VideoHelp Forum




  1. Member
    Join Date
    Jan 2004
    Location
    Mozambique
    I got my first really tough virus.

    First of all I'd like to apologize for the mean-spirited words I'm about to type. (like HELL I do!!)

    I wish the person or persons responsible for hijacking IE Friday night a horrible death but only after many long hours of suffering.

    While doing some surfing Friday I received a warning from NortonAV that I was under attack and it had been isolated. Then the endless popups began. With a Ctrl+Alt+Delete I shut down IE.

    When I reopened IE I discovered I had a new startup page. The location read "about:blank" (God, I hate those words right now). Along with that came popups about my computer being under attack by spyware, saying I should follow their link for software to fix the problem. (like I'm that stupid; stupid enough, but not that stupid)

    I changed the startup back to MSN under preferences hoping this would set things right. No way. I then noticed Norton Real-time AV was no longer running; furthermore, I could not get it restarted. I then ran SpybotS&D, AdAware, MS's new beta Antivirus and several others. Some corrected IE's settings but only temporarily. I chucked out 30 bucks for an anti-spyware program that even identified the attacker. Ran it but nothing!!

    I've even tried deleting cookies, cache, internet temp files, and uninstalling/installing IE and Norton. But I always end up with an IE startup page of "about:blank" and with popups titled "Only the Best". I want to hurt someone.

    At this point I'm running FireFox but I'm wondering what else might be going on on my PC. I can't even get IE to uninstall or XP SP2 to install.

    I spent a good part of yesterday backing up data. My next step is to delete my OS, reformat and install. Any ideas? And thanks for any advice in advance.

    bobv(ready to kill)
    Big Government is Big Business.. just without a product and at twice the price... after all if the opposite of pro is con then wouldn’t the opposite of progress be congress?
  2. First, what was the virus trojan called?
    Have you tried a system restore?
  3. Mod Neophyte redwudz's Avatar
    Join Date
    Sep 2002
    Location
    USA
    I know the feeling. I got pissed off and ripped every one of the about 20 trojans and spyware out, even in the registry. Managed to destroy the OS in the process.

    Anyway, try starting in safe mode and running the latest version of Spybot S&D and your other spyware programs. 'Hijack This' is good, but be careful. Also turn off your Windows restore. The programs can hide in there and regenerate.

    Unfortunately, if all else fails, a clean reinstall of Windows after a disk format is the sure cure.

    I run Spybot, Adaware, AVG, Windows firewall, and a hardware router, but I still have to be careful what I click.
  4. Member Soopafresh's Avatar
    Join Date
    Jan 2004
    Location
    United States
    Sucks, doesn't it? Do a search, especially in your Windows folder, of all files created or modified on the day of your infection. Boot into Safe mode, and delete those suckers.
  5. Member
    Join Date
    Jan 2004
    Location
    Mozambique
    Originally Posted by offline
    First, what was the virus trojan called?
    Have you tried a system restore?
    I tried system restore only to find I had no restore points... ? I never turned it off or deleted any either. I think the virus got to my restore points too. The more I think about it the more I want to hurt... I mean I think I need to reinstall my OS.

    I don't know the hijacker's name but it's like the one CWShredder kills, "CoolWebSearch"
    Big Government is Big Business.. just without a product and at twice the price... after all if the opposite of pro is con then wouldn’t the opposite of progress be congress?
  6. Член BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    Have you checked your "hosts" file lately? There may be more than one (now) also.
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
  7. Member
    Join Date
    Jan 2004
    Location
    Mozambique
    Originally Posted by BJ_M
    Have you checked your "hosts" file lately? There may be more than one (now) also.
    "hosts" file? not sure what you mean.
    Big Government is Big Business.. just without a product and at twice the price... after all if the opposite of pro is con then wouldn’t the opposite of progress be congress?
  8. Member Soopafresh's Avatar
    Join Date
    Jan 2004
    Location
    United States
    Good point on the Hosts file.

    It is located in c:\windows\system32\drivers\etc
  9. Member
    Join Date
    Dec 2004
    Location
    Canada
    Run "Hijack This" and copy and paste the scan here. DL it here:

    http://www.tomcoyote.org/hjt/
  10. Член BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    Originally Posted by Soopafresh
    Good point on the Hosts file.

    It is located in c:\windows\system32\drivers\etc
    some hijack apps will make new hosts files and spread them all over ..

    do a search on everything (hidden and system files included) for "hosts"

    open "hosts" with notepad ...

    see if they are all the same and have more than just the following in them



    Code:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    127.0.0.1       localhost
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
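
The check described in the post above, as an added example that is not part of the original thread: it walks a directory tree for every file named `hosts`, parses each one, and reports any mapping beyond the stock `localhost` line. The default root `C:\Windows` and the function names are assumptions made for this sketch.

```python
import os
import sys

# Mappings found in a stock hosts file; anything else deserves a look.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Return the set of (ip, hostname) pairs in hosts-file text."""
    entries = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                              # blank, comment-only or malformed
        for name in fields[1:]:                   # one IP may carry several names
            entries.add((fields[0], name.lower()))
    return entries

def find_hosts_files(root):
    """Yield every file named 'hosts' (any case) under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == "hosts":
                yield os.path.join(dirpath, fname)

def audit(root):
    """Map each readable hosts file to its sorted non-default entries."""
    report = {}
    for path in find_hosts_files(root):
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue                              # locked or permission denied
        report[path] = sorted(parse_hosts(text) - DEFAULT_ENTRIES)
    return report

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path, extra in audit(root).items():
        print(path, "- stock" if not extra else "- EXTRA ENTRIES:")
        for ip, name in extra:
            print(f"    {ip}\t{name}")
```

A file that reports extra entries is not automatically malicious (ad-blocking lists also live there), but each unexpected mapping should be explainable.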
  11. Try the 30 day full working demo of:

    http://www.pestpatrol.com.au/downloads/
  12. Try using Microsoft's antispyware beta. It supposedly catches a strain of CoolWebSearch that other apps currently miss.
  13. DVD Ninja budz's Avatar
    Join Date
    Jan 2003
    Location
    In the shadows.....
    To BobV sorry to hear your pc was hijacked.....i can relate to what has happened to you....i just fixed my cousin's pc since they had over 2000 spyware and viruses.....they had the same thing happen till the point the pc could no longer boot up, it would only get to the windows 2000 pro screen then reboot itself over and over.....i ended up reformatting the hard drive and reinstalled their operating system & installing 2 antivirus programs for them.....i told her son make sure if he downloads shit to scan it and to use mozilla to surf the net.....
  14. Member ViRaL1's Avatar
    Join Date
    Jan 2004
    Location
    Making the Rounds
    I came across this on a PC I was working on recently. Two things you should try if you haven't already been able to get it fixed. Download the latest version of CWShredder. The 'Only the Best' popup was the same one this user was getting. CWShredder was the only thing I could find that was able to get rid of it. Another thing you may want to check when you're trying to get rid of something is clearing any unknown processes in MSCONFIG. Look for anything that you uncheck and shows up checked on the next restart, this is probably some spyware. Another thing you want to check for is look in your Add / Remove programs. Even though you chose not to install anything, some things seem to pop up there without anyone noticing.
    Nothing can stop me now, 'cause I don't care anymore.
  15. Member
    Join Date
    Jan 2004
    Location
    Mozambique
    Thanks for the suggestions, I’ve tried everything listed here but with no success. Last night I watched the virus dynamically create dll after dll as I deleted, renamed, and moved them. This virus seems to be smarter than anything meant to fight it; furthermore, God only knows what else it might be doing. So what I plan on doing is:

    Saving my data files
    Reformatting the Hard drive
    Reinstalling XP Pro on an OS partition
    Creating a ghost copy of my OS partition
    Switching to FireFox
    Continue to use all the standard anti-virus, popup blockers, and anti-spyware

    I’ve also thought about using a dual boot OS. Can anyone tell me if viruses normally cross OS boundaries? I thought an OS used just for surfing might be a good idea.

    BTW the virus creates BHO dll files. The BHO files are Browser Helper Objects.

    Thanks again
    Big Government is Big Business.. just without a product and at twice the price... after all if the opposite of pro is con then wouldn’t the opposite of progress be congress?
  16. Member
    Join Date
    Jul 2002
    Location
    Up in yo' bitch.
    Sounds like the virus is running a program. You can't ctrl/alt/del and end the program? If you do this, look at what .exe it is executing... do a search on this little .exe file and delete every instance of it. Make sure you get the prefetch folder also.


    You may want to be sure that your data files are not corrupted. I once had a computer virus that infected... umm... my computer. I backed up all of my files and reformatted/reinstalled the OS. When I put my data files back on, the virus came back.
  17. Member
    Join Date
    May 2001
    Location
    United States
    Run REGEDIT, and look here:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    This shows all of the programs that Windows will automatically run at startup for your machine (also check for "RUN" in HKEY_CURRENT_USER). Your program is loading itself probably here. If you can't find this exact key (I use W2KP), search the registry for a "RUN" instance.

    Post the contents of this registry "folder" here if you are not sure which program to permanently delete.
    ICBM target coordinates:
    26° 14' 10.16"N -- 80° 16' 0.91"W
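
An added example, not part of the original thread, combining the Run-key check in the post above with the earlier MSCONFIG advice to watch for startup items that come back after a restart: it snapshots the HKLM and HKCU Run keys and compares three snapshots (before cleanup, after cleanup, after restart). The function names, the snapshot workflow and the JSON file format are assumptions of this sketch.

```python
import json
import sys

try:
    import winreg                      # standard library, Windows only
except ImportError:
    winreg = None

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def read_run_entries():
    """Return {hive-prefixed value name: command} for both Run keys."""
    if winreg is None:
        raise RuntimeError("reading the registry requires Windows")
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = {}
    for label, hive in hives.items():
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue                   # key absent in this hive
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = value count
                name, data, _kind = winreg.EnumValue(key, i)
                entries[f"{label}\\{name}"] = str(data)
    return entries

def regenerated(before_cleanup, after_cleanup, after_restart):
    """Split post-restart additions into (came_back, brand_new) name lists."""
    removed = {k: v for k, v in before_cleanup.items() if k not in after_cleanup}
    removed_cmds = {v.lower() for v in removed.values()}
    came_back, brand_new = [], []
    for key, cmd in sorted(after_restart.items()):
        if key in after_cleanup:
            continue                   # survived cleanup, so not an addition
        # Same value name, or same command under a new name, counts as a return.
        if key in removed or cmd.lower() in removed_cmds:
            came_back.append(key)
        else:
            brand_new.append(key)
    return came_back, brand_new

if __name__ == "__main__":
    # script.py snapshot FILE  |  script.py compare BEFORE AFTER RESTART
    if sys.argv[1] == "snapshot":
        with open(sys.argv[2], "w") as fh:
            json.dump(read_run_entries(), fh, indent=2)
    else:
        snaps = [json.load(open(p)) for p in sys.argv[2:5]]
        print(regenerated(*snaps))
```

Anything in `came_back` means another running component is rewriting the key, so the cleanup has to happen where that component cannot run (Safe Mode or offline).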
  18. Member
    Join Date
    Jan 2004
    Location
    Mozambique
    Originally Posted by SLK001
    Run REGEDIT, and look here:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    oops
    Big Government is Big Business.. just without a product and at twice the price... after all if the opposite of pro is con then wouldn’t the opposite of progress be congress?
  19. Member
    Join Date
    May 2001
    Location
    United States
    Originally Posted by BobV
    Originally Posted by SLK001
    Run REGEDIT, and look here:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    oops

    oops?

    What do you mean?
    ICBM target coordinates:
    26° 14' 10.16"N -- 80° 16' 0.91"W
  20. I spent a good part of yesterday backing up data. My next step is to delete my OS, reformat and install. Any ideas? And thanks for any advice in advance.
    Well I have an idea of something you could try. There is a linux live-cd distro that you pop in your cd drive when you boot up and it automatically scans your windows partitions for viruses and spyware and then removes them. This might be a good choice for you since that way you would know for sure that no background programs are running. It's worth a try, you've got nothing to lose.
    Here is the link:
    http://www.antesis.org/index.php?lang=en
  21. Member
    Join Date
    Jan 2004
    Location
    Mozambique
    Originally Posted by Garibaldi
    I spent a good part of yesterday backing up data. My next step is to delete my OS, reformat and install. Any ideas? And thanks for any advice in advance.
    Well I have an idea of something you could try. There is a linux live-cd distro that you pop in your cd drive when you boot up and it automatically scans your windows partitions for viruses and spyware and then removes them. This might be a good choice for you since that way you would know for sure that no background programs are running. It's worth a try, you've got nothing to lose.
    Here is the link:
    http://www.antesis.org/index.php?lang=en
    I like that idea

    and thanks for everyone’s help.. I think I finally got it with the use of Adware Away. I had to turn off the Windows auto restore and run in safe mode, oh yeah and repeat the procedure twice. I’m still going through with some changes though, among them trashing IE in favor of FireFox.
    Big Government is Big Business.. just without a product and at twice the price... after all if the opposite of pro is con then wouldn’t the opposite of progress be congress?
  22. I like that idea

    and thanks for everyone’s help.. I think I finally got it with the use of Adware Away. I had to turn off the Windows auto restore and run in safe mode, oh yeah and repeat the procedure twice. I’m still going through with some changes though, among them trashing IE in favor of FireFox
    It's a good app to have just in case. I'm happy you're using firefox. The security, tabs, extensions and themes IMO make it a lot faster, safer, and better than IE.
  23. DVD Ninja budz's Avatar
    Join Date
    Jan 2003
    Location
    In the shadows.....
    fark!!! talk about hijacking a pc.... i just rebuilt another pc, my old pent 3/ 933 chip with a brand new pent 3 mobo. i was downloading all the windows updates then popup windows galore... full of videohelp windows poppin up all ova the place.....i was lazy and should have installed the firewall & antivirus before doing the windows updates......i'm now having to reformat the lil 20gb and reinstall windows.....fark!!!!