I suggest you scan your computer with tdsskiller.
This is a nasty one that creates an encrypted partition on your windows installation and also install itself in your boot record That allows it to re
install itself if you format your windows partition.
my computer is hacked and weird files found on my machine what do i do?, page 3
reply posted on 29-2-2012 @ 09:48 AM by autowrench
Originally posted by Mandrakerealmz
reply to post by XPLodER
Format Reinstall windows
Install Linux if your pro and baym No viruses or hacking attempts.
This is a misconception that needs to be addressed. A simple "format" only rearranges files for the installation, it does not securely write over anything. If you want a secure erase, then you have to do a secure erase. I use Ultimate Boot CD for this, it has many tools for most anything you need to service. D-Ban or CopyWipe either one will do a good full erase, I do a 7 time pass myself for an infected HDD, or an older HDD with many files on it. Then do a fresh install.
From your post, OP sounds like someone has your number. Were I you, I would call my provider for a new IP address, and change up a piece of hardware or two for a different MAC address.
I have seen several of the newer virus programs that can live though a format, and can go right through a Windows Firewall. Just a few weeks ago, a lady I worked for had a newer Dell running Vista. She has AVG virus protection on it. The virus went through AVG like it wasn't even there, and created a new Administrator account, disabling her old account. The Dell was using 100% CPU and RAM also. She had tried using the restore CD, which does a "format. When the restore disc was finished, the computer was still hacked. I used G-Parted to look at partitions, the Dell had three of them, one was a FAT 16, which is Windows DOS.
Good luck.
reply posted on 29-2-2012 @ 02:52 PM by PhoenixOD
reply to post by autowrench
With those manufacture proprietary restore disks you are not doing a full disk format, they usually only format the boot partition (the partition containing the system) and reinstall windows from another partition on the hard drive. The partition that holds the windows instalation files is usualy a FAT file system so this is not unusual. Its possible that the trojan / virus could relocate itself to one of the other partitions and then reinstall itself once the system has been restored.
There are some nasty programs that can hide in the boot sector but you can kill these with a full format:
formating with DBAN is always a good option but it is overkill in most cases.
I think thats good advice to request a new IP to be on the safe side
With those manufacture proprietary restore disks you are not doing a full disk format, they usually only format the boot partition (the partition containing the system) and reinstall windows from another partition on the hard drive. The partition that holds the windows instalation files is usualy a FAT file system so this is not unusual. Its possible that the trojan / virus could relocate itself to one of the other partitions and then reinstall itself once the system has been restored.
There are some nasty programs that can hide in the boot sector but you can kill these with a full format:
“A traditional rootkit installs as a driver, just as when you install any hardware or software,” said Oliver Friedrichs, director of Symantec’s security response team. “Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute.” Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.
The rootkit is effective on Windows XP systems but requires explicit permissions on Vista. It takes advantage of several unpatched vulnerabilities in Windows. One suggestion to solve the problem is to reformat the hard drive and create new partitions.
If you delete all partitions on a hard drive, and then create and format new partitions, a new MBR is created. The old one is gone. I do not know of any malware that will survive this action but there "may" be some out there that can.
formating with DBAN is always a good option but it is overkill in most cases.
I think thats good advice to request a new IP to be on the safe side
edit on 29-2-2012 by PhoenixOD because: (no reason given)
reply posted on 29-2-2012 @ 08:16 PM by Mandrakerealmz
reply to post by autowrench
Fine then. Install Linux on USB Stick.
Destroy HDD with corruption tools to flip the bits a couple trillion times.
Format reinstall
Fine then. Install Linux on USB Stick.
Destroy HDD with corruption tools to flip the bits a couple trillion times.
Format reinstall
edit on 29-2-2012 by Mandrakerealmz because: (no reason given)
reply posted on 2-3-2012 @ 12:22 AM by XPLodER
Originally posted by brainswippin
I suggest you scan your computer with tdsskiller.
This is a nasty one that creates an encrypted partition on your windows installation and also install itself in your boot record That allows it to re install itself if you format your windows partition.
first let me thank everybody for the help
in the last few days i have been trying to "fight" of a root kit that absolutely amazed me with its complex nature,
after a reinstall it has reinfected my machine, while i was in the process of updating my OS,
i lost control of the ability to stop processes and at times certain web sights were inacesable,
other times ie9 opened up and stayed blank while data was sent and received from my machine,
i installed a network monertering tool and traced the flow to an exterior sight.
i then tryed to fdisk and reinstall and just as i got everything up again i was root kitted again
this really mad me mad.
how the hell did that happen?
well i have traced the source of the infenction to a directed attack,
and have reported the ARP poisen cash to the police,
they were uninterested,
my isp asked for logs and data to attempt to block this attack at a national level
then i discovered "whowas" the owner of the servers that were attacking me,
turns out it was a pair of machines at different sights owned by a single company,
as i have given the details to the authorities i cant publish them here,
i can say after battling with this kit i NEVER want to get infected on this level ever again.
i had to remove my hard drive and slave it to a machine for a destructive format process with many many passes,
i was worried about reinfection.
at times i could have sworn that there was a remote user watching me and preventing me from working to adress the problem.
some antivirus sights were blocked and files i downloaded disapaired after a short while.
the websight is still currently attacking my network, but as the ISP is now monitering for this attack i feel confident they will decide to stop.
i would like to thank everybody for their help
and will post updates when available
xploder
reply posted on 2-3-2012 @ 12:33 AM by XPLodER
reply to post by autowrench
in my country we have a random ip system where if you disconect power from adsl the IP will be given to someone else, and a new adress supplied when reconnection occours
in this way i can swap IP adresses many times a day,
problem was the "trusted sight" was used by members on my network,
and like a becon everytime they logged on the attacks resumed.
xploder
in my country we have a random ip system where if you disconect power from adsl the IP will be given to someone else, and a new adress supplied when reconnection occours
in this way i can swap IP adresses many times a day,
problem was the "trusted sight" was used by members on my network,
and like a becon everytime they logged on the attacks resumed.
xploder
reply posted on 3-3-2012 @ 08:51 AM by InsideYourMind
Originally posted by XPLodER
reply to post by autowrench
in my country we have a random ip system where if you disconect power from adsl the IP will be given to someone else, and a new adress supplied when reconnection occours
in this way i can swap IP adresses many times a day,
problem was the "trusted sight" was used by members on my network,
and like a becon everytime they logged on the attacks resumed.
xploder
If you think dynamic address allocation will protect you from an attacker being able to connect to your computer, think again.
Almost all form's of malware toolkits when installed on a host will perform reverse connections to the attacker or command and control server. It's what one would call a "phone-home" connection. In the case where most home connections rely on dynamic ip allocation from their ISP, a piece of malware is most usually hard-coded with a server address or ip address so that it can always connect back to the attacker.
Changing an ip address will do absolutely nothing to protect you if your computer has been compromised. In the event a computer is compromised... unplug it from the network and don't reconnect it until the OS has been reinstalled to guarantee the malware has been removed.
reply posted on 3-3-2012 @ 03:12 PM by XPLodER
reply to post by InsideYourMind
it was due to the reverse conection that i found the infected machine,
it was sending out covert packets of data that i couldnt stop, straight through the software firewall and through the hard ware firewall.
i have asked the ISP to moniter my connection and log all traffic,
after the secondary infection on the first machine was taken care of,
another machine then started showing signs of infection,
what ever it was jumped to other machines on the netwrok,
this is costing alot of time and inconvienence,
im now trying to destruct the drive with a multipass tool,
i found an encrypted partition on the second machine that i couldnt access or delete,
i am hoping no more machines come down with the same but at this point i feel it nessacery to rebuild all of them
this is a nightmare,
i will be changing hardware to provide more protection,
but the costs are huge.
be aware this encrypted partition seems to defend itself,
i know that sounds silly but i have tryed many different approaches and destrutive wipe is the only option to prevent reinfection.
i hope no one else has to deal with this infection, it has caused alot of damage and none of the usual detection and removal tools could remove it.
i have sent logs and data to my security provider and isp
ill report back after a network sweep
wish me luck
xploder
it was due to the reverse conection that i found the infected machine,
it was sending out covert packets of data that i couldnt stop, straight through the software firewall and through the hard ware firewall.
i have asked the ISP to moniter my connection and log all traffic,
after the secondary infection on the first machine was taken care of,
another machine then started showing signs of infection,
what ever it was jumped to other machines on the netwrok,
this is costing alot of time and inconvienence,
im now trying to destruct the drive with a multipass tool,
i found an encrypted partition on the second machine that i couldnt access or delete,
i am hoping no more machines come down with the same but at this point i feel it nessacery to rebuild all of them
this is a nightmare,
i will be changing hardware to provide more protection,
but the costs are huge.
be aware this encrypted partition seems to defend itself,
i know that sounds silly but i have tryed many different approaches and destrutive wipe is the only option to prevent reinfection.
i hope no one else has to deal with this infection, it has caused alot of damage and none of the usual detection and removal tools could remove it.
i have sent logs and data to my security provider and isp
ill report back after a network sweep
wish me luck
xploder
reply posted on 3-3-2012 @ 04:18 PM by InsideYourMind
reply to post by XPLodER
If you have reinstalled your OS (reformat etc) and the rootkit is still present after a fresh install... It's not unheard of.
Few possible scenario's i can think of:
#1 Pirated/Warez version of a windows install disc contains a rootkit. (unlikely, as it would be obvious to you if this were the case).
#2 You have a boot sector virus. As far as i recall when you reinstall windows it doesn't overwrite the boot sector if a windows loader already exists in the first few sectors of your drive, you will have to completely wipe the disc to be sure (or rather, wipe the boot sector).
#3 The very might well have a bios infection, it's quite rare but possible, there was a rootkit going around a few months back that was found by some security companies. One thing to try is to open the side of your pc, unplug the CMOS battery from the board for a few seconds and place it back in. You could try reinstalling windows again and hope that's solved it.
#4 Reflash your bios, although this might be a problem because most bios vendors only supply a windows executable for this (sad as it is). If you're lucky your bios vendor will issue a bootable cd for reinstalling/updating the bios.
The only other thing i can think of, have a read through this paragraph: en.wikipedia.org...
It sounds like this is what you are getting as you say its able to survive a reinstall/reformat.
Think, have you bought any new hardware lately? Another possiblity is that you could have (for example) bought a printer or bluetooth d ongle that contains dodgy firmware packed with windows exploits.
I know this isn't for everyone, but you could think about trying a linux variant on your desktop. Most malware/rootkits (if not, all of them) obtained through windows cannot infect or run under a linux host. Just a suggestion, but have you tried downloading and installing a linux distro?
Easy to use example: www.linuxmint.com...
It may be worth using for the meantime before you can fix your computer. I wouldn't reccomend browsing the web (let alone connecting to a network) a rootkitted computer.
If you have reinstalled your OS (reformat etc) and the rootkit is still present after a fresh install... It's not unheard of.
Few possible scenario's i can think of:
#1 Pirated/Warez version of a windows install disc contains a rootkit. (unlikely, as it would be obvious to you if this were the case).
#2 You have a boot sector virus. As far as i recall when you reinstall windows it doesn't overwrite the boot sector if a windows loader already exists in the first few sectors of your drive, you will have to completely wipe the disc to be sure (or rather, wipe the boot sector).
#3 The very might well have a bios infection, it's quite rare but possible, there was a rootkit going around a few months back that was found by some security companies. One thing to try is to open the side of your pc, unplug the CMOS battery from the board for a few seconds and place it back in. You could try reinstalling windows again and hope that's solved it.
#4 Reflash your bios, although this might be a problem because most bios vendors only supply a windows executable for this (sad as it is). If you're lucky your bios vendor will issue a bootable cd for reinstalling/updating the bios.
The only other thing i can think of, have a read through this paragraph: en.wikipedia.org...
It sounds like this is what you are getting as you say its able to survive a reinstall/reformat.
Think, have you bought any new hardware lately? Another possiblity is that you could have (for example) bought a printer or bluetooth d ongle that contains dodgy firmware packed with windows exploits.
I know this isn't for everyone, but you could think about trying a linux variant on your desktop. Most malware/rootkits (if not, all of them) obtained through windows cannot infect or run under a linux host. Just a suggestion, but have you tried downloading and installing a linux distro?
Easy to use example: www.linuxmint.com...
It may be worth using for the meantime before you can fix your computer. I wouldn't reccomend browsing the web (let alone connecting to a network) a rootkitted computer.
reply posted on 3-3-2012 @ 04:59 PM by XPLodER
reply to post by InsideYourMind
i have been locked out of the bios by both machines,
i used a tool to override the lockout and reflashed the bios
this worked one machine but not the other,
it replyes with rom unable to access due to lack of authority
very weird,
also the bios password has changed
also very weird
every time i get close to beating this something else pops up to make my day hell.
i will dismantle the machine (laptop) and remove the bios battery for a hour to see if that works,
thanks for the idea i was really scratching my head on how to get into the bios without sending to OEM repairer
ill report back the results shortly.
good news is now the bnetwork is clean and the other machines are icolated from the infected machines
hopefully means less chance of reinfection.
i have thrown away about three usb keys that are now suspected of reintroducing threats,
end users suck huh lol
installed a usb blocker in the short term to prevent anyone else spreading this,
as of now im upto 5 days on this, with very litttle sleep,
have advised all to contact banks and credit cards as well as logons ect.
wish me luck with the laptop as i will have to disasemble to remove cmos batt and bios battrey
will report back
ps thanks
xp
i have been locked out of the bios by both machines,
i used a tool to override the lockout and reflashed the bios
this worked one machine but not the other,
it replyes with rom unable to access due to lack of authority
very weird,
also the bios password has changed
also very weird
every time i get close to beating this something else pops up to make my day hell.
i will dismantle the machine (laptop) and remove the bios battery for a hour to see if that works,
thanks for the idea i was really scratching my head on how to get into the bios without sending to OEM repairer
ill report back the results shortly.
good news is now the bnetwork is clean and the other machines are icolated from the infected machines
hopefully means less chance of reinfection.
i have thrown away about three usb keys that are now suspected of reintroducing threats,
end users suck huh lol
installed a usb blocker in the short term to prevent anyone else spreading this,
as of now im upto 5 days on this, with very litttle sleep,
have advised all to contact banks and credit cards as well as logons ect.
wish me luck with the laptop as i will have to disasemble to remove cmos batt and bios battrey
will report back
ps thanks
xp
reply posted on 3-3-2012 @ 06:33 PM by XPLodER
reply to post by InsideYourMind
on the second machine,
i am really worried now,
boot sector files were corrupted,
MBR corrupt,
BOOTMGR GONE
cmos reset done windows wont boot,
and this is after a complete reinstall
i will down load the os you suggested and attempted to boot off removable media,
it would seem like everything on the second machine that could go wrong has
lol
i need a beer and a tissue lol
xp
wish me luck this is getting very bad very fast
xploder
on the second machine,
i am really worried now,
boot sector files were corrupted,
MBR corrupt,
BOOTMGR GONE
cmos reset done windows wont boot,
and this is after a complete reinstall
i will down load the os you suggested and attempted to boot off removable media,
it would seem like everything on the second machine that could go wrong has
lol
i need a beer and a tissue lol
xp
wish me luck this is getting very bad very fast
xploder
reply posted on 3-3-2012 @ 06:56 PM by XPLodER
reply to post by InsideYourMind
ok just realised it requires an iso dvd burn
lol
i will attempt to burn disc and report back
ps have you ever used this os?
xp
ok just realised it requires an iso dvd burn
lol
i will attempt to burn disc and report back
ps have you ever used this os?
xp
reply posted on 3-3-2012 @ 07:12 PM by InsideYourMind
Originally posted by XPLodER
reply to post by InsideYourMind
ok just realised it requires an iso dvd burn
lol
i will attempt to burn disc and report back
ps have you ever used this os?
xp
Yes in the past, its probably the most user friendly linux variant available, there isn't much of a learning curve as almost every task can be done with clicking a mouse just like windows. You don't have to install it to use it though. You can access almost anything you need just from booting off the cd (firefox, flash, java, email, etc). However it will obviously be slower running off the cd (as opposed to installing it to the harddrive) due to everything being read into ram.
Live CD's (bootable linux distro's) are actually something beneficial to hold onto when problems like what you are getting might happen, even if you don't plan on using Linux day-to-day it's still handy as you can simply throw in the CD and browse the web for a solution to malware/rootkits without being plundered by the malware on your infected windows.
The bootkit/rootkit in your bios (if that is what is really going on...) is probably designed to hook into the windows kernel and probably won't do anything when booting up linux.
I think your best bet, is to find a computer repair store or whatever and tell them about your problem (don't get ripped off if you do though, many places will over charge extremely even for the most simple solution).
reply posted on 3-3-2012 @ 11:50 PM by XPLodER
reply to post by InsideYourMind
i must admit that this new os is easy to use, thank you,
and it runs rings around bartpe
i cant get it to run from thr hard drive because of the boot manager problems,
but for the moment i can at least use the machine,
as it is an older machine i think replacement wont be a problem,
but as i am enjoying exploring the new OS and it runs very well i think i will use it as a crash and burn machine
i would like to thank you for your help
what is the best anti virus/antispyware to use with this os?
and what is required to run off a thumb drive?
xploder
i must admit that this new os is easy to use, thank you,
and it runs rings around bartpe
i cant get it to run from thr hard drive because of the boot manager problems,
but for the moment i can at least use the machine,
as it is an older machine i think replacement wont be a problem,
but as i am enjoying exploring the new OS and it runs very well i think i will use it as a crash and burn machine
i would like to thank you for your help
what is the best anti virus/antispyware to use with this os?
and what is required to run off a thumb drive?
xploder
reply posted on 4-3-2012 @ 02:09 PM by InsideYourMind
reply to post by XPLodER
You shouldn't need an anti-virus for the linux install itself. All you really need is a firewall, linux mint comes with one enabled. You can get anti-virus software which runs on linux, although it is only really useful for scanning files from a windows machine, for example most people running linux only bother to run an antivirus if they send alot of emails to windows users to make sure they aren't acting as a carrier when sending email:
www.makeuseof.com...
You can install it onto a bootable usb drive this way:
www.howtoforge.com...
You shouldn't need an anti-virus for the linux install itself. All you really need is a firewall, linux mint comes with one enabled. You can get anti-virus software which runs on linux, although it is only really useful for scanning files from a windows machine, for example most people running linux only bother to run an antivirus if they send alot of emails to windows users to make sure they aren't acting as a carrier when sending email:
www.makeuseof.com...
You can install it onto a bootable usb drive this way:
www.howtoforge.com...
reply posted on 4-3-2012 @ 07:04 PM by XPLodER
reply to post by InsideYourMind
have you ever seen a cmos battery soildered onto the board,
ie it cant be removed?
the other thing is i was looking at the board and found some unusual things,
in the board identifyer a board number that doesnt match listed manufacturer numbers,
also in the functions stamp there is a series of features enabled,
on of the stamps is KILL,
do you know if some manufacturers have hardware kill switches onboard?
the 9x9 descriptor states all the functions of the model i have as well as KILL
i am very curious to know how many manufacturers use hard ware kill on main board?
or am i miss identifying what KILL means on the stamp?
xp
have you ever seen a cmos battery soildered onto the board,
ie it cant be removed?
the other thing is i was looking at the board and found some unusual things,
in the board identifyer a board number that doesnt match listed manufacturer numbers,
also in the functions stamp there is a series of features enabled,
on of the stamps is KILL,
do you know if some manufacturers have hardware kill switches onboard?
the 9x9 descriptor states all the functions of the model i have as well as KILL
i am very curious to know how many manufacturers use hard ware kill on main board?
or am i miss identifying what KILL means on the stamp?
xp
edit on 4-3-2012 by XPLodER because: (no reason given)
How Does a Friend of Mine get Rid Of http://isearch.claro-search.com from his PC......?
Posted 14 days ago with 2 member flags
Posted 14 days ago with 2 member flags
Newest topics, updated in real-time:
16 year old girl makes bio-fuel from algae in her parent's garage with no chemicals!
Other Current Events: 3 minutes ago
Other Current Events: 3 minutes ago
Newest topics getting flags, in real-time:
Journalist Michael Hastings dies in L.A. car crash (Single car crash??)
Breaking Political News: 16 hours ago, 36 flags
Breaking Political News: 16 hours ago, 36 flags
The NSA is in so much trouble...and here is an example of how.
General Conspiracies: 14 hours ago, 22 flags
General Conspiracies: 14 hours ago, 22 flags
Pics from The Akron Zoo - Honest Feedback? Like them or not and why?
Member Art: 6 hours ago, 12 flags
Member Art: 6 hours ago, 12 flags
Cummings: Full IRS interview shows White House didn’t direct tea party targeting
Breaking Political News: 17 hours ago, 10 flags
Breaking Political News: 17 hours ago, 10 flags
ObamaCare Rule: HHS, IRS Can Share Private Health Information
US Political Madness: 6 hours ago, 9 flags
US Political Madness: 6 hours ago, 9 flags
Newest topics getting replies, in real-time:
Journalist Michael Hastings dies in L.A. car crash (Single car crash??)
Breaking Political News: 16 hours ago, 98 replies
Breaking Political News: 16 hours ago, 98 replies
Cummings: Full IRS interview shows White House didn’t direct tea party targeting
Breaking Political News: 17 hours ago, 47 replies
Breaking Political News: 17 hours ago, 47 replies
NYC Council - Stupid Bill Forbidding Cops from Describing Suspects
Other Current Events: 7 hours ago, 20 replies
Other Current Events: 7 hours ago, 20 replies
The Above Top Secret Web sites are a
wholly owned social content community of
The Above Network, LLC.
This content community relies on
user-generated content from our member contributors.
The opinions of our members are not those of site ownership
who maintains strict editorial agnosticism and simply provides
a collaborative venue for free expression.
ATS Server: www3.theabovenetwork.com
Header data: 0.002 seconds
Page processed in: 0.308 seconds
wholly owned social content community of
The Above Network, LLC.
This content community relies on
user-generated content from our member contributors.
The opinions of our members are not those of site ownership
who maintains strict editorial agnosticism and simply provides
a collaborative venue for free expression.
ATS Server: www3.theabovenetwork.com
Header data: 0.002 seconds
Page processed in: 0.308 seconds
