hijacked with no escape
| yanqui 2004-08-14, 9:33 am |
| *sigh*
This friend--the one that uses IE and DSL with no firewall and no AV--and calls himself "Doctor" (a legitimate title, I might add)--Are we going to have to uninstall his OS?
They run WinXP, he cannot for the life of him remember where he has stored the installation disk. IE is part of the OS, so uninstalling is not an option--or is it, if we reinstall it?
The browser is so seriously hijacked and the computer is so seriously infected that they cannot even hop onto the 'net to download a different browser or the worm extractor. Somewhere in my stash of books I have a disk with a couple of different browsers on it but I'm not going to find it this weekend.
Is our next best bet to uninstall XP and reinstall it, or to reformat completely (trying not to do that because of all the other files that would have to be moved and stored)? If we uninstall the OS, is the worm still there? Seems like most of those files, unless we remove them manually, would be, and they'd know enough to reset the registry keys.
As I'm working this out on screen, it's looking like an fdisk/mbr solution is called for. What about it? | |
| jkhnwspec 2004-08-14, 10:05 am |
| quote: Originally posted by yanqui
*sigh*
This friend--the one that uses IE and DSL with no firewall and no AV--and calls himself "Doctor" (a legitimate title, I might add)--Are we going to have to uninstall his OS?
Maybe, just depends on the extent of the infection or whatever has been taking over.
quote: They run WinXP, he cannot for the life of him remember where he has stored the installation disk. IE is part of the OS, so uninstalling is not an option--or is it, if we reinstall it?
I think you can tell it to repair itself, but I don't think that will do you much good until whatever it is has been removed.
quote: The browser is so seriously hijacked and the computer is so seriously infected that they cannot even hop onto the 'net to download a different browser or the worm extractor. Somewhere in my stash of books I have a disk with a couple of different browsers on it but I'm not going to find it this weekend.
What are the symptoms? What happens when they try to do the above?
quote: Is our next best bet to uninstall XP and reinstall it, or to reformat completely (trying not to do that because of all the other files that would have to be moved and stored)?
I would consider it a "last resort" method. Something to consider when all else fails. The caveat with this is, unless something is done about "the no firewall or AV", they may be in the same condition shortly after reinstallation.
quote: If we uninstall the OS, is the worm still there? Seems like most of those files, unless we remove them manually, would be, and they'd know enough to reset the registry keys.
That depends on what was saved. Those pesky ones that re-add themselves to the registry and make several copies of themselves can be defeated, but it takes some serious patience and a system you can use to look up stuff you will need to help eradicate it.
quote: As I'm working this out on screen, it's looking like an fdisk/mbr solution is called for. What about it?
If the MBR (Master Boot Record) has been overwritten, this might help in that instance, but I believe the way to do it in XP is to boot from the install CD, then choose repair (Yes I know I'm skipping a few things) the boot record.
Do a google search for X-Cleaner Free. It will fit on a floppy disk. After you copy it to a floppy, write protect the floppy disk.
That will be a start.
HiJackThis can be put on the same floppy too. That will help identify which keys in the registry have been added/hacked.
Keep us posted on your progress. | |
| sandy7000 2004-08-14, 12:01 pm |
| I have the blaster patch. There are so many variants now. If he can't find the installation disk, he most likely hasn't kept up with the updates (i.e. he's not very computer savvy/aware) so this could be part of the issue.
I can't attach an .exe (gee, I wonder why).
I'll turn it into a zip & upload it in a bit. | |
| sandy7000 2004-08-14, 12:30 pm |
| The file's still too big after zipping to attach. I don't think pm will work either. I've not seen the patch on MS website for a while. If you would still like it, just let me know.
Also, Mozilla Firefox is an effective internet browser once you get him repaired. | |
| enforcer 2004-08-14, 6:15 pm |
| Why are you trying to upload an attachment?
I would say nuke it. | |
| curiousgeorge 2004-08-15, 3:34 am |
| Try booting up in Safe Mode with Networking
then go to housecall.trendmicro.com and run an online scan.
After that, download the free av software from www.grisoft.com
Hope that helps. | |
| sandy7000 2004-08-15, 1:11 pm |
| Yeah, I wasn't thinking too much when I replied...knee jerk. It does say you can attach a zip.
Anyway, I'm not the brightest bulb on this string where this stuff is concerned. The others will have better advice. | |
| me? I dunno... 2004-08-16, 3:25 am |
| quote: my computer doesn't work!!!!!!!!!!!!!
pfffft!
why not just call in the censors? | |
| enforcer 2004-08-16, 9:32 am |
| quote: Originally posted by me? I dunno...
pfffft!
why not just call in the censors?
Why?
Are they the people we need to call to help us make sense of your posts? | |
| yanqui 2004-08-16, 10:33 am |
| Lesson: there are certain users with whom no presupposition is valid, regardless of how reasonable the presupposition. The first thing I told her to do was call the ISP to find out if they were having issues at the server. When she called back, I (won't do it again!) assumed that she had called and that we were dealing with something else. She hadn't. When she finally did, guess what? Turns out that they had placed an order with the ISP to change the type of service, and the change called for cancelling current service and initiating the new service. The cancel got processed, but the new service didn't.
NOW they can download the fix for the bagle worm they have, and I think I have drilled into them the importance of protection. This fella is one of those that really would like not to have his children immunized, and it's sort of the same mindset. He's ready to go into the registry and make changes, but when we talked about doing that, I said, "no you really don't want to do that because you have to make a backup of the registry, and then you're backing up whatever virus entries are there as well. USE THE FIX FROM THE SITE I GAVE YOU! AND GET SOME AV PROTECTION AND GET A FIREWALL!" In fact, even if he just activated the one XP has, he'd be better than having nothing.
Oh, one more thing. I think I've convinced them to ditch IE. | |
| jkhnwspec 2004-08-16, 11:18 am |
| quote: Originally posted by yanqui
Lesson: there are certain users with whom no presupposition is valid, regardless of how reasonable the presupposition. The first thing I told her to do was call the ISP to find out if they were having issues at the server. When she called back, I (won't do it again!) assumed that she had called and that we were dealing with something else. She hadn't. When she finally did, guess what? Turns out that they had placed an order with the ISP to change the type of service, and the change called for cancelling current service and initiating the new service. The cancel got processed, but the new service didn't.
NOW they can download the fix for the bagle worm they have, and I think I have drilled into them the importance of protection. This fella is one of those that really would like not to have his children immunized, and it's sort of the same mindset. He's ready to go into the registry and make changes, but when we talked about doing that, I said, "no you really don't want to do that because you have to make a backup of the registry, and then you're backing up whatever virus entries are there as well. USE THE FIX FROM THE SITE I GAVE YOU! AND GET SOME AV PROTECTION AND GET A FIREWALL!" In fact, even if he just activated the one XP has, he'd be better than having nothing.
Oh, one more thing. I think I've convinced them to ditch IE.
Thanks for the update!
I have a system at home right now, from a friend of mine and they should know better, that let their anti-virus subscription lapse and got behind on the latest XP patches... and managed to get the MyDoom.F virus. They brought it to me for a different reason (click of death, wouldn't boot), but when I finally got it running (actually their slave drive had the click of death), I discovered the MyDoom.F. I downloaded the MyDoom fix from Symantec's site and on first run, it found nearly 8,000 occurrences of this (I can't say this here). I believe I have things in order now, but I can't make them do something that should be obvious. | |
| yanqui 2004-08-16, 11:28 am |
| My friend's husband is a good friend, a very smart guy, but he hates to admit that he's not as knowledgeable about computers as someone else is. Maybe I hear this on the news, about hack attacks and such, because it's what I do, and maybe most people let it fly over their heads. I asked him, "with all this going on in the news, HOW could you even consider connecting to the 'net without virus protection, and HOW could you consider DSL without a firewall?"
And my friend's aunt's system got wiped out by someone who wanted to install ISP software that was not compatible with Microsoft Anything. So now she has no operating system and won't call for help.
On a side note, I tell people I'm a nerd, not an official geek because I've never contemplated installing a computer in a car. | |
| enforcer 2004-08-16, 11:29 am |
| quote: Originally posted by yanqui
Oh, one more thing. I think I've convinced them to ditch IE.
I think you need to convince them to ditch using a computer | |
| yanqui 2004-08-16, 11:35 am |
| quote: Originally posted by enforcer
I think you need to convince them to ditch using a computer
Maybe just to stick with what he knows. He has two profiles set up on it just because the computer is capable of it. I don't know, maybe I'm naive, but if I need to keep my spouse from access to my computer files, I need another place to do that work, or I need another spouse. OR something like that. He keeps talking about editing the registry, and I keep talking him out of it, so far. I think he really wants to reformat, just because it's something he knows how to do to fix things. | |
| enforcer 2004-08-16, 11:35 am |
| quote: Originally posted by yanqui
On a side note, I tell people I'm a nerd, not an official geek because I've never contemplated installing a computer in a car.
You trying to say something?
As a side note the thing has managed to help me keep my driving licence (in fact it's totally points free at present), got me out of a few 'lost' positions and helps keep the kid quiet. | |
| yanqui 2004-08-16, 11:43 am |
| Let me tell you about Alabama and driving and technology--Alabama and driving mix well; technology fits nowhere in the mix.
I know several people who have done the carputer thing, just because it can be done; it's cool, I guess. Laptop? Same thing to me, and the portability aspect makes it better to my purposes. GPS works just fine with it. My niece, who is a cartographer, has a really cool GPS; she's never lost. (That would really look bad, wouldn't it? A mapmaker getting lost?)
Downside--went for another job interview a week ago Friday--fabulous job, the interviewer actually talked me into going for the interview; I applied for a lesser job, which in reality is the job I interviewed for, but with a different title. Didn't get it.
Upside--I'm still not giving up.
One of our techs here has given notice. Who cares? | |
| jkhnwspec 2004-08-16, 12:38 pm |
| quote: Originally posted by yanqui
Upside--I'm still not giving up.
One of our techs here has given notice. Who cares?
You should care. Let them know again of your interest. They just might take notice this time. | |
| yanqui 2004-08-16, 12:43 pm |
| You're right, I have NOTHING to lose! I QUALIFY TO DO THE JOB!
so there. | |
| enforcer 2004-08-16, 1:12 pm |
| quote: Originally posted by jkhnwspec
They just might take notice this time.
Yeah! They might just take her notice | |
| sandy7000 2004-08-16, 2:47 pm |
| quote: He has two profiles set up on it just because the computer is capable of it. I don't know, maybe I'm naive, but if I need to keep my spouse from access to my computer files, I need another place to do that work, or I need another spouse.
Wow!! Kind of puts you in between them, doesn't it? Good job on the fix, though. Sorry I couldn't be of help.
quote: .....and helps keep me quiet.
Aren't you supposed to be the one driving, Enforcer? | |
| yanqui 2004-08-16, 2:53 pm |
| quote: Originally posted by sandy7000
Wow!! Kind of puts you in between them, doesn't it?
Not at all, the lady knows her limitations: email, im, etc. She also knows her husband's limitations.
We're a team on the solution, and he's still thinking "reformat is the way to go." Whatever. I told her even with a reformat, he still needs to run a virus scan with the latest virus defs first thing, and DO NOT CONNECT WITHOUT A FIREWALL!!!!!
quote:
Aren't you supposed to be the one driving, Enforcer?
I understand that with him "driving" is a relative term with a very loose definition. | |
| sandy7000 2004-08-16, 3:01 pm |
| quote: I don't know, maybe I'm naive, but if I need to keep my spouse from access to my computer files, I need another place to do that work, or I need another spouse.
Oh, I took that statement to mean he or she wanted to hide stuff from the other half.
I'm just getting old & cynical...which can be fun. | |
| yanqui 2004-08-16, 3:06 pm |
| quote: Originally posted by sandy7000
Oh, I took that statement to mean he or she wanted to hide stuff from the other half.
No, he probably just set it up with two profiles because it can be done and he figured out how to do it. That's how he is about technology--should doesn't enter the picture if can is involved. It just never occurred to him that it wouldn't be the best thing; he figures if it's available it must be good. He knows just enough to be dangerous to himself and others. He's a nice guy, and he's a chiropractor, but he's not my chiropractor! (I've seen what he does to computers--I'm not letting him NEAR my bones and joints!) | |
| yanqui 2004-08-17, 5:17 pm |
| AND to top it off, the phone company over-anticipated the date of their impending move (it's Friday/Saturday) and cancelled their local phone service on Monday with a promised start date of this Friday. I'm not even sure these people walk on two legs! | |
| sandy7000 2004-08-17, 5:48 pm |
| quote: He's a nice guy, and he's a chiropractor, but he's not my chiropractor! (I've seen what he does to computers--I'm not letting him NEAR my bones and joints!)
Ouch!!!
quote: AND to top it off, the phone company over-anticipated the date of their impending move (it's Friday/Saturday) and cancelled their local phone service on Monday with a promised start date of this Friday.
Double ouch!!! At least it's an easily solved problem. Frustrating, though, I'm sure. | |
| yanqui 2004-08-17, 6:05 pm |
| quote: Originally posted by sandy7000
Frustrating, though, I'm sure.
Yes, she's a full-time homemaker, which means her conversation is primarily geared toward that which can be understood by a child of 3 and one of 1. She calls me nearly every day, and I enjoy hearing from her, and I know she appreciates having adult conversation at some point during the day. Now that they're limited to airtime minutes, they have to be sort of conservative with them for a few days. Fortunately, ONLY a few days. | |
| sandy7000 2004-08-18, 1:49 pm |
| quote: Yes, she's a full-time homemaker, which means her conversation is primarily geared toward that which can be understood by a child of 3 and one of 1.
She's fortunate to have you as an outlet.. and to save them some pc repair $.
I read somewhere that being a full-time homemaker is the equivalent of 2 full-time "paying" jobs. With the cost of day care, it's probably not going to turn out to be much money if both people work when they have little kids. I'm glad she can stay home. I don't know how women who work out of the home & have small children survive. That's 120 hours of labor/week! Paisleyskye's an example of that: career woman w/ 4 kids. I don't know how she does it. | |
| yanqui 2004-08-18, 1:58 pm |
| Neither option is easy. Not long ago I was loving the chance to be with my kids. When we had to buy another vehicle, I had skills to fall back on. My friend doesn't have any office skills, and you're right, daycare is really expensive if you can't make more than about $9 an hour, and without skills, that's not to be had.
I have another friend whose uncle just sat down and started monkeying around with her computer and now her MBR is screwed. As the story unfolded I was just shaking my head and asking, "WHY would he do that?" Well, both of the guys are examples of people who think they know a lot about computers. And it just flabbergasted me that someone would sit down at someone else's computer and start changing things.
Pity the fool who does that to mine. It's not much, but right now it works. | |
| me? I dunno... 2004-08-19, 12:47 pm |
| why not just unplug the network cable, boot the machine, press ctrl,alt,del, log on, head to task manager, kill any unwanted .exe, then connect and get online help?
I'm guessing the system restore option has been broken? | |
| yanqui 2004-08-19, 12:56 pm |
| All very good options. And all moot at this point, because of the "no internet at this time" factor.
There weren't lots of .exe's running, he's kept that pretty clear.
His msconfig kept shutting down, and "system restore" wouldn't even show its face, so there's infestation that has to be handled first, and lots of his problems will go away with that. We've run spybot and adaware, and until he has virus protection and enables his firewall, I hope he doesn't hook up his internet connection at all. (They're moving this weekend, it's a good time to do all the fixes needed as they set it all back up.) | |
| sandy7000 2004-08-19, 1:01 pm |
| It might be Trojan.AHero
Happy bug hunting! | |
| yanqui 2004-08-19, 1:08 pm |
| I can't remember which one, now, I have all that stuff written down along with the steps I took to troubleshoot and what I recommended to him. I can say definitely that one exists based on registry keys, symptoms and files that have appeared out of nowhere. And I feel strongly that when we eradicate the one, there is another one still there, but until the one I know is there is gone, I can't accurately assess the symptoms.
I love this stuff! | |
| yanqui 2004-10-06, 10:56 am |
| People who "know a lot about computers" are their own worst enemies. After I kept telling the guy what he needed to do, he kept messing around to the point that now he really has to reformat. I had even tried to convince him to uninstall the OS and reinstall it, but he's going to do what he wants to do. Then while we were talking one evening another fella who "knows a lot about computers" got involved in the conversation and he swears he'll never get rid of IE, he's never had a problem with it and will never ever use netscape.
Kind of like running a stop sign repeatedly simply because you've never been hit.
It's all good.
How am I today? Cautiously optimistic.
wandering through my brain and I got lost. |