Help me get my cursor back from the hijackers
November 23, 2017 2:31 PM

Last night it seemed I lost control of my cursor. As I tried to click it off it became obvious I’d been hijacked. I have disconnected from the net and don’t know what to do now.

I preface this with a description of my extreme incompetence with technology. I am suitably shamed. But I also approach not knowing the words to describe my problem or what I did or have done.

I have a two-year-old HP Pavilion. And perhaps Windows 10 OS. I’m not even sure how to find that out. I can’t find my OS disks but have my Office disks.

I think nothing super precious will be lost if I wipe the lot. Most of my stuff is in google drive.

Halp me! What do I do? Jadepearl is the most wonderful human alive and will follow this thread and explain to me what you say. Because I need little words and diagrams.
posted by taff to Computers & Internet (28 answers total) 2 users marked this as a favorite
Oh. It’s an HP Pavilion 15 Notebook PC
Windows 10 Home
Version 1703
OS build 15063.726
posted by taff at 2:43 PM on November 23, 2017

You need to describe what happened more clearly.
posted by humboldt32 at 2:45 PM on November 23, 2017 [1 favorite]

What kind of mouse are you using? Is it part of the laptop or a separate mouse you plug into the computer?

If it's a separate mouse, does it have a red laser light on the bottom? Those spaz out sometimes
posted by Jacen at 2:47 PM on November 23, 2017 [1 favorite]

I think it's much more likely that your laser mouse got confused and acted weird, or your ball-mouse got jammed somehow, or you had a smear on your trackpad, than it is that you were hacked. Try cleaning the bottom of the mouse, carefully, with some compressed air-duster and a few Q-tips slightly moistened with rubbing alcohol.
posted by pseudostrabismus at 2:50 PM on November 23, 2017 [5 favorites]

It’s a touchpad. It wouldn’t let me hit the power off button. Seemed to be opening up files and things. Like a picture.
posted by taff at 3:00 PM on November 23, 2017

Touchpads do do weird things sometimes. Or if you had a browser window open, it's possible it was spawning lots of ridiculous spam windows and picture pop-ups and things without actually having installed any malware on your computer. If that's the case, then turning the computer off, turning it back on again, and making sure the browser isn't running even in the background should mean that you don't see this behaviour anymore. When you open up your browser again, make sure it doesn't auto-open your previous tabs. (To be extra safe, you could uninstall and reinstall your browser, deleting all the user settings and not importing them into the new install. That will make sure any changes the dodgy website made to your settings won't carry over).

On the other hand, if you had just installed something before this started, or if you didn't have your browser open, or if the behaviour starts again when you turn the computer back on even with the browser not running, then yes, you probably have malware and that's beyond my capacity to help with.
posted by lollusc at 3:19 PM on November 23, 2017 [1 favorite]

Not sure if relevant, but the computer yesterday afternoon gave me a blue screen that had a QR code. It was processing for a while. I forced a shutdown and then it was fine until midnight, when the cursor started to act as if someone was remote accessing. I could not regain control, and only after shutting down WiFi did I regain control immediately.
The only other thing of an unusual nature by me was paying for a one-day VPN to watch some geo-coded material. The firm was hidemyname vpn.
posted by taff at 3:44 PM on November 23, 2017

Does it still work with WiFi turned off, or was that only a temporary reprieve?
posted by Huffy Puffy at 3:59 PM on November 23, 2017

It works fine without WiFi.
posted by taff at 3:59 PM on November 23, 2017

So, when you say it seems like you lost control of your cursor, do you mean that the cursor seems to fly about the screen erratically, and things open?

Or does it seem more intelligent, as if someone else is controlling it?
posted by umwhat at 4:13 PM on November 23, 2017

It was slow. Seemed purposeful and to be seeking out files. I’m reluctant to attribute it 100% to a hijack. But for all intents and purposes it looked like someone was slowly and carefully looking at things. Or opening things. I had so many browsers and things open it took me a while to get to the desktop to observe. And I just kept thinking my think pad was having a moment.
posted by taff at 4:26 PM on November 23, 2017

If I were you, or if you were my relative who called me with this problem, I would say to just wipe the system, just to be sure. The good thing about HPs is a lot of them have Windows recovery programs built in so you won’t need a disk - Windows 10 link.

Scroll down to the Getting Started section. (If you get an error, scroll back up and install the missing piece. You can download this to another computer, put the program on a USB drive, and then open it on your computer.) Follow the directions on the webpage under the System Recovery section. It should be fairly straightforward - I helped a relative over the phone with this and their HP desktop a few months ago, and I don’t remember any issues.

If you’re not in a rush, wait to see if anyone else has another solution first. I tend to be scorched-earth in these sorts of things. But, I know computer problems can be sort of panic-inducing, so if worst case scenario, you need to wipe it, you’ll be fine.
posted by umwhat at 4:31 PM on November 23, 2017

If we go scorched earth, what should get installed or removed? I just checked and there seemed to be multiple antivirals including McAfee, Avira and MS running, but no updates to their definitions, which is odd. Did a full restart and forced checks for updates.
posted by jadepearl at 4:44 PM on November 23, 2017 [1 favorite]

Oof, yeah, I would put money on the VPN service having installed some malware for you. Because you can't really know what else it might have done that you didn't notice, wipe and reinstall would be my recommendation too.

I would not allow that computer to connect to the network again until after I'd backed up all my files to an external hard drive, reformatted and reinstalled Windows. And then the first thing I'd do after letting it reconnect would be to install and update antivirus, and do a full scan of the backup drive. Then I'd reinstall applications I needed, and restore my files. It's a huge pain in the ass, and probably overkill, but in this case I'd go with over rather than under reacting.
posted by hades at 5:09 PM on November 23, 2017

Why not give the excellent freeware HijackThis a shot before going all daisy cutter on the puter?
posted by Chitownfats at 5:11 PM on November 23, 2017 [1 favorite]

Is this normal for Windows 10: Taff has her computer on airplane mode BUT it is overriding and hooked into my network. I was able to disconnect it, but it seemed weird that it has airplane mode but went to wireless, and listed itself as still in airplane mode while wireless at the same time.
posted by jadepearl at 6:02 PM on November 23, 2017

Is a full factory reset suggested or just system recovery? Now that we have more info?
posted by jadepearl at 6:17 PM on November 23, 2017

it seemed weird that it has airplane mode but went to wireless, and listed itself as still in airplane mode while wireless at the same time.

That can be normal. Airplane mode for iOS just means "no cellular" You can definitely have wifi going and cellular off. Usually, however, you need to go into airplane mode and then affirmatively turn wifi ON to have the situation you describe.
posted by jessamyn at 6:33 PM on November 23, 2017 [1 favorite]

I personally would do a full format of the hard drive and reinstallation from the system DVD (first backing up my documents), if that's an option. (That'd be the "factory reset" option in the HP documentation.) But that's mainly because I don't understand exactly how Windows' system restore points work. And also because you don't know for sure when the infection was -- it could have been the VPN installation, or it could have been something that got installed weeks ago, and only exploited recently.

As for the airplane mode thing, issues with the airplane mode icon remaining on despite not being in airplane mode (and the opposite) look common enough that support/complaint threads about them are easily found. It could be a symptom, or it could just be Windows being Windows.
posted by hades at 6:39 PM on November 23, 2017

I agree with hades that the VPN probably loaded up malware that allowed remote access. But since it probably didn't come with Windows 10 discs (or 8 if it originally came with 8), do an HP System Recovery. Basically you'd turn off and reboot the laptop, tapping the F11 key until it goes into Recovery Manager. You'd want to return to factory settings, making the OS reinstall itself from the recovery partition and erasing everything else. There are links to instructions for the possible system configurations on the page I linked to. Then let it run Windows updates until it is finished, install drivers, install only one AV program (I like ESET, but Avira rates better with 10. Never more than one at a time!), and check for malware with something like Malwarebytes before you get any further. Do not do any sensitive tasks on that machine until you are certain that it isn't infected.

Downloading and installing Windows 10 from a flash drive is possible, but a lot more tricky to do. Discs would be worse.

The safest thing to do would be to physically remove the infected hard drive and replace it with a new one, but that's probably overkill. And would require getting an install copy of 10, as well as possibly having all of the HP drivers downloaded and ready to go.

Note: On every Windows laptop I've ever used, and every Android device, Airplane mode turned off all radios (wifi/cellular/bluetooth), but without a hard switch (as opposed to a software switch), that would be easy to spoof. The two business laptops I maintain have hardware switches, but the consumer one does not, and I think that they have become less common in general.
posted by monopas at 1:00 AM on November 24, 2017

There was a previous question about a very similar problem, the answers there might be helpful.
posted by EndsOfInvention at 1:58 AM on November 24, 2017

Status report:
1) Deezil's page is 2 years unupdated. Deezil, we miss you;
2) HP Recovery Manager was missing the recovery part and only gave the advanced options and reset PC;
3) Using Windows 10 instructions in the OS went with a PC Reset which is back to a factory install. Chose the do not keep any data option and just want the OS install. Debated if I should go with a more permanent delete option for data files but OS said choose that option if we were letting go of the machine;
4) Nuked and OS reinstalled from the hard drive;
5) Recreated account for user and did limited install of browsers and some utilities, using either direct site load, e.g. Mozilla, or from Ninite;
6) None of the standard bloatware was loaded on reset, e.g. McAfee;
7) Ran Malwarebytes;
8) Manually, got OS updates to function, this took a few rounds;
9) Will run Avira and then Windows Defender

What next? Am open to doing another wipe and reinstall, just to be sure. Got three antivirals, can they play well with each other?
posted by jadepearl at 4:49 AM on November 24, 2017

Have you tried disabling the trackpad?
posted by EndsOfInvention at 5:12 AM on November 24, 2017

Got three antivirals, can they play well with each other?

No. Uninstall Avira and just use Defender. It's good enough these days. With realtime anti-malware, more is not in general better.

If you want to run something over the machine that isn't Defender when you suspect that something iffy might be going on, Malwarebytes is OK. But you'll want to turn off all its realtime stuff and tell it not to autostart with Windows after scanning with it, or it will try to duplicate Defender's work and just slow you down for no real reason.

The single most effective tool for keeping malware off your machine in 2017 is a decent ad blocker. Make sure every browser you use has uBlock Origin installed.

The next most effective thing you can do is never install free-of-charge but not-open-source stuff that has even the slightest whiff of letting you do something the movie industry thinks should be illegal. Because that's how you get ants.
posted by flabdablet at 5:33 AM on November 24, 2017 [2 favorites]

Debated if I should go with a more permanent delete option for data files but OS said choose that option if we were letting go of the machine

That was the correct call. What you did leaves all the old data sitting on the disk but marks the blocks that contain it as unused, letting the new OS installation overwrite them with new data. The only way to recover any of your old stuff (including the malware that prompted this question) after exercising the option you chose is with a tool like PhotoRec, which bypasses the OS and tries to reassemble whatever fragments of raw photo data it can find while brute-force scanning the whole drive.

The permanent delete option takes approximately forever to run, but actually overwrites every sector on the HD so that PhotoRec will have no left-behind old fragments to find. As the OS documentation hints, this is how you stop your reformatted machine's next owner from exhuming your old porn collection.

If you want to simulate the effect of the permanent delete option after you've already done a reformat and reinstall, you can clear out all the free space (that is, everything that hasn't already had something new written to it as part of the reinstall process) with sdelete.

If you've got a solid state drive rather than a spinny, overwriting all free space protects you against forensic discovery attacks run on the computer itself, but will not protect you completely against attackers capable of taking the SSD apart and reading it at component level; SSDs do internal data rearrangement for wear levelling that means you can never really be sure whether the old data have actually been overwritten or not.
posted by flabdablet at 8:18 AM on November 24, 2017
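As an added illustration of the distinction flabdablet draws above (this is constructed example code, not anything from the thread, from Windows, or from PhotoRec or sdelete), here is a toy block device in Python. A "quick delete" only forgets the file name and marks its blocks free; a signature scan over the raw blocks, which is how carving tools like PhotoRec work in principle, still finds the photo. Zero-filling every block the allocation map calls free, the job sdelete's free-space cleaning does on a real disk, makes the same scan come back empty while the newly installed files stay intact. Block size, block count, the file table and the `PHOTO:` header are all made-up stand-ins.

```python
"""Toy block device + filesystem showing why 'remove my files' leaves data
recoverable and why overwriting free space removes it.

Constructed example for illustration; not real NTFS/Windows code and not the
behaviour of any specific tool.  Carving is modelled as a signature scan over
raw blocks; free-space cleaning is modelled as zero-filling every block that
the allocation map says is free.  The model assumes overwriting a block hits
the same physical storage, which is true for a spinning disk but NOT for an
SSD whose wear-levelling firmware may remap writes elsewhere.
"""
from dataclasses import dataclass, field

BLOCK_SIZE = 16      # bytes per block (toy value)
BLOCK_COUNT = 32     # blocks on the toy disk

# Constructed signature standing in for a real header such as JPEG's FF D8 FF.
PHOTO_MAGIC = b"PHOTO:"


@dataclass
class ToyDisk:
    blocks: bytearray = field(default_factory=lambda: bytearray(BLOCK_SIZE * BLOCK_COUNT))
    in_use: list = field(default_factory=lambda: [False] * BLOCK_COUNT)
    table: dict = field(default_factory=dict)  # file name -> list of block numbers

    def _block(self, n):
        return self.blocks[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

    def write_file(self, name, data):
        """Allocate the first free blocks and write the data, null-padded."""
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = [i for i, used in enumerate(self.in_use) if not used]
        if len(free) < needed:
            raise OSError("disk full")
        chosen = free[:needed]
        for k, n in enumerate(chosen):
            chunk = data[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.blocks[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE] = chunk
            self.in_use[n] = True
        self.table[name] = chosen

    def read_file(self, name):
        """Read through the file table (toy limitation: trailing nulls are dropped)."""
        return bytes(b"".join(self._block(n) for n in self.table[name])).rstrip(b"\x00")

    def quick_delete(self, name):
        """The 'just remove my files' reset: forget the name and mark the
        blocks free, but leave every byte on the disk untouched."""
        for n in self.table.pop(name):
            self.in_use[n] = False

    def wipe_free_space(self):
        """The sdelete-style pass: overwrite every block the allocation map
        calls free.  Allocated blocks (the fresh OS install) are left alone."""
        for n, used in enumerate(self.in_use):
            if not used:
                self.blocks[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE] = b"\x00" * BLOCK_SIZE

    def carve(self, magic=PHOTO_MAGIC):
        """PhotoRec-style recovery: ignore the file table, scan raw blocks for a
        known header and collect contiguous non-empty blocks after it."""
        found = []
        n = 0
        while n < BLOCK_COUNT:
            if self._block(n).startswith(magic):
                data = bytearray()
                while n < BLOCK_COUNT:
                    b = self._block(n)
                    if (data and b.startswith(magic)) or not any(b):
                        break  # next file's header, or an empty block
                    data += b
                    n += 1
                found.append(bytes(data).rstrip(b"\x00"))
            else:
                n += 1
        return found


def demo():
    """Install an 'OS', store a photo, quick-delete it, carve, wipe, carve again."""
    disk = ToyDisk()
    disk.write_file("os.sys", b"X" * 20)                 # survives everything
    photo = PHOTO_MAGIC + b"cat pixels " * 3             # constructed photo data
    disk.write_file("cat.jpg", photo)
    disk.quick_delete("cat.jpg")                         # what the reset did
    recovered_after_delete = disk.carve()                # header still on disk
    disk.wipe_free_space()                               # what sdelete adds
    recovered_after_wipe = disk.carve()                  # nothing left to find
    return {
        "recovered_after_delete": recovered_after_delete,
        "recovered_after_wipe": recovered_after_wipe,
        "os_intact": disk.read_file("os.sys") == b"X" * 20,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The first carve returns the whole photo even though no file name points at it any more; after the free-space wipe it returns nothing, and the "OS" file is unchanged because only unallocated blocks were touched. On a real SSD the last step is exactly where the model breaks down, for the reason given in the answer above.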

Status report:
1) more rounds of OS updates;
2) reset power to balanced and UI to performance. I do not believe she would want to walk away from Cortana;
3) installed uBlock Origin on three browsers;
4) Now using Windows Defender automatically and Malwarebytes as a manual tool, removed Avira suite;
5) set maintenance to automatic at 2am;
6) in regards to ants, the VPN was paid for but it seemed dodgy sounding. Any VPN suggestions for Sydney, Australia? She does nothing weird, really, to warrant the fire of the DMCA, nor has a folder titled “illegal in 50 countries”.
7) how does one get iCloud and gcloud to not do performance hits in windows 10? She uses both extensively but I have not installed.

Things noticed: I had to push for updates, which seemed kind of laggy; uBlock Origin had a heck of a time installing in Edge; no progress bar on maintenance; stripped down her login items to the bare minimum; her system seems slow on start-up, but that could be due to all the updates and changes taking place. I assume a reset off the hard drive partition is safe... I say this since the equipment I would have used for a hard drive extraction was removed, recently, by house thieves.
posted by jadepearl at 6:02 PM on November 24, 2017

Final report for future users:
1) the computer became laggy after I installed the HP Assistant so I could check for all HP updates which, in the end, seemed not relevant. HP Assistant requires installing .NET and another piece of software from HP. However, you will want to go through the tech support site at HP to make sure that there have been NO RECALLS of relevant HP equipment such as the battery and the power cord (I am giving you the hard stare, HP Pavilion);
2) Unable to successfully install MS Windows 10 update 1709 over 1.5 days. I followed online advice and actually lowered the firewall and a bunch of other security measures to no result. I went ahead and wiped the machine AGAIN and reinstalled the OS. Able to use the MS built-in update up to 1703. FINALLY got the 1709 update to install by manually going to the MS website, installing the Update Assistant and downloading the update. DO NOT press the built-in OS update function in Settings when you do this. Only do the 1709 install AFTER you have restarted the machine from the 1703 update, or the OS gets into a bad update loop;
3) Ninite download of browsers and mail client (Thunderbird). Install of uBlock Origin on all browsers;
4) One piece of advice: sort out your passwords and bookmarks situation prior to all the tech work. Unfortunately, an XML file cannot be easily brought into Chrome or Firefox for stored passwords. I spent time voodooing that...
5) Another piece of advice: if the user throws out that they want to go to Linux without knowing what it looks like, restrain the urge to do so.

Thanks for all the tech support on Windows 10. It made me rethink my heretical thoughts on OSX...
posted by jadepearl at 12:56 PM on November 28, 2017

if the user throws out that they want to go to Linux without knowing what it looks like, restrain the urge to do so.

Personally I find that keeping Linux boxes working for the clueless requires less work than keeping Windows boxes working for the clueless. YMMV.
posted by flabdablet at 2:20 PM on November 28, 2017
