once; in Windows 8 it has to be done one by one).
 
2. Restart your computer.
 
3. Now we are going to run several applications one by one, without restarting your computer.
 
- Junkware Removal Tool - Removes adware, junk toolbars, and unwanted software.
http://www.bleepingcomputer.com/download/junkware-removal-tool/
 
- AdwCleaner - Removes adware, toolbars, hijackers.
http://www.bleepingcomputer.com/download/adwcleaner/
 
- Malwarebytes - Removes malware
http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
 
- Rkill - Removes Malware
http://www.bleepingcomputer.com/download/rkill/
 
- Spybot Search & Destroy - Removes spyware and malicious software.
https://www.safer-networking.org/
 
- IObit Uninstaller - Uninstall software manually, in case you know of an application that should not be installed on your computer.
*** You can use the following website to know if an application is dangerous - http://www.shouldiremoveit.com/
http://www.iobit.com/es/advanceduninstaller.php
 
- Registry Recycler - Will clean all empty and misdirected registry entries left from all the cleaning.
http://www.registryrecycler.com/
 
 
****** Finally try updating your computer from a different internet connection if possible

*Moderator Edit: Removed instructions to run a tool which is not allowed in Am I Infected. ~ Queen-Evie*

Edited by Queen-Evie, 08 June 2015 - 06:02 PM.


#5 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • OFFLINE
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:02:14 AM

Posted 08 June 2015 - 06:03 PM

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:
  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

#6 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • OFFLINE
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:02:14 AM

Posted 09 June 2015 - 03:25 PM

 

RKill does NOT remove malware.

It stops it so other tools can remove it.

 

More here: http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/



#7 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:14 AM

Posted 09 June 2015 - 03:31 PM

Spybot S&D is also no longer recommended due to its poor performance. Emsisoft and Malwarebytes do a better job IMO.



