Computer hijacked

ssal

I had to restore from an image for my laptop. The image was from earlier this year.

After the restoration, I browsed some of the sites I frequently visited. All of a sudden, the hijack message came up. There was not anything I could do to get rid of it. I tried updating my AVG and Malwarebytes, but they were stuck in the process. I guess the virus was smart enough to disable these updates.

Thank God I religiously create images with Reflect. Here again, I am restoring from the image for the 2nd time today.

I know the first thing I will do after it is done is to update the antivirus so it may not happen again.

Curious if I have to restore all partitions. Can I just restore some partition where this virus would reside? And which partition is it?
 
Are you sure it was hijacked? A lot of times, if you visit a bad website it will change your homepage or possibly pop up with a fake bluescreen. To get rid of the fake bluescreen you just have to open task manager and kill it. If it continues to pop up then you have been infected with something. What is the exact issue you were having?
 
It was hijacked.

The screen locked up with a message, both audio and display, telling me to call an 8xx number with my credit card. Reboot did nothing. The message came right back when I opened the browser again.
 
After the restoration, I browsed some of the sites I frequently visited
What sites?

It sounds like you may have either already been infected when the image was taken, or the image was in a pre-patch version of Windows using vulnerable old software like an ancient version of Chrome or similar.

It'd be worth revising your backup scheme to a data-based one instead of image as you could simply just fresh install Windows instead of relying on a full OS image.
 
Your homepage was hijacked. All you have to do is change it instead of restoring. What browser are you using?
 
The drive was restored from image. I immediately updated the AVG and Malwarebytes and they found nothing.
A couple of days later, the same thing happened again.

This time, instead of going directly to image, I shut down Firefox from Task Manager. Went into Control Panel/Programs and App to see what has been installed. The latest one had a name like "Microsoft Verification" something. I uninstalled that and rebooted. The problem went away and FF operates normally.

Any clue?
 
In the haste of getting my system back up, I didn't take down that info because I wasn't 100% sure that was the problem.

If I come across it next time, I will copy it down.
 
Here is the popup:
Error-2.jpg

This time, I forced closing of Firefox from Task Manager. Went into Program and App to find the culprit, but found none.
Rebooted the machine, and the machine functions like normal.
 
That's a scam. If this is popping up without you opening Firefox then you are infected and you need to scan your system. If this only appears while Firefox is open then you are visiting a scam website and you need to stop going there.
 
Install AdBlock or uBlock Origin (that's what I use). This is likely just from crappy websites. What specific sites are giving you these messages? This is likely just scareware and not actually an infection, although that's possible.

Edit: I'll defer to @johnb35 on whether or not it's a true infection but at least from what I've seen at work the past several weeks this is usually just crappy websites. I have seen something called DNSUnlocker pretty frequently that does this and is an actual infection. Might be worth a cruise through your installed apps to see what all is there. And your browser extensions for that matter. If it's doing it on all websites it's more likely an infection issue.
 
Edit: I'll defer to @johnb35 on whether or not it's a true infection but at least from what I've seen at work the past several weeks this is usually just crappy websites.
As I said in my previous post, it all depends on if this only happens while Firefox is open or if it happens when it's not as well. Infection if it happens while Firefox isn't open or just bad websites if it happens when it's open.
 
As I said in my previous post, it all depends on if this only happens while Firefox is open or if it happens when it's not as well. Infection if it happens while Firefox isn't open or just bad websites if it happens when it's open.
Noted. I'm still learning a lot on how infections act at my new job, so thanks for the guidance. I quite frankly don't have much exposure because I don't deal with it on my own stuff, which is how I've learned most everything to this point. Normally I've been able to fix this kind of stuff with just a Malwarebytes run and Super AntiSpyware. DNSUnlocker is the only one I've really seen much of as far as true infections that have been tough to remove. That was deep in the registry and took some registry wizardry to get it out, despite uninstalling it already. I think I saw 3-4 machines within a few days all have it and my manager said he's been seeing it a lot and it's pretty new.
 
I've also seen homepages hijacked so when you open your browser, you see this scam page. All it takes is to change your homepage. And just a couple weeks ago I came across a laptop that had something like this. Ran scans, removed a bunch of junk, still popped up. Used Task Manager to track down the process that was causing the popup. Ended up being a folder created in Program Files by malware but not caught during any scans. Once I deleted the folder, it stopped appearing. So I guess it could go either way.
 