my computer is hacked and weird files found on my machine what do i do?

I suggest you scan your computer with tdsskiller.
This is a nasty one that creates an encrypted partition on your windows installation and also install itself in your boot record That allows it to re install itself if you format your windows partition.

Originally posted by Mandrakerealmz
reply to post by XPLodER

 

Format Reinstall windows

Install Linux if your pro and baym No viruses or hacking attempts.

This is a misconception that needs to be addressed. A simple "format" only rearranges files for the installation, it does not securely write over anything. If you want a secure erase, then you have to do a secure erase. I use Ultimate Boot CD for this, it has many tools for most anything you need to service. D-Ban or CopyWipe either one will do a good full erase, I do a 7 time pass myself for an infected HDD, or an older HDD with many files on it. Then do a fresh install.
From your post, OP sounds like someone has your number. Were I you, I would call my provider for a new IP address, and change up a piece of hardware or two for a different MAC address.
I have seen several of the newer virus programs that can live though a format, and can go right through a Windows Firewall. Just a few weeks ago, a lady I worked for had a newer Dell running Vista. She has AVG virus protection on it. The virus went through AVG like it wasn't even there, and created a new Administrator account, disabling her old account. The Dell was using 100% CPU and RAM also. She had tried using the restore CD, which does a "format. When the restore disc was finished, the computer was still hacked. I used G-Parted to look at partitions, the Dell had three of them, one was a FAT 16, which is Windows DOS.
Good luck.

reply to post by autowrench


With those manufacture proprietary restore disks you are not doing a full disk format, they usually only format the boot partition (the partition containing the system) and reinstall windows from another partition on the hard drive. The partition that holds the windows instalation files is usualy a FAT file system so this is not unusual. Its possible that the trojan / virus could relocate itself to one of the other partitions and then reinstall itself once the system has been restored.

There are some nasty programs that can hide in the boot sector but you can kill these with a full format:

“A traditional rootkit installs as a driver, just as when you install any hardware or software,” said Oliver Friedrichs, director of Symantec’s security response team. “Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute.” Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.

The rootkit is effective on Windows XP systems but requires explicit permissions on Vista. It takes advantage of several unpatched vulnerabilities in Windows. One suggestion to solve the problem is to reformat the hard drive and create new partitions.

If you delete all partitions on a hard drive, and then create and format new partitions, a new MBR is created. The old one is gone. I do not know of any malware that will survive this action but there "may" be some out there that can.

formating with DBAN is always a good option but it is overkill in most cases.

I think thats good advice to request a new IP to be on the safe side

reply to post by autowrench


Fine then. Install Linux on USB Stick.

Destroy HDD with corruption tools to flip the bits a couple trillion times.


Format reinstall

Originally posted by brainswippin
I suggest you scan your computer with tdsskiller.
This is a nasty one that creates an encrypted partition on your windows installation and also install itself in your boot record That allows it to re install itself if you format your windows partition.

first let me thank everybody for the help
in the last few days i have been trying to "fight" of a root kit that absolutely amazed me with its complex nature,
after a reinstall it has reinfected my machine, while i was in the process of updating my OS,
i lost control of the ability to stop processes and at times certain web sights were inacesable,
other times ie9 opened up and stayed blank while data was sent and received from my machine,
i installed a network monertering tool and traced the flow to an exterior sight.

i then tryed to fdisk and reinstall and just as i got everything up again i was root kitted again
this really mad me mad.
how the hell did that happen?

well i have traced the source of the infenction to a directed attack,
and have reported the ARP poisen cash to the police,
they were uninterested,
my isp asked for logs and data to attempt to block this attack at a national level
then i discovered "whowas" the owner of the servers that were attacking me,
turns out it was a pair of machines at different sights owned by a single company,

as i have given the details to the authorities i cant publish them here,

i can say after battling with this kit i NEVER want to get infected on this level ever again.

i had to remove my hard drive and slave it to a machine for a destructive format process with many many passes,
i was worried about reinfection.

at times i could have sworn that there was a remote user watching me and preventing me from working to adress the problem.

some antivirus sights were blocked and files i downloaded disapaired after a short while.

the websight is still currently attacking my network, but as the ISP is now monitering for this attack i feel confident they will decide to stop.

i would like to thank everybody for their help
and will post updates when available

xploder

reply to post by autowrench


in my country we have a random ip system where if you disconect power from adsl the IP will be given to someone else, and a new adress supplied when reconnection occours
in this way i can swap IP adresses many times a day,

problem was the "trusted sight" was used by members on my network,
and like a becon everytime they logged on the attacks resumed.

xploder

Originally posted by nineix

I worked information systems for well over a decade, and not once, have I EVER absolutely HAD to format/wipe a system due to compromise.

For the sake of economy in time, I've wiped, but, if you want to take the time, and would rather not wipe your system, there really is not excuse or reason to wipe your system.

Wiping a system is unnecessary.

If a computer is suspected of being infected with a virus, only a fool would still trust it.

Expensive security software is a monopoly, you don't need to pay for security suites to protect a computer, there are thousands of IDS/NDS packages all of which are open source and entirely free to use and modify. Even the most dumb-founded user can ignore common sense entirely if given a secure operating system with arguable security put into place. They will never receive a virus or some form of backdoor, with the exception of social engineering if this is done beforehand.

Part of the problem is with windows and it's userbase being persuaded by anti-virus firms that throw software packages at them with the "100% protection from malware" motto's. It's a misconception because half the time these programs are unable to even remove a virus because it's not aware the host machine has been compromised.

It's like putting a security guard in front of your house and leaving the back door unlocked. When you get home from your day and you ask the security guard if anyone tried to break in he says "no", yet the backdoor is open and all your belongings have been moved around and replaced.

There's no such thing as 100% security. There is every reason to wipe a computer if it's suspected of being compromised because the root of the problem is still there, you can't be sure if everything is as it should be, if one were to trust a message box stating "your computer is clean" they would be a fool.

Originally posted by XPLodER
reply to post by autowrench

 

in my country we have a random ip system where if you disconect power from adsl the IP will be given to someone else, and a new adress supplied when reconnection occours
in this way i can swap IP adresses many times a day,

problem was the "trusted sight" was used by members on my network,
and like a becon everytime they logged on the attacks resumed.

xploder

If you think dynamic address allocation will protect you from an attacker being able to connect to your computer, think again.

Almost all form's of malware toolkits when installed on a host will perform reverse connections to the attacker or command and control server. It's what one would call a "phone-home" connection. In the case where most home connections rely on dynamic ip allocation from their ISP, a piece of malware is most usually hard-coded with a server address or ip address so that it can always connect back to the attacker.

Changing an ip address will do absolutely nothing to protect you if your computer has been compromised. In the event a computer is compromised... unplug it from the network and don't reconnect it until the OS has been reinstalled to guarantee the malware has been removed.

reply to post by InsideYourMind


it was due to the reverse conection that i found the infected machine,
it was sending out covert packets of data that i couldnt stop, straight through the software firewall and through the hard ware firewall.

i have asked the ISP to moniter my connection and log all traffic,
after the secondary infection on the first machine was taken care of,
another machine then started showing signs of infection,
what ever it was jumped to other machines on the netwrok,

this is costing alot of time and inconvienence,

im now trying to destruct the drive with a multipass tool,

i found an encrypted partition on the second machine that i couldnt access or delete,

i am hoping no more machines come down with the same but at this point i feel it nessacery to rebuild all of them
this is a nightmare,

i will be changing hardware to provide more protection,
but the costs are huge.

be aware this encrypted partition seems to defend itself,
i know that sounds silly but i have tryed many different approaches and destrutive wipe is the only option to prevent reinfection.

i hope no one else has to deal with this infection, it has caused alot of damage and none of the usual detection and removal tools could remove it.

i have sent logs and data to my security provider and isp

ill report back after a network sweep
wish me luck

xploder

reply to post by XPLodER


If you have reinstalled your OS (reformat etc) and the rootkit is still present after a fresh install... It's not unheard of.

Few possible scenario's i can think of:
#1 Pirated/Warez version of a windows install disc contains a rootkit. (unlikely, as it would be obvious to you if this were the case).

#2 You have a boot sector virus. As far as i recall when you reinstall windows it doesn't overwrite the boot sector if a windows loader already exists in the first few sectors of your drive, you will have to completely wipe the disc to be sure (or rather, wipe the boot sector).

#3 The very might well have a bios infection, it's quite rare but possible, there was a rootkit going around a few months back that was found by some security companies. One thing to try is to open the side of your pc, unplug the CMOS battery from the board for a few seconds and place it back in. You could try reinstalling windows again and hope that's solved it.

#4 Reflash your bios, although this might be a problem because most bios vendors only supply a windows executable for this (sad as it is). If you're lucky your bios vendor will issue a bootable cd for reinstalling/updating the bios.

The only other thing i can think of, have a read through this paragraph: en.wikipedia.org...
It sounds like this is what you are getting as you say its able to survive a reinstall/reformat.

Think, have you bought any new hardware lately? Another possiblity is that you could have (for example) bought a printer or bluetooth dongle that contains dodgy firmware packed with windows exploits.

I know this isn't for everyone, but you could think about trying a linux variant on your desktop. Most malware/rootkits (if not, all of them) obtained through windows cannot infect or run under a linux host. Just a suggestion, but have you tried downloading and installing a linux distro?

Easy to use example: www.linuxmint.com...

It may be worth using for the meantime before you can fix your computer. I wouldn't reccomend browsing the web (let alone connecting to a network) a rootkitted computer.

reply to post by InsideYourMind


i have been locked out of the bios by both machines,
i used a tool to override the lockout and reflashed the bios
this worked one machine but not the other,

it replyes with rom unable to access due to lack of authority

very weird,
also the bios password has changed
also very weird

every time i get close to beating this something else pops up to make my day hell.

i will dismantle the machine (laptop) and remove the bios battery for a hour to see if that works,

thanks for the idea i was really scratching my head on how to get into the bios without sending to OEM repairer

ill report back the results shortly.

good news is now the bnetwork is clean and the other machines are icolated from the infected machines
hopefully means less chance of reinfection.

i have thrown away about three usb keys that are now suspected of reintroducing threats,
end users suck huh lol

installed a usb blocker in the short term to prevent anyone else spreading this,

as of now im upto 5 days on this, with very litttle sleep,
have advised all to contact banks and credit cards as well as logons ect.

wish me luck with the laptop as i will have to disasemble to remove cmos batt and bios battrey

will report back

ps thanks

xp

reply to post by InsideYourMind


on the second machine,

i am really worried now,
boot sector files were corrupted,
MBR corrupt,
BOOTMGR GONE
cmos reset done windows wont boot,
and this is after a complete reinstall

i will down load the os you suggested and attempted to boot off removable media,

it would seem like everything on the second machine that could go wrong has

lol

i need a beer and a tissue lol

xp


wish me luck this is getting very bad very fast

xploder

reply to post by InsideYourMind


ok just realised it requires an iso dvd burn
lol

i will attempt to burn disc and report back
ps have you ever used this os?

xp

Originally posted by XPLodER
reply to post by InsideYourMind

 

ok just realised it requires an iso dvd burn
lol

i will attempt to burn disc and report back
ps have you ever used this os?

xp

Yes in the past, its probably the most user friendly linux variant available, there isn't much of a learning curve as almost every task can be done with clicking a mouse just like windows. You don't have to install it to use it though. You can access almost anything you need just from booting off the cd (firefox, flash, java, email, etc). However it will obviously be slower running off the cd (as opposed to installing it to the harddrive) due to everything being read into ram.

Live CD's (bootable linux distro's) are actually something beneficial to hold onto when problems like what you are getting might happen, even if you don't plan on using Linux day-to-day it's still handy as you can simply throw in the CD and browse the web for a solution to malware/rootkits without being plundered by the malware on your infected windows.

The bootkit/rootkit in your bios (if that is what is really going on...) is probably designed to hook into the windows kernel and probably won't do anything when booting up linux.

I think your best bet, is to find a computer repair store or whatever and tell them about your problem (don't get ripped off if you do though, many places will over charge extremely even for the most simple solution).

reply to post by InsideYourMind

i must admit that this new os is easy to use, thank you,
and it runs rings around bartpe
i cant get it to run from thr hard drive because of the boot manager problems,
but for the moment i can at least use the machine,
as it is an older machine i think replacement wont be a problem,
but as i am enjoying exploring the new OS and it runs very well i think i will use it as a crash and burn machine
i would like to thank you for your help

what is the best anti virus/antispyware to use with this os?
and what is required to run off a thumb drive?

xploder

reply to post by XPLodER


You shouldn't need an anti-virus for the linux install itself. All you really need is a firewall, linux mint comes with one enabled. You can get anti-virus software which runs on linux, although it is only really useful for scanning files from a windows machine, for example most people running linux only bother to run an antivirus if they send alot of emails to windows users to make sure they aren't acting as a carrier when sending email:
www.makeuseof.com...

You can install it onto a bootable usb drive this way:
www.howtoforge.com...

reply to post by InsideYourMind


have you ever seen a cmos battery soildered onto the board,
ie it cant be removed?

the other thing is i was looking at the board and found some unusual things,
in the board identifyer a board number that doesnt match listed manufacturer numbers,

also in the functions stamp there is a series of features enabled,
on of the stamps is KILL,

do you know if some manufacturers have hardware kill switches onboard?


the 9x9 descriptor states all the functions of the model i have as well as KILL
i am very curious to know how many manufacturers use hard ware kill on main board?

or am i miss identifying what KILL means on the stamp?

xp

even though linux/os x and other *nix variants themselves may be very hard to get viruses/nasty stuff onto its always good to have some sort of upto date anti virus on the machine so you dont pass it on by accident while forwarding some email from a friend with a compromised machine

Here is the solution to your problems. You won't reget it.