artphoto by splunge
artphoto by TheophileEscargot
artphoto by Kronos_to_Earth
artphoto by ethylene





Mecha Wiki

Metachat Eye


IRC Channels



Comment Feed:


15 February 2010

Ask MeCha: I have a problem ... [More:]
My desktop PC has a browser hijacker. (I'm on the netbook until it's sorted.) I've run every malware/spyware/antivirus application I can find, I've done the MajorGeeks malware process step-by-step and still my browser keeps being hijacked.

So, I've decided that the best thing to do would be to reformat. I'm backing up all documents, etc. onto my external hard drive, including a Belarc scan and MozBackUps of T-bird and FF. I have disks for MS Office and just about every other app I use is freeware.

My desktop is a HP Compaq Presario, and I intend to follow these steps. Will this destroy the evil worm?

I've never needed to reformat a computer before so this is all new to me. Hence, if this is a stupid question, feel free to point and laugh, I won't mind.
"MozBackUps of T-bird and FF" Just your data? Not the actual programs?
posted by arse_hat 15 February | 13:19
I can download T-bird and FF once the reformat is done. I did that with this netbook - and I'll make sure I download the same versions I've got now.
posted by essexjan 15 February | 13:43
Formatting should kill 'bout anything. The trick is not to re-introduce the worm as you recover your data onto the new build. You could use a tool like DBAN to really scrub the disk before starting anew. However - if you don't have a CD that is clearly the XP media, DO NOT use a tool like DBAN. Microsoft tried to discourage vendors from including a physical CD, and had them hide the XP installer on the HD... DBAN would destroy this.

The HP process looks good. As you know, it is designed to take you back to the "ground floor". More notably, it will return you to the default security posture of Windows XP, circa the date of manufacture of your PC. (SP1, SP2, etc...) That is invariably outdated. So once you are done with the HP process, you must immediately apply all available Service Packs and updates.

Grab the full installer for XP Service Pack 3. Grab the latest version of IE8. Run "Windows Update" from the start menu multiple times until it reports nothing left to update.

XP is pretty good about having drivers included "in the box", but it's safest to collect everything on your own in advance. Network & Wireless drivers especially, but Graphics, too. (If the network works, you can bootstrap the rest) I tend not to use the provided omnibus driver installer CD from the manufacturer, as they tend to install lots of useless & poorly crafted software that is not needed to run the PC. I try to manually download the individual driver packages - Stay as close to a 'pure' Microsoft install as possible. I once saw a statistic that roughly 80% of XP crashes were due to poorly-written Graphics drivers & ancillary video utilities.

As for backing up & restoring your data - I like the Microsoft tool "USMT" User State Migration Tool. It's designed for desktop support personnel who are moving users between PCs, so it grabs all the unseen profile settings. Treat the resulting backup as being 'dirty' - It may be infected with your malware, so only reload it if you find your other backups have missed an important document / setting.

Good luck, stay calm, you'll be fine.
posted by Triode 15 February | 13:56
Thanks Triode. I can't update to IE8 because the office remote access won't work on it, so I'll stick with IE7. The only thing I use IE for is the remote connection. But I'll make sure all the other service packs, etc. are updated. I'll do this on Wednesday when I'm working from home. That way I'll have all day to get everything loaded up.

posted by essexjan 15 February | 14:48
Sorry you have to do this. Setting up a machine again from scratch can be a pain. If you want to investigate further you could try some of these:

For redirects, I'd check the hosts file in an editor (like notepad). It's usually located at:

I'd also check for a proxy server:
In IE, go to internet options, connections tab, lan settings button, and check the proxy server setting. It should probably not be on unless you are intentionally running a proxy server for some reason.

I've come to like the eset online virus scanner lately, though I don't let it automatically clean or delete files. It's at:

I also like the autoruns tool ( to see what's running on my system. I've used it to disable viruses enough to allow me to run some scanners that wouldn't run otherwise... But it's kind of a geeky tool.

Good luck either way...
posted by DarkForest 15 February | 16:09
Thanks, DarkForest. All that is a bit over my head, to be honest.
posted by essexjan 15 February | 16:16
I recently, expecting to have to rebuild from scratch, solved this problem by downloading and running Malwarebytes.
posted by Obscure Reference 15 February | 20:46
I've tried that, OR, and it didn't remove the worm, which is a nasty one to resist all the recommended anti-malware stuff that's available.
posted by essexjan 16 February | 01:26
DarkForest - Good points. Did you know there are actually two available Proxy APIs for Windows software? There's WinHTTP and the older WinInet. Software can make calls to either one to sucessfully proxy connections to the internet... and the Windows/IE UI doesn't show any of the older WinInet settings. So there are hidden proxy settings which malware can hide behind.. You can stare at the correct (winhttp) proxy settings in IE control panel, and wonder how the hijack can still be working... it's probably using wininet instead. Fun stuff, huh?
posted by Triode 16 February | 02:57
Interesting, Triode. I'm not a Windows or PC expert by any means. I'm just a CS/embedded systems programmer guy. Still, the task of maintaining and fixing PCs for friends and family often falls to me, and I like tinkering with an infected PC just to see what's up with it.

The usual attitude nowadays seems to be to just reformat it and get on with life. Still, I know it can take me weeks or even months to get my PC back to where I really want it after a reformat. So I do what I can to avoid it.
posted by DarkForest 16 February | 07:36
the red carpet campaign || Sarah, plain and simple