Computer HiJack Problems


OneFinger
This topic is 6754 days old and is no longer open for new replies.  Replies are automatically disabled after two years of inactivity.  Please create a new topic instead of posting here.  

I have a friend trying to remove hijacking programs from a laptop. Here's kind of a summary of the problem that he posted on another forum:

 

I need some major help. I have hit a brick wall and can't get anywhere. I know I have a LOT of problems with this computer.

 

First problem is that it has cws.msconfig. cwshredder will not remove it. I also have a problem getting to regedit. I have to do both in safe mode.

 

Also, I am not able to completely run ewido, stinger, spybot, ad-aware in safe mode or regular mode without the computer rebooting in the same place every time (shortly after the I386 folder scan completes). Ewido finds 4 things but never finishes. I have tried running hijack this and been unsuccessful.

 

The following items keep showing up in the startup list and started duplicating themselves in safemode. After I would remove them, they would appear back and a copied version would appear as well. This started happening after trying to run ewido.

 

fdos.exe (labeled windows update)

sys(various numbers).exe

xzhj.exe

ipmppp.exe (labeled Ywp7RVjtU)

 

I also had something called media pass that I removed a while ago come back to the registry. I had cleaned it and deleted all instances I could find.

 

This computer can connect to the internet but I can't get to any pages. I have the about.blank thing going on as well.

 

I have thought about hooking up the computer to a network and scanning with another computer, but I am worried about getting the crap on another computer.

 

I do not want to format and reinstall as I have programs on the laptop that I can't replace. But as a last resort I am afraid I may have to.

 

I don't understand most of his post. So please be elementary in your responses.

 

Is there a downloadable program that can help remove this problem? Are there sites you'd recommend going to for help?

 

Any options or suggestions appreciated.

 

-------------

"We need to have more respect for each other. Things have just gone really crazy, out of control. ... We're on a very weird kind of cycle." Stevie Wonder

Link to comment
Share on other sites

He should do one thing immediately: DISCONNECT FROM THE INTERNET AND DO NOT RECONNECT IT UNTIL THE MACHINE IS CLEANED UP.

 

With that level of infection he's no doubt running email bots adding tons of spam to the worldwide flow, and probably participating in DOS attacks as an IRC bot. Among other things. He should do us all a favor and remove himself from the internet gene pool until he's safe again.

 

If he can't get Ad-Aware, SpyBot, or Hijack This to run successfully he's definitely in very sorry shape. (Those three are the holy trinity often recommended by security experts.) If he can't even run RegEdit, he's lost core Windows functionality.

 

No single program will resurrect this machine, from the sound of it.

 

It is possible that a seasoned practitioner could resurrect the machine but with all that dreck it's looking (to me) like at least an all-day job, probably longer. The wizzurds that know how to eradicate that stuff charge lawyer-like hourly rates, so a fresh reinstall might be his best bet economically.

 

Programs can ALWAYS be replaced. His first should be firewall, anti-virus, and spyware prevention, (in that order) of course. AFTER he's up and safe, he can worry about the other stuff.

Link to comment
Share on other sites

deej,

 

Thanks for your response and confirmation. I almost think the hard drive is beyond repair and reformatting is essential. But, he's talked of another "temporary" solution that kind of goes along with your suggestion.

 

Since the computer works just fine when it's NOT connected to the internet, he's asking about continuing to use it in non-internet mode. It's going to take him a while to xfer data/picture files to a temporary drive, ensure they're not infected, and then do a final transfer to another computer. Plus, he's trying to track down program CDs to re-install after reformatting.

 

Are there any problems continuing to use the computer in non-internet mode? Could data files for Word, Excel, TurboTax, etc. get "dirty" and infect other machines?

 

Is the idea of an isolation drive to scan files sufficient before loading files on a clean machine?

 

Appreciate your opinions on this situation. Also, I can confirm that the computer is no longer hooked up to the internet. Any programs he's downloading to try and clean things up are being done on another computer and transferred via memory stick to the infected computer.

 

Thanks for your help!

 

-------------

"We need to have more respect for each other. Things have just gone really crazy, out of control. ... We're on a very weird kind of cycle." Stevie Wonder

Link to comment
Share on other sites

Ummm... tough one.

 

Deej is right: disconnect the machine from the Internet for the time being.

 

It may be a lost cause. But I would recommend using a second machine to download a copy of spysweeper. It's only $30 and it sounds like it will cost a lot more if he has to reformat this thing.

 

Copy Spysweeper to the machine and install it. (Use diskettes and safe mode if necessary.) If you can get it to run, let it do its thing. It will clear out a ton of this stuff and may render the machine usable again. If so, he'll be out of the woods. From this point on, he should run Spysweeper 24/7, along with an antivirus program. (I like PC-cillin but there are a number of good ones.)

 

If he does have to reformat it, then he should still use his copy of Spysweeper on the newly-reformatted system. So, either way, he's not out any money.

 

Hijack-this is a good program but only in the hands of someone who really does know what he's doing. I think that Spybot and Ad-Aware were once great but I think they're sort of outmoded. Spysweeper does a great job, especially if you let it run 24/7.

 

Good luck to your friend.

BG

Link to comment
Share on other sites

Lotsa questions, no black and white answers. :-(

 

>Are there any problems continuing to use the computer in

>non-internet mode?

 

Maybe, maybe not. Some viruses continue to work their "magic" over time, rather than in one swell foop.

 

>Could data files for Word, Excel, TurboTax, etc. get "dirty"

>and infect other machines?

 

Word and Excel for sure. Not sure about TurboTax. Any file type that allows executable content (such as Word or Excel macros) or is used in a viewer (such as Windows media player) with known weaknesses MIGHT pose a risk on another system. Heck, plain old HTML documents with embedded script can be a security risk.

 

But that's why you build a new system from scratch and make sure the protection is bulletproof. Once you copy files to the new system, they'll be sanitized by the new bulletproof protection. Hopefully.

 

>Is the idea of an isolation drive to scan files sufficient

>before loading files on a clean machine?

 

Maybe. (Don't you just love how there's no solid sure-fire formula?)

 

The external isolation drive is MOST DEFINITELY a good idea!

 

If the machine doing the scanning is iron-clad protected, yes it should be safe. (You did catch that IF, right?)

 

Since you've told us he has USB access to the old machine, I would strongly suggest a USB external hard disk. (They're pretty cheap, depending on the size he needs.)

 

He can copy ALL data files to the external disk, unplug it, set up his machine with the iron-clad protection mentioned above, and then plug the thing in again. Worst-case scenario: he has to repeat the process. But he still has a copy of all his data files on the external drive.

Link to comment
Share on other sites
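
An added example (not part of any post in this thread) of the point above that data files can carry executable content: a Python sketch, run on the clean scanning machine, that triages files copied to the isolation drive by their leading bytes rather than their names. The function names, category labels and sample files are assumptions constructed here, and the macro check is a heuristic that supplements an up-to-date scanner rather than replacing it.

```python
import os
import re
import tempfile

MZ = b"MZ"                                   # DOS/Windows executable header
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")     # legacy .doc/.xls container header
# Stream name that a VBA macro project leaves in an OLE2 directory
# (names are stored as UTF-16LE); its presence is a heuristic, not proof.
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")
SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}

def classify(path):
    """Label one file by content, ignoring what its name claims."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    if data.startswith(MZ):
        # A program wearing a data-file extension is the worst case.
        return "executable" if ext in EXEC_EXT else "executable-disguised"
    if data.startswith(OLE2):
        return "office-with-macros" if VBA_MARK in data else "office-no-macros"
    if ext in {".htm", ".html"} and SCRIPT_RE.search(data):
        return "html-with-script"
    return "data"

def triage(root):
    """Walk the isolation drive; return {relative path: label}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = classify(full)
    return report

def build_sample_drive(root):
    """Write constructed sample files (not real documents or malware)."""
    samples = {
        "taxes.xls": OLE2 + b"\x00" * 64,
        "letter.doc": OLE2 + b"\x00" * 32 + VBA_MARK + b"\x00" * 32,
        "setup.exe": MZ + b"\x90" * 32,
        os.path.join("pics", "photo.jpg"): MZ + b"\x90" * 32,
        "page.html": b"<html><SCRIPT>var x = 1;</SCRIPT></html>",
        "notes.txt": b"plain text notes",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample_drive(drive)
        for rel, label in sorted(triage(drive).items()):
            print(f"{label:22} {rel}")
```

Anything labelled `executable-disguised` or `office-with-macros` is worth holding back from the rebuilt machine until it has been scanned and its origin is understood.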

deej and BG,

 

THANK YOU for your quick responses. I've downloaded a trial copy of Spysweeper to try on my PC to test drive it. I'm trying on my system (which I feel is 100% clean) to see if it finds anything. That should be interesting.

 

If we like the results, then he'll probably download a "real" copy and give it a try.

 

Also liked the idea of a USB external drive. Hadn't thought about that one. Great idea!!

 

Thanks again and I'll keep you posted.

 

-------------

"We need to have more respect for each other. Things have just gone really crazy, out of control. ... We're on a very weird kind of cycle." Stevie Wonder

Link to comment
Share on other sites

Just finished Spy Sweeper on my machine. It only found 5 tracking cookies and that doesn't concern me. I feel much better about my own machine and that I've probably got it adequately set-up to avoid most problems.

 

But, the trial version will NOT resolve the problem. It only identifies problems and indicates that you have to subscribe to activate clean-up. However, with the tracking cookies, it gave me location and file name and I just manually deleted them.

 

I plan on using the demo copy to scan the infected machine and see what it finds. If it runs successfully (without hanging up) then I'll have confidence that it's a possible solution.

 

So far, I like the look and feel of Spy Sweeper. Appears to have a lot of positive features. I especially like the on-the-fly checking, timed scans, and the ability to tell it which tracking cookies to always delete and which ones I've decided are OK.

 

-------------

"We need to have more respect for each other. Things have just gone really crazy, out of control. ... We're on a very weird kind of cycle." Stevie Wonder

Link to comment
Share on other sites

I use SpySweeper and I'm totally pleased with it. You can set it to not accept tracking cookies which I've done. Nobody's business where I go when I leave a web site. I have it set to receive regular updates and to run in the background. I have a much higher level of confidence now (although this does NOT preclude using common sense when surfing).

Link to comment
Share on other sites

I run Spy Sweeper and have been very pleased with it as well. Mine is set to sweep every time I log onto my computer. From time to time I will run a sweep while online, especially if I have been on the net for a long period of time.

 

It's been well worth the cost but it's also best to keep in mind that nothing is 100% with these programs. Consequently, there are certain sites I will not visit and never open attachments until they are scanned.

Link to comment
Share on other sites

Haven't had a chance (yet) to run Spy Sweeper on the infected computer. But, my friend was given the following suggestion:

 

Download aboutbuster from this link http://www.malwarebytes.org/AboutBuster.zip and extract it to your desktop, run it, update the files but do not scan yet.

 

Download cwshredder from this link http://cwshredder.net/bin/CWShredder.exe but don't run it yet.

 

Reboot into safe mode.

 

Once you get into safe mode run cwshredder and click "fix".

 

Then please run About:Buster and click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear, this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

 

I've heard of CW Shredder before but don't know how powerful it is. I've never heard of AboutBuster. Anyone familiar with it? Does this sound like a good alternative if Spy Sweeper doesn't work?

 

Again, I really appreciate the responses and second opinions.

 

-------------

"We need to have more respect for each other. Things have just gone really crazy, out of control. ... We're on a very weird kind of cycle." Stevie Wonder

Link to comment
Share on other sites

I have not heard of About:Buster which of course means nothing.

 

It might be a wonderful tool, but please be aware that many tools in this niche are themselves delivery mechanisms for adware/malware/spyware. They deliver their own payload while killing everyone else's.

 

(Many of us lobbied Microsoft long and hard to remove some adware/spyware/malware products from the Windows Marketplace site because they are themselves adware/malware/spyware.)

 

It may be a great tool, but I haven't heard any of the security geeks I hang out with mention it. (cwshredder isn't on the list either, actually.)

 

Please do not hesitate to use the tool because of what I've said. Your friend's PC sounds like it could use all the help it can get! Just please be ready to try something else if it doesn't completely solve the problem.

 

And after you spend a week or so on it, format the damn hard disk and start from scratch like you should have done in the first place. :7

Link to comment
Share on other sites

AboutBuster is not malware. But it's just one more among many shareware/freeware programs that can remove malware to some extent. Most require that the user runs them periodically to scan their system and these programs are updated at random intervals; some are updated often and others are not and some good ones get less good over time as others improve.

 

Bottom line: you can keep your system clean for free if you are willing to invest time and effort in doing so and are reasonably vigilant about it. Or you can spend a small amount of money protecting it by investing in one of the good systems marketed for a price by a company actively in the business of keeping their products up to date. Since malware changes on a daily basis, frequency of updates is a very critical part of how effective a program will be.

 

When a system succumbs to malware, it's usually a major pain in the neck for the affected system user. It often requires at least a bunch of time to clean it out and can involve spending money or at least paying an opportunity cost for the lost time. For me, $30 per year for a Spysweeper subscription is an extremely small price to pay so I simply don't have to worry about my system being hijacked.

 

I used to use Ad-Aware, Hijack This, Spybot Search and Destroy, etc., etc. on a regular basis and I'm quite careful about how I use my systems. However, things would still slip through periodically and it would always be a pain in the neck. Now I use Spysweeper and I haven't had a single problem in the nine months or so that I've been using it. Better still, I haven't had to think about running programs to scan for malware or worry about the status of my systems.

 

BG

Link to comment
Share on other sites

We see 100% eye to eye, BG.

 

But there's a subtlety you left unsaid. You've used SpySweeper for 9 months successfully. Tomorrow is the 10th month.

 

Every malware tool gets new challenges every month. (Every day, actually.) It's not a Ron Popeil "set it and forget it" thing. You need to be always vigilant.

 

And that's not something that's easy to do, or even to define!

 

If you only use your computer once a month, you should update your virus/malware definitions every time you start your computer. If you use your computer every day, your schedule might be different. But the important thing is to ALWAYS stay current!

 

Everyone I know who has a computer that was taken over said the same thing: "I was too busy". They were too busy to accept automatic updates and they paid the price.

 

(And they expect ME to fix it. Sorry, no.)

 

Let your tools update when they want to update.

Link to comment
Share on other sites

>Let your tools update when they want to update.

 

Exactly. I'm quite happy to see SpySweeper and PC-cillin do their automatic updates each day. (Actually SpySweeper checks more often than that and I've seen it run updates more than once in a single day. But it's quick about it and runs happily in the background for a few seconds while it does the update.)

 

I know that 9 months isn't the longest trial in the world. But there's a lot of stuff out there and it's worked at 100% so far. So far, so good, I guess.

 

BG

Link to comment
Share on other sites

Thanks to the guys who offered advice in response to this question. I checked out spy sweeper today and after it scanned my machine, it found the pesky Trojan that I had written about a few months back. I am now clear and oh what a feeling.

 

This site provides so much, I am always thankful I stumbled in here that late summer day years ago.

Link to comment
Share on other sites

Ran Spy Sweeper tonight on the infected computer and it did find problems. It didn't stop or hangup while running like other programs we've tried and that gave me confidence it might be a good solution.

 

Unfortunately, we ran it AFTER their switchboard closed down for the night. (The computer is so honked we couldn't process an on-line activation.)

 

On the plus side, I did buy a 2-year subscription for my personal (home) computer. It's running a scan right now and I'll be able to take care of any problems.

 

I really like that Spy Sweeper will update automatically, scans in the background, and protects on-the-fly.

 

Thanks so much for pointing me in this direction. Not sure it will help out for the infected laptop. But for my personal system I feel confident that this is a good thing.

 

Will try to run it and activate it on the infected laptop during their phone-in hours.

 

-------------

"We need to have more respect for each other. Things have just gone really crazy, out of control. ... We're on a very weird kind of cycle." Stevie Wonder

Link to comment
Share on other sites

>Will try to run it and activate it on the infected laptop

>during their phone-in hours.

>

 

Let us know how it turns out... I'm very curious. My bet is that it will clean it up for you. However, as Deej pointed out earlier, that may not be enough to truly restore a fully-functioning system. There may well be too much damage at this point.

 

But don't give up hope yet. :-)

 

BG

Link to comment
Share on other sites

...And after you spend a week or so on it, format the damn hard disk and start from scratch like you should have done in the first place.

 

Well deej, it's been over a week and I thought I'd give an update.

 

My friend had a geek relative come over and run a bunch of programs such as Shredder, Hijack This, About Buster, Stinger, and similar programs. Apparently he had to run them multiple times to get everything "functional".

 

At that point they were frustrated and I picked up the PC tonight. Received the Spy Sweep CD in the mail and was able to load it. The first time I ran it it found 15 items and 177 traces. I had the program remove them.

 

Checked the setting and found that some programs had already set themselves up as "Always Keep" in the Options section of Spy Sweeper. Made sure the option was changed to "Always Remove" and ran the program again. This time it found 6 items and 182 traces. Had the program remove them.

 

Ran Spy Sweeper a third time and it finds no problems!!!

 

Also able to install Sygate Personal Firewall. I've got that set so it will not accept any incoming that I don't "approve". Also does not let anything "talk" to the internet without asking every time. I'm not keeping the PC connected to the internet but have only tried testing functionality. Am NOT sending/receiving e-mail, exchanging files, etc.

 

The only on-going issue is that I still cannot install a virus program. Have tried two different programs (McAfee and Symantec) and each one appears to have problems writing to the registry. But, that's a problem for the geek relative to resolve (unless someone here has a suggestion.)

 

On the plus side, we haven't lost any programs or data.

 

If this had been my PC, I would have formatted the hard drive and started from scratch. But, I hope this serves as a warning that you should NEVER connect to the internet without a firewall, spy protection, and an up-to-date virus program.

 

-------------

"We need to have more respect for each other. Things have just gone really crazy, out of control. ... We're on a very weird kind of cycle." Stevie Wonder

Link to comment
Share on other sites

>The only on-going issue is that I still cannot install a virus

>program. Have tried two different programs (McAfee and

>Symantec) and each one appears to have problems writing to the

>registry. But, that's a problem for the geek relative to

>resolve (unless someone here has a suggestion.)

 

Interesting. Out of curiosity, did you have SpySweeper running when you tried to install the a/v software? Its job (part of it, anyway) is to challenge registry writes. ;-)

 

>On the plus side, we haven't lost any programs or data.

 

Now would be a really great time to use that external USB drive I mentioned earlier and a copy of Acronis TrueImage or such. I realize it isn't your machine, but that backup image could be a real butt-saver if the next step hoses everything.

Link to comment
Share on other sites

Thanks for letting us know.

 

At the very least, should you discover that something totally strange and terrible did happen to the system, you have at least saved your (his) personal data ... certainly worth $30.

 

You might consider trying to repair XP, depending on what you're seeing and if you have access to a repair CD, etc., etc. Best leave that to your computer geek, since he'll be looking at the system.

 

As far as antivirus, I've come to like PC-cillin a lot. And I can vouch for the fact that it works well with SpySweeper: I leave them both running 24/7 on various machines (all running XP Pro) and all is well.

 

Good luck. Congratulations on getting this far.

 

BG

Link to comment
Share on other sites

Nah. Just do what most of my friends do: put all of your really important records on one computer and then use it every day, put the family pics on it, use it some more, load a bunch of games, surf the web, go to the porno sites when the spouse isn't looking and then be flabbergasted and amazed and astonished when this machine breaks down and you are facing a loss of tons of basically irreplaceable information... everyone knows that machines are indestructible. They never break, they

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
