UPSB v4

Off-topic / My computer has been seized by Russians

  1. XYZaki
    Date: Mon, Oct 3 2011 03:35:47

    So since the onset of this summer, I started seeing these gibberish.exe files running in my task man. I actually first noticed because apparently whatever scareware-type message that you'd expect a virus to display wasn't compatible with W7, so I'd get this message all the time:

    After some random shutoffs I finally got fed up and removed it with the most effective method I know of, reformatting. Though after several reformats, this bitch has come back: gibberish.exes in task man, Interactive Services Detection, Windows Security Center disabled, and the ability to see hidden folders disabled in the Folder Options context menu. Since you'd have to have more than your normal trojan to survive an fdisk AND a GParted format, I figured some sort of utility that I was using after I installed Windows was causing this outbreak... maybe the Windows 7 Loader or the uxtheme patcher... But after reformatting and using several different trusted utilities, I've been able to deduce that wasn't the cause.

    So after a while I just let the trojan chill on my computer. I've been too busy to give a damn, I just let whatever dfhbt3y.exe and VRT_____.tmp chill, until 2 days ago, when I logged in and saw this message:

    These guys are srsly after me or something. (Btw, extorting someone for a penalty by means of a virus is pretty damn smart.) So I formatted again and, within a day, the gibberish.exes came back and I'm now getting the same message again when I log in. If it helps, it seems that as soon as I activate, the gibberish.exes are in my Task Manager. Oh, and none of the other computers on my network are affected by this, so I really don't know what it could be. I don't think I'm in a botnet because I don't have like hundreds of connections when I check netstat. Someone please help get these damn Russkies off of me.

  2. King
    Date: Mon, Oct 3 2011 03:40:16

    Scramble your mac address and change your router ip o.o

  3. gyrobius
    Date: Mon, Oct 3 2011 03:41:51

    Um...

  4. Vassenato
    Date: Mon, Oct 3 2011 03:50:05

    not sure if troll.

  5. PREDATORNET
    Date: Mon, Oct 3 2011 03:57:55

    Bring it to your nearest BestBuy or some sort of store with a tech crew, they'll probably know what to do.

  6. UEDan
    Date: Mon, Oct 3 2011 04:05:13

    I'll fix it for $40, if you pick it up/drop it off.

  7. Pen Ninja
    Date: Mon, Oct 3 2011 06:56:08

    You should probably SMS with the text RRR810 262191899 on number 97605 for an unblocking of your computer

  8. Zleepy
    Date: Mon, Oct 3 2011 08:11:41

    change ip?

  9. Froggy
    Date: Mon, Oct 3 2011 10:04:06

    ask imatt? Frog~

  10. Explosion101
    Date: Mon, Oct 3 2011 11:32:53

    @strat1227

  11. shoeman6
    Date: Mon, Oct 3 2011 11:48:19

    Um.... did you try reformatting and NOT connecting to the internet? Try installing linux on there, that'll throw em. Otherwise it's something you're installing every time that's infected.

  12. ChainBreak
    Date: Mon, Oct 3 2011 12:41:44

    I agree with shoeman. Get Linux and say goodbye to virus-infected Windows OS. Linux is faster anyways =3

  13. neXus
    Date: Mon, Oct 3 2011 14:45:58

    Try a different Windows installation than the one you previously used. Like re-download 7 off the internet from a different source than you did last time, because it seems that this comes pre-disposed with your Windows installation if it comes up again after formatting.

  14. juggalo666666
    Date: Mon, Oct 3 2011 14:50:58

    Agreed, change IP Re-image your computer change processor,and look up their IP then.....REVENGE!!!

  15. sangara
    Date: Mon, Oct 3 2011 14:52:30

    Okay

  16. Wisp
    Date: Mon, Oct 3 2011 17:12:07

    delete your system 32 folder, this hosts all external data. That should do the trick.

  17. zweebna
    Date: Mon, Oct 3 2011 20:22:22

    Wisp wrote: delete your system 32 folder, this hosts all external data. That should do the trick.
    Why would you even bother with this? He obviously knows enough about computers not to do it... 0/10

  18. SJ
    Date: Mon, Oct 3 2011 20:34:43

    Not to be a jackass, but I find this quite hilarious... lol sorry, I can't help :\

  19. NoRice4U
    Date: Tue, Oct 4 2011 00:58:40

    Why would you change your IP because of this; check your startup

  20. XYZaki
    Date: Tue, Oct 4 2011 01:41:06

    shoeman6 wrote: Um.... did you try reformatting and NOT connecting to the internet? Try installing linux on there, that'll throw em. Otherwise it's something you're installing every time that's infected.
    Well, when I'm not connected to the internet, the trojans cease to run, period. Though as soon as I connect, the gibberish.exes are in the task man.
    ChainBreak wrote: I agree with shoeman. Get Linux and say goodbye to virusinfected windows OS. Linux is faster anyways =3
    I'll use Ubuntu for different GNOME utilities (like GParted, for instance), but as far as everyday use goes, there's no way for Linux to be a substantial substitute for Windows for me.
    neXus wrote: Try a different windows installation than the one you previously used. Like re-download 7 off the internet from a different source than you did last time because it seems that this comes pre-disposed with your windows installation if it comes up again after formating.
    I'll try this, but it seems unlikely because I've used the same disk for as long as 7 has been out with no trouble until now. Thanks.

  21. Frip
    Date: Tue, Oct 4 2011 03:02:32

    PREDATORNET wrote: Bring it to your nearest BestBuy or some sort of store with a tech crew, they'll probably know what to do.
    :trollface:

  22. iMatt
    Date: Tue, Oct 4 2011 03:02:38

    If this isn't a troll, the way you approach this is as follows.
    1.) Nuke your HDD. http://www.dban.org/download Do the highest-level wipe (that will erase ghosting).
    2.) Completely reset your router (hard reset, pinhole button). Then set it up for WPA2 AES/TKIP. Make the password at least 6 letters (at least 1 capital), 2 numbers, and 2 symbols.
    3.) When installing Windows, make sure you're offline.
    That should take care of it. Anyways, the virus itself I've seen before and even gotten. It's pretty fucken malicious. The only circumvention I could do was having Windows XP and Windows 7 dual booted. So when I got it in Windows 7, I moved to Windows XP to start the dirty work/moving files over to there. Essentially what you need to do is run a recovery command prompt and run a special utility (the name escapes me right now) that'll re-enable the registry/policy changes. The only way to change the policy is to change the registry. That's how it hides Folder Options etc. From there you can access hidden folders/run admin programs. Then run ComboFix. That'll clean the crap out. Then use CCleaner/Malwarebytes/Spybot to clean out the registry just in case. From there get VIPRE Anti-Virus; that thing will annihilate anything out there in terms of viruses, new definitions update daily.

  23. strat1227
    Date: Tue, Oct 4 2011 04:03:53

    iMatt wrote: Make the password at least 6 letters (at least 1 capital), 2 Numbers, and 2 Symbols.
    The greatest trick the devil ever played was convincing the world that this actually mattered. http://xkcd.com/936/

  24. nateiskewl
    Date: Tue, Oct 4 2011 04:12:39

    strat1227 wrote: The greatest trick the devil ever played was convincing the world that this actually mattered. http://xkcd.com/936/
    That's assuming the password is being brute-forced. "Correct horse battery staple" would be easy to dictionary crack, no?

  25. strat1227
    Date: Tue, Oct 4 2011 04:34:42

    @nateiskewl Actually, there are 176,000 words in the English dictionary, so even to dictionary hack they'd have to go through 176000^4 options; that would take even longer than brute forcing it. And even to fix this problem, just add your mom's name as one of the words or some shit, then they can't dictionary crack it.

  26. Colin
    Date: Tue, Oct 4 2011 05:02:14

    Pen Ninja wrote: You should probably SMS with the text RRR810 262191899 on number 97605 for an unblocking of your computer
    Ill do it. Computer Mobile IM ftw.

  27. iMatt
    Date: Tue, Oct 4 2011 05:32:30

    Or. Put it in spanish. MINDFUCKED.

  28. strat1227
    Date: Tue, Oct 4 2011 06:40:19

    iMatt wrote: Or. Put it in spanish. MINDFUCKED.
    Lol yeah, either way that whole "one capital and one batman symbol and four greek characters" bullshit is useless. I hate when things require that shit

  29. ChainBreak
    Date: Tue, Oct 4 2011 10:43:27

    It's actually not so unlikely that your disc has been infected when you just put it in. The virus just copied itself on the disc. I recommend you get a new CD with Win7, delete all data on your hard drive (I mean all data, not like delete everything except for the OS; there are some programs that do just that for you), then put in the new disc, which is most likely not infected. That should get rid of all viruses =3 Or you just learn programming, get a faster Linux than Ubuntu and start hunting the virus down... but that would probably take some time.

  30. Vaan
    Date: Tue, Oct 4 2011 10:47:49

    Don't know what to say. Never used a Mac ^^

  31. iMatt
    Date: Tue, Oct 4 2011 20:17:26

    ChainBreak wrote: it's actually not so unlikely that your disc has been infected when you just put it in. The virus just copied itself on the disc. I recommend you get a new CD with Win7, delete all data on your harddrive(I mean all data not like delete everything except for the OS) there are some programs that do just that for you, then put in the new disc which is most likely not infected. That should get rid of all viruses =3 Or you just learn programming, get a faster Linux than Ubuntu and start hunting the virus down... but that would probably take some time.
    Yes. The data copied onto a windows 7 installation disk (non-rewritable/closed session media). Why use Linux, you can easily just boot into pocket XP and work in an environment that isn't foreign.

  32. UEDan
    Date: Wed, Oct 5 2011 20:11:54

    iMatt wrote: Why use Linux, you can easily just boot into pocket XP and work in an environment that isn't foreign.
    tsk tsk tsk... kids nowadays =P Actually Zaki, these "We infected you, now pay us and we'll take it off" scams have been around for a while. I don't get why you guys keep saying "Change your IP" because unless you have a business account (usually) your IP will be dynamic (constantly changing). So if that texting thing really does work, the virus probably would have some way of relaying your current IP to them Russians. You know, if this thing was able to completely lock up your system I wouldn't be surprised if it were capable of worming through your network. Have you double checked the other systems in your network? And after the format, how did you install your programs? Old installers? One of them might be the infected bastard.

  33. XYZaki
    Date: Wed, Oct 5 2011 23:41:35

    UEDan wrote: You know, if this thing was able to completely lock up your system I wouldn't be surprised if it were capable of worming through your network. Have you double checked the other systems in your network? And after the format, how did you install your programs? Old installers? One of them might be the infected bastard.
    It didn't completely lock up the system, it was really just a forced full screen window. I used CtrlAltDel to log out/shut down just fine. And I've checked all of the 4 other computers in my house, they're all fine. Which would lead to the conclusion that an installer I'm using is infected, but I've considered everything and the only thing it could POSSIBLY be is the Windows 7 Loader, which sounds like an obvious one, but I've only been using the popular ones that are known to work. This also wouldn't make sense because the first signs of infection showed up months after the most recent format during that time frame. In fact I can't point out any distinct juncture that might have allowed the infection in, other than increased League of Legends playing as Spring transitioned into Summer. Oh and my IP is static as fuc. It's been the same for as long as I can remember, I even tried a number of methods to change it, no avail.

  34. exclusive
    Date: Thu, Oct 6 2011 21:22:09

    I'm wondering how I got hacked in this game a long time ago. My username was like mnisgg and my password was simple lol. I wonder how they found out my username though.

  35. Ed
    Date: Thu, Oct 6 2011 22:14:56

    WTF, Russians are now hard and smart?

  36. Vassenato
    Date: Fri, Oct 7 2011 02:10:22

    Ed wrote: WTF, Russians are now hard and smart?
    >Implying Russians haven't been smart I give up.

  37. zweebna
    Date: Fri, Oct 7 2011 02:13:49

    NOPE, RUSSIANS USED TO BE DUMB, JUST LIKE THE MEXICANS AND THE BLACKS.

  38. Vassenato
    Date: Fri, Oct 7 2011 02:24:26

    OH YOU

  39. XYZaki
    Date: Sun, Oct 30 2011 06:25:23

    Update: I hard reset my router and setup WPA/WPA2. I formatted and installed W7 again, I haven't activated or patched uxtheme yet. So far so good, nothing suspicious in taskman. Edit: Oh and as for the nuke, I actually tried nuking my HD back in summer, but dban gave me an error >_>

  40. Mufoofee
    Date: Sun, Oct 30 2011 07:21:02

    Download HijackThis and Malwarebytes. Scan using HijackThis and post the log here. Do NOT run Malwarebytes yet. @XYZaki

  41. XYZaki
    Date: Sun, Oct 30 2011 07:30:40

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:29:39 AM, on 10/30/2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\sttray.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Opera\opera.exe
    C:\Program Files\MediaMonkey\MediaMonkey.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Digsby\lib\digsby-app.exe
    C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe

    -- End of file - 3185 bytes

  42. Zombo
    Date: Sun, Oct 30 2011 15:54:24

    strat1227 wrote: @nateiskewl Actually, there are 176,000 words in the english dictionary. so even to dictionary hack they'd have to go through 176000^4 options, that would take even longer than brute forcing it and even to fix this problem just add your mom's name as one of the words or some shit, then they can't dictionary crack it
    what if YOUR MOM's name is in the dictionary ooooooooooooooohhhhhhhhhhhhwowowowoh

  43. Mufoofee
    Date: Sun, Oct 30 2011 22:59:29

    First of all, you have 3 "conhost.exe" running. Go to the folder that they are located in, and find the date that they have been created. And try this to see your hidden files again:
    1. Go to Start
    2. Go to Run (or press the "Windows" button between Ctrl and Alt on your keyboard and "R"). So Windows key + "R"
    3. Paste this!

    HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Current Version/Explorer/Advanced/Folder/Hidden/SHOWALL

    This should enable you to see your hidden files, but if the virus is still running, it should be quickly disabled. Can you run Regedit (using "Run")?
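
The Folder Options lockout XYZaki describes in the first post, which iMatt (post 22) says is done through registry and policy values and which Mufoofee's SHOWALL key above is part of, as an added example that is not part of the thread: a PowerShell script that reads the values Explorer uses for "Show hidden files", Folder Options, Task Manager and Registry Editor, reports which ones differ from the normal settings, and restores them when asked. Assumptions of mine: PowerShell 3 or later on Windows 7, saved as a .ps1 file and run from an elevated prompt as the affected user; the -Repair switch and the "expected" values are my choices, not anything the thread states. As Mufoofee notes, a still-running infection will flip these straight back, so run it after the process is gone (safe mode, or from the second OS iMatt mentions).

```powershell
# Added example (not from the thread): check the registry values that control
# "Show hidden files" and Folder Options, which this kind of malware flips,
# and optionally restore the normal settings. Run from an elevated PowerShell.
param([switch]$Repair)

$checks = @(
    # Per-user Folder Options: Hidden = 1 shows hidden files, 2 hides them.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden'; Expected = 1 },
    # ShowSuperHidden = 1 also shows protected operating-system files.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden'; Expected = 1 },
    # Policy that removes Folder Options from Explorer entirely (absent or 0 is normal).
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Expected = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Expected = 0 },
    # Machine-wide definition of the "Show hidden files" radio button.
    # CheckedValue is normally 1; malware sets it to 2 so choosing the option does nothing.
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue'; Expected = 1 },
    # Task Manager / Registry Editor lockouts, also common with this kind of malware.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Expected = 0 }
)

foreach ($c in $checks) {
    $actual = $null
    if (Test-Path $c.Path) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    # An absent value is reported as 0: for the policy values that means "not enforced",
    # for the Advanced values it means Explorer is using its built-in default.
    if ($null -eq $actual) { $actual = 0 }

    if ($actual -ne $c.Expected) {
        Write-Host ("NOT OK  {0}\{1} = {2} (expected {3})" -f $c.Path, $c.Name, $actual, $c.Expected) -ForegroundColor Red
        if ($Repair) {
            # -Force returns the key if it already exists, or creates it if not.
            New-Item -Path $c.Path -Force | Out-Null
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
            Write-Host ("        restored {0} to {1}" -f $c.Name, $c.Expected)
        }
    } else {
        Write-Host ("ok      {0}\{1} = {2}" -f $c.Path, $c.Name, $actual)
    }
}

# Explorer reads these values when it starts, so restart it after a repair.
if ($Repair) {
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}
```

Run it without the switch first to see what has been changed; the script only writes when -Repair is given. If the same values come back flipped a minute later, the infection is still running and the registry is not the place to fight it.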

  44. XYZaki
    Date: Sun, Oct 30 2011 23:39:07

    Mufoofee wrote: Go to the folder that they are located in, and find the date that they have been created. And try this to see your hidden files again: 1. Go to Start 2. Go to Run (or press the "Windows" button between Ctrl and Alt on your keyboard and "R") So Windows key + "R" 3. Paste this! This should enable you to see your hidden files, but if the virus is still running, it should be quickly disabled. Can you run Regedit (using "Run")?
    Have you been reading this thread? I just reformatted, of course I can see my hidden files...

  45. Mufoofee
    Date: Mon, Oct 31 2011 00:04:33

    XYZaki wrote: Have you been reading this thread? I just reformatted, of course I can see my hidden files...
    The dates man, I need the dates.

  46. XYZaki
    Date: Mon, Oct 31 2011 00:13:42

    Mufoofee wrote: The dates man, I need the dates.
    Date created: 10/30/2011 2:57 AM Date modified: 7/15/2011 9:31 PM

  47. Zombo
    Date: Mon, Oct 31 2011 00:22:51

    If you wait 12 hours from the message, does it really format your computer?

  48. XYZaki
    Date: Mon, Oct 31 2011 00:26:21

    Zombo wrote: if u wait 12 hours from the message, does it really format your computer?
    I highly doubt it, but I don't think I'll be able to try again now that I'm on WPA2 :>

  49. chris
    Date: Mon, Oct 31 2011 02:19:16

    wait that seems strange. created recently but modified months ago? :?

  50. Mike
    Date: Mon, Oct 31 2011 03:07:48

    chrisPS wrote: wait that seems strange. created recently but modified months ago? :?
    Modified when it was written on the CD.
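
The check Mufoofee asked for in post 43 (how many conhost.exe are running, and when the files were created), together with the created-versus-modified question chris and Mike discuss just above, as an added example that is not part of the thread: a PowerShell script that lists every running process with a given name, where its image lives, its Authenticode status and the file's creation and last-write times. My assumptions: PowerShell 3 or later on Windows 7; the process name parameter and the "expected"/"SUSPICIOUS" verdict rule are mine. One caveat a practitioner needs here: on Windows 7 most OS binaries are signed through a catalog rather than an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly legitimate conhost.exe; Sysinternals sigcheck checks catalogs, this script does not.

```powershell
# Added example (not from the thread). Lists every running process with the
# given name, where its image lives, its Authenticode status and the file's
# creation and last-write times. Needs PowerShell 3 or later.
param([string]$Name = 'conhost')

$system32 = Join-Path $env:SystemRoot 'System32'

# Several conhost.exe instances are normal on Windows 7: one is started for
# every process that owns a console window. What matters is where they run from.
$report = Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = $proc.Path            # $null when access to the process is denied
    if (-not $path) {
        return [pscustomobject]@{
            PID = $proc.Id; Path = '(access denied)'; InSystem32 = $null; Signature = $null
            Created = $null; Modified = $null; Verdict = 'check manually'
        }
    }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $inSystem32 = ($file.DirectoryName -ieq $system32)

    # Catalog-signed OS files show up as NotSigned on Windows 7, so only an
    # explicitly broken signature or a location outside System32 counts
    # against the file.
    $brokenSig = @('HashMismatch', 'NotTrusted') -contains [string]$sig.Status
    $verdict = if ($inSystem32 -and -not $brokenSig) { 'expected' } else { 'SUSPICIOUS' }

    # Created newer than Modified is normal for a file copied from install
    # media: the copy gets a fresh creation time but keeps the source file's
    # last-write time. The reverse on a system binary (Modified newer than
    # Created) usually means something wrote to it after installation.
    [pscustomobject]@{
        PID        = $proc.Id
        Path       = $path
        InSystem32 = $inSystem32
        Signature  = $sig.Status
        Created    = $file.CreationTime
        Modified   = $file.LastWriteTime
        Verdict    = $verdict
    }
}

$report | Format-Table -AutoSize
```

Applied to the dates XYZaki posted (created 10/30/2011, modified 7/15/2011) the script would report the combination Mike explains: a fresh creation time from the install and an older last-write time carried over from the source file, which by itself is not a sign of tampering.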

  51. Nicetricks
    Date: Thu, Nov 3 2011 03:53:25

    Colin wrote: Ill do it. Computer Mobile IM ftw.
    You should let us know how that goes...

  52. XYZaki
    Date: Sun, Nov 13 2011 00:26:13

    FUCK NIGGA. AGAIN WITH THIS SHIT. @UEDan Note that this is after changing to WPA2 and formatting. I used a different Windows 7 image and I haven't used any shady software (Haven't even activated windows/patched uxtheme). Also I'll repeat that Dban isn't a resort because it gives me an error.

  53. XYZaki
    Date: Sun, Nov 13 2011 00:35:57

    They be after me.

  54. Pen Ninja
    Date: Sun, Nov 13 2011 05:31:10

    Windows doesn't work? I KNOW! I'll use Windows to find the solution!!! What's the chance of you buying a new hard drive and starting from scratch? New hard drive, new copy of Windows. The only other place that it could be hiding is like... BIOS or some shit... which I highly doubt.

  55. XYZaki
    Date: Sun, Nov 13 2011 05:40:23

    Pen Ninja wrote: what's the chance of you buying a new hard drive and starting from scratch? new hard drive, new copy of windows the only other place that it could be hiding is like... bios or some shit... which i highly doubt
    I think the time/cost of buying and installing a laptop hard drive is more than my laptop is even worth (*cough* $200 *cough*). After I trade some stocks, I'll buy a Sager hopefully, but for now I need to do my schoolwork on this thing, so having to deal with this virus is onerous.

  56. XYZaki
    Date: Sun, Nov 13 2011 20:43:15

    Is it possible for a virus to be stored in the RAM? NOD32 found a trojan in the operating memory, but I would assume it would be removed when the computer shuts off. My only option here seems to be flashing the BIOS .-.

  57. Pen Ninja
    Date: Sun, Nov 13 2011 22:49:36

    I've never seen that before, but it's rather clear you're going to need to be very drastic here =[

  58. XYZaki
    Date: Mon, Nov 14 2011 03:38:10

    Apparently so; it blocked me from the internet using some sort of proxy.

  59. UEDan
    Date: Mon, Nov 14 2011 04:31:20

    My guess would be you're getting this shit from an infected website since you've pretty much covered all the other bases.

  60. iMatt
    Date: Mon, Nov 14 2011 04:36:20

    The Harnig is a relatively harmless trojan. You can get it from a bad pop-up. It's not difficult to remove.
    1. Remove the registry entries hidden by Trojan.Downloader.Win32.Harnig.s. If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup="C:\windows\start menu\programs\startup"
    2. It is possibly a way to load the "Trojan.Downloader.Win32.Harnig.s" malicious programs by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked.
    3. Clean up the "IE Temporary Files folder" where the original carrier of spyware threats is likely stored. Instead clean Firefox/Chrome/browsers etc.
    *Reply taken from spydig.
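
The manual walk through the autostart locations in the post above, as an added example that is not part of the thread: a PowerShell script that dumps every entry in the Run/RunOnce keys, the Explorer policy Run key, the Startup folders and the run=/load= lines of win.ini, and flags entries that look like the "gibberish.exe" droppers XYZaki described (a random-looking name with no vowels such as dfhbt3y.exe, or an image under a user-writable directory). My assumptions: PowerShell 3 or later on Windows 7, run from an elevated prompt as the affected user; the flagging heuristic is mine and is a prompt for a closer look, not proof of malware.

```powershell
# Added example, not from the thread. Enumerates the autostart locations the
# post lists and flags entries that look like the "gibberish.exe" droppers
# described earlier. Heuristic only. Needs PowerShell 3 or later.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# First token of a command line, honouring quotes and %VAR% expansion. An
# unquoted path containing spaces is cut at the first space, which is also
# what Windows itself tries first.
function Get-ImagePath([string]$command) {
    $command = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

# Heuristic, not proof: a name of 6+ letters/digits with no vowels, or an
# image under a user-writable directory instead of Program Files or the
# Windows directory, deserves a closer look.
function Test-Suspicious([string]$command) {
    $exe  = Get-ImagePath $command
    $leaf = [IO.Path]::GetFileNameWithoutExtension($exe)
    $randomName   = ($leaf -match '^[a-z0-9_]{6,}$') -and ($leaf -notmatch '[aeiou]')
    $userWritable = $exe -match '\\(Temp|AppData|Local Settings|Application Data|Users|ProgramData)\\'
    return ($randomName -or $userWritable)
}

# Registry Run-style keys.
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -match '^PS') { continue }   # provider metadata, not a registry value
        [pscustomobject]@{
            Location = $key; Name = $prop.Name; Command = [string]$prop.Value
            Suspicious = Test-Suspicious ([string]$prop.Value)
        }
    }
})

# Per-user and all-users Startup folders.
$startupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$entries += @(foreach ($folder in $startupFolders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Location = $folder; Name = $_.Name; Command = $_.FullName
            Suspicious = Test-Suspicious $_.FullName
        }
    }
})

# win.ini: a non-empty run= or load= line is a legacy autostart that nothing
# legitimate has used for years, so any hit is worth looking at.
$winIni = Join-Path $env:SystemRoot 'win.ini'
$entries += @(Select-String -Path $winIni -Pattern '^\s*(run|load)\s*=\s*\S' | ForEach-Object {
    [pscustomobject]@{ Location = $winIni; Name = 'win.ini'; Command = $_.Line.Trim(); Suspicious = $true }
})

$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run against the HijackThis log XYZaki posted, the entries it shows (sttray.exe, APSDaemon.exe, iTunesHelper.exe, Sidebar.exe, mctadmin.exe) all have vowels in the name and live under Program Files or Windows, so none would be flagged; a dfhbt3y.exe under %TEMP% would be, on both counts.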

  61. Pen Ninja
    Date: Mon, Nov 14 2011 04:37:16

    that's one hell of a computa haxx coming from like site cookies or something

  62. XYZaki
    Date: Mon, Nov 21 2011 22:17:44

    I'ma flashin my BIOS.