
Computer Hacked, Then Hijacked [Closed]


  • This topic is locked

#31
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's try this

1. Restart the computer.

2. Repeatedly tap the F8 key until you see the Advanced Boot Option Screen.

3. Select Repair Your Computer and hit Enter.

4. Select your country >> OK.

5. On the System Recovery Options Screen select Restore Application.

6. Follow the on-screen instructions.

8. When prompted, select "Full Factory Recovery"

9. Select Next >> Yes.

10. After a couple of minutes the recovery will be completed.

#32
traveler818

    Member

  • Topic Starter
  • 140 posts
This time F8 worked 2 out of 2 times. But...

(I believe this is the right order, but don't think it matters here). When I select the country, I get prompted for a password, and I get a list of 3 users: Me with my name misspelled (e at the end), HomeGroupUser$, and Singer. This time, I tried HomeGroupUser$, which redirected me to a password for my homegroup (I haven't had time to figure out what a homegroup is...). Twice, I tried the new homegroup password, but the computer said it was wrong. I then chose Singer, and tried every password I can remember using recently to no avail. So having password protected my name with the right spelling (a on the end), it still took my password, but gave me the same window I got before: "System Recovery Options," and again, my only option was "Startup Repair." I don't recall where it appears, but I do recall selecting it both times: "Advanced Recovery Options." Someone at Microsoft said he preferred I remove this computer altogether because the hacker has too much information about it. I can't afford that, so the other option was to get an IP address that changes (I think I have that, but my ISP has a bad habit of throwing out answers without being sure.) And I was to change my online identity & all passwords. Singer was going to be my new online ID, but I felt I had jumped the gun so did not use it. It never had an acct. or a password. But it appeared somewhere, so the password holder knew about it.

I did some research and discovered a few things, which, to avoid confusion, I will post in a new window if possible.

Edited by traveler818, 12 November 2012 - 09:39 AM.

#33
traveler818

    Member

  • Topic Starter
  • 140 posts
Today's research (Sunday): I double-clicked the X17....iso icon on the desktop. I got "What program do you want to use to open it"--there were several choices, but I am not that advanced, so I chose Internet Explorer.

That got me View Downloads. (addendum to last post: My inability to get the boot from CD/DVD window may not mean anything since that is standard, sometimes things work, ofttimes they don't. I do not recall how I got that window before).

Under View Downloads was a list (the option to select was not available so I have to type it all in) here's the list:

o--X17-58996.iso 2.38 GB Under Actions, I got "Do you want to open or save this file?" Each file had its own box and on the second line under X17..., was SINGER-PC. I chose open and the file disappeared. Somehow I got it back. Now one of my options under "Action" were run and save which I chose. The path on the second line was now: file:///C:/Users/Mette/Desktop

Under location, on the following files, I got desktop, and under Action, I got "Run." On the second line, I got the path--I will type it on the first entry only (for my sake)

o OTL.scr
oldtimer.geekstogo.com

o Setup IMGBurn_2.5.7.0.exe

o MajorGeeks.com

o OTL.exe

o Reimage Repair

o x17-58996.iso This time under "Actions" I got "Run" and on the second line, msft.digitalrivercontent.net

o The last was Firefox setup.

There should have been 4 OTL files, since he gave 3, you gave one. I tried to run the OTL.exe file, but I think I got blocked by the password, which may be why the other OTL file(s) I downloaded don't appear (I was probably blocked by the password, but did so much yesterday, I do not recall any more than trying to download them). I have spent far too many hours on this and am doing my best to stay on top of it, but I am tired, and far from a seasoned user.

I double-clicked the OTL icon again and it downloaded from desktop to desktop. Then I got the Disc Image Burner.

I was trying to get to UAC to see what was up with singer, but needed a password to get in. As I recall, the 3 users in UAC are HomeGroupUser$, Singer, and Metta (not sure how she spelled it).

I probably should have left this alone since I have no idea what it is but I found the Credentials Manager. It had 3 options, but none had credentials. The third was generic credential, and I added Singer-PC since she had created that. I am beginning to suspect that is what she is using as her administrator acct. Even SYSTEM is gone. I wrote persistence: enterprise, but don't recall why--I am getting little rest and fighting a cold, and burnt out--failure after failure and being sick do that to me. Finding that I couldn't undo the generic credential (I think I can but wasn't going to try anything else that was unclear.) There were a couple of options, but they made no sense to me--I had discovered that as far as I know that had no effect. I hoped it would somehow get me into UAC, but nothing worked.

I then found "Profiles stored on this computer" There was one: singer-PC\Mette 9.61GB Local

Under Variables Environment, I found os-Windows-NT, and 2 temp files (one was temp, one was tmp). Then Username: SYSTEM. If you need the names of those temp files, I may need your help getting back there. What was noteworthy to me were:

singer-PC\Mette and finding SYSTEM. But I do not know what it means or if it is of any help. Except for the credentials mgr (a desperate act), all I did on the rest of these is mostly just look, unless it is posted in this box. This is where I found myself listed as a standard user.

In trying to burn IMGBurn, I clicked a link from koyotesoftware.com. This came as a surprise: I was asked again for an administrator password to remove it, but I do not recall installing it, nor have I seen it in my control panel.

Edited by traveler818, 12 November 2012 - 09:40 AM.

#34
traveler818

    Member

  • Topic Starter
  • 140 posts
Monday: I created the X17...iso file twice. When asked if I wanted to save or run the file I was going to download, I did one of each. When I click their icons on the desktop, I get Disc Image Burner. But a third icon, labeled Mettas (C) shortcut gives me what looks like the whole os. I don't recall creating it, but I may have. I don't know if I put Mettas (C) on it. The icons look like the one for the flash drive when I click computer, and the one with Mettas... has the Windows shield on it.

If I go to the library, do I want to burn IMGBurn onto the third DVD, or onto its own CD?

Edited by traveler818, 12 November 2012 - 09:52 AM.

#35
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Imgburn is the programme to use that will burn the ISO to a disc for you to then boot from

So the order will be

1. Download the ISO to your desktop
2. Download and then install Imgburn
3. Run Imgburn
4. Insert DVD in the drive
5. Select write image file to disc
[attachment=61460:screenshot_ezmodepicker.png]
6. In the dialogue that opens select the Windows ISO on the desktop
7. Select write
8. Once done you will have a bootable Windows install disc

#36
traveler818

    Member

  • Topic Starter
  • 140 posts
Thank you. I have 2 simple questions but am too tired (and caught a cold) to create clear sentences-I tried twice, so I will post them tomorrow since right now my brain is cotton.

And thank you.

Edited by traveler818, 12 November 2012 - 08:20 PM.

#37
traveler818

    Member

  • Topic Starter
  • 140 posts
Take 3. I meant no offense with the bold type. I felt my post was too long, and my eyes saw little difference between the 2. Italics were worse. I should have clarified--my intent was to try as best I could to highlight what I thought most important, but not wanting to leave out anything important, I hoped you could just scan that part. I was also too tired to realize that you had no way to know that. Because everything gets deleted, I have been working on this for about 4 hours--that is typical and it was the same last night. I couldn't see the difference in the text until daylight. Please accept my apology--I was trying to give you less reading but was too tired to realize that you couldn't know my intentions were good, (and I will get a brighter light). I am truly grateful to you. I hope this takes..

I got control back but I still want to restore this to factory default. It is a nightmare to work with. It will not read the green discs, so can we move ahead? Things were changing on the desktop while I was typing. Yesterday I had 3 unlabelled icons--the same ones used for drive E. They all had the Microsoft shield on them. Today the first two are labelled:

They are shown as Type: Disc Image File. The first one is the one I saved. It is labeled X1758996, and the second I chose run. It is also Type: Image File, labelled X1758996(1).

Those now have icons that look like text files but with a CD in the middle. The shield is gone.

When I R clk the first two, I get, along with the usual, Burn Disc Image first in bold type, open file location: IE, Windows Disc Image Burner, and choose default.

The third is still labelled "myname's (C) shortcut". Instead of Type Disk Image, I get location myname's (C). The menu starts with Open in bold, open file location, format and the usual. This one still has the icon for drive E and the Microsoft shield.

#38
traveler818

    Member

  • Topic Starter
  • 140 posts
I couldn't bear to start over a 4th time, so this is part 2. Before I became the administrator, the third icon opened and appeared to contain my program files. I just took another look (L. clk) and see the same thing with a couple I do not recognize--They may have been installed by the other person. Oddly that is 2/3 of the page, the third part is my favorites list, which is one of many that has been continually popping up over my work. Though today the main problem for now is deleting.

I prefer to leave that alone, meaning without guidance. Do you need to see it or any of the files? I can use the snipping tool and send a copy of the list. I can open any file and do the same but not unless you tell me to.

Ie the ISO disc, is that the one I described with the program files? If so then it is on the desktop. Where do I burn and install IMGBurn (onto a CD or...)? We are now completely out of my league.

After that should I run the malware/spyware cleaner first before--I just had a long call from Europe and have spent most of today trying to type this. I am going to post this and take a quick look at the X17 file. If I find anything noteworthy I will post it.

I really hope you understand that I was trying to make less work for you and you have my genuine respect. I fear I made more unintentionally. Worse, I pray you did not take it as any kind of message. If I had a problem, I would tell you (and I would be an idiot to do that). Perhaps I was too tired to remember to tell you my motive. After retyping for many hours a day, my brain gets fried. I will not preview this. It is too risky.

#39
traveler818

    Member

  • Topic Starter
  • 140 posts
The disc contains more than my favorites. It has a list of everything--desktop, computer, music, network etc. I misread it--it doesn't show my favorites list, it is just one of the parts of the computer.

#40
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
This is what you should see in the X17 folder when opened

[attachment=61535:Capture.JPG]

It is the entire Windows installation files/folders

What we need to do is burn the X17.iso folder to a DVD as a bootable system

Install Imgburn

Insert a blank DVD
Run Imgburn and select write image file to disc

Posted Image

Navigate to and select the ISO file

Posted Image

Once selected then press the write button

The DVD will then commence burning

Posted Image

Once it has burned it will open the CD tray and then close it again so that it can verify that the burn was correct

Posted Image

Once the verification is complete the CD tray will open once again.... You now have a Windows 7 DVD

To now reinstall windows from the DVD follow the step by step guide here

#41
traveler818

    Member

  • Topic Starter
  • 140 posts
I am at a complete loss. I have viewed all 3 iso files on the desktop every way I can think of.

As before, when I open the iso icon that looks like the drive E icon, I get a window similar to the first one you posted, with program files on the right, and the start menu on the left. I get none of the options across the top of the page in your post.

I don't understand Capture--I don't know how else to get a picture. I took a rectangular snip, but get the whole page and I cannot get it here.

I tried cut and paste, and drag & drop. I can't select it. I tried copying it to a CD in hopes I could then copy it from there to here, but got a warning that running the file could destroy the computer(?--I wasn't trying to run anything). It looks to me like my window contains all of Windows, but it's not the same window as yours.

The former administrator is not done. She made so many changes that I no longer know this computer. SYSTEM is not in UAC--I was blocked by it when I tried something. I wish I had contacted you first. I was blocked from doing something else because I needed permission from the TrustedInstaller. (I just cracked a rib and have spent 4 nights awake with a mosquito & a cold--fuzzmuddled). I really need my computer back so I can get medical care before things get worse.

NEW PROBLEM: After I shut down, the internet and DSL lights stay green: If I unplug the DSL cable, they flash red. I can do a lot more as admin, but she still has control. I turned off remote access.

I'm sorry this is being so hard. All I asked from her was help getting back in & free of the hacker. I hope you will walk me through this though I no longer know my own computer, I can follow directions, but am getting the wrong results. Maybe with admin privileges, if I get past this, I should be able to follow through. (I don't want to cancel).

#42
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, when you run ImgBurn do you get the same picture as my screenshot here?
Posted Image

#43
traveler818

    Member

  • Topic Starter
  • 140 posts
Is this at a point where I'm missing something and maybe we are close--I think I have all the program files, but can't seem to get that window you posted. I have learned to trust the experts and leave it alone if I do not understand it.

Or, now that I can download, would it be easier to start over with Toshiba's instructions? When I tapped F8, it worked--the hitch was that I couldn't get the entire options window--as admin, I should be able to, though I do not know what else was changed on this computer.

(Do these procedures restore my Toshiba files?--the hacker deleted most of them).

I think I saw a reference yesterday to a recovery partition (I saw it before too, maybe on their website (?)). It's hidden, but I think it is there, and one of these procedures will get to it.

If I can download and run programs, then it is a matter of choosing the best/easiest/quickest way to go from here, whether or not we find the partition. It really is serious--I have to get medical care and it isn't here. Thank you for all you have done so far. I am really trying to work with you as best I can for us both. I have a lot to learn, and changing my computer to suit the preferences of someone who won't be using it has made this so much harder.

Cancel keeps popping up--is that what you want me to do? (not my choice) If so, is there someone else who will fill in? If not, I'll keep checking back.

Edited by traveler818, 16 November 2012 - 04:45 PM.

#44
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Is this it?

OK, let's try this

1. Restart the computer.

2. Repeatedly tap the F8 key until you see the Advanced Boot Option Screen.

3. Select Repair Your Computer and hit Enter.

4. Select your country >> OK.

5. On the System Recovery Options Screen select Restore Application.

6. Follow the on-screen instructions.

8. When prompted, select "Full Factory Recovery"

9. Select Next >> Yes.

10. After a couple of minutes the recovery will be completed.


#45
traveler818

    Member

  • Topic Starter
  • 140 posts
Everything got deleted and it is late as I had a lot of computer problems today so I will cut to the chase.

I am almost certain that the misspelling of my name is the problem.

I got to recovery options but had only 2 passwords to choose from, HomeGroupUser$ and my name misspelled. Hopefully I can use TA for the proper spelling and TE for hers, if it's OK with you. (For ex. Karen\Caren (KA\CA).) Where she did not want me to go, the computer was programmed to add the suffix, which limits what I can do: in my case: I typed TA-PC. The computer added to it-- TA-PC\TE, thus limiting my admin privileges hoping I wouldn't dig any deeper.

I changed the wrong spelling wherever I could. I can't change the spelling in Recovery Options. And since it was wrong, I got maybe 4-5 entries, but not the ones we need--Restore Application....Then the computer said it couldn't start (still in the same window with the Options). It repaired itself eventually. Why, I don't know because all I did was look.

If I am trying to do something to which she would object, the computer adds a suffix. So where I type TA-PC, it types TA-PC\TE. This apparently gives me limited administrative privileges so I got more options, but not all, not what we needed. She renamed the computer Singer-PC. I hope this is enough for now. I don't have a lot of life left and it is every day at this computer. I am too tired to go on, and hope you got the important part, which is the majority.

SYSTEM blocked me today but I have no idea where it is and can no longer access the window that gives user names and permissions. It was her intent that I find the window showing only me as the Admin, and maybe the other that added guest as off. She created and hid an acct for herself. All told, several, under Default Files (I think) then Network: (Users share) An empty Admin folder, TE, singer, and Public. TE and singer have lock icons. Singer is her acct.

So I now have 2 User accts (can explain 2 tomorrow) & one Admin acct. She renamed the computer Singer-PC. Under my profile, I am singer-PC\TE. My changes haven't been taking lately--I will see tomorrow. But I have no doubt that that is the main issue. If I can get my name spelled right systemwide, I can have my computer back. Please tell me that is easy.

I created a system repair disc today (from Windows), but need to try to get it to work tomorrow--no luck today. I doubt it would look for misspelled foreign names. I must admire you--this stuff is hard, but I need to know all I can.