[resolved] Computer hijacked. - Page 5

post #41 of 75
And while I'm generally a fan of repairing a computer, when it's this pervasive there's no such thing as overboard. Always err on the side of caution in these instances.

I had a similar attempt made on my network / computer. Unplugged, fixed my computer, fixed the router, reattached the internet and watched the IPs flail at trying to breach my network again.
post #42 of 75
Quote:
Originally Posted by CTRLurself [Knyte Custom]
@OP: coming from a guy who's spent the last 6 years of his life removing infections from computers I can say this with utter confidence. The people posting that "it's probably ____ worm, run this tool from a hacking forum and you'll be fine" are complete and total nards. Disconnect from the internet, don't run those programs, you can have any of thousands of back doors that I've seen over the years.

Fire up an Ubuntu disk, disconnect your MODEM from the wall so it is totally off, delete the infected FILES manually in Ubuntu. Boot a Windows install disk, do a repair on your computer (sfc /scannow) to replace any files you just deleted that are system files, log in to your router, remove all port forwarding, change the name of your router, change your wireless password, change the password to log into your router. Boot safe mode, run MBAM scan, run TDSSKiller, run MSE, remove all infections they found. Get real AV software (Kaspersky Internet Security, NOD32), make sure Windows firewall is installed and active if you're too cheap to get a real AV program. Shut down that computer.

Go to the next computer, power it on, do the exact same steps to repair it, then shut it down.

Go to EVERY other computer on your network, repeat these same steps.

Plug your modem back in, it gets a new IP address, problem solved.

YOU WON'T BEAT THIS WHILE CONNECTED TO THE INTERNET.
QFT

Put those "critical documents" onto google docs and tell whoever needs them to take a laptop to panera bread tomorrow and work on them that way. The longer you keep the computers on the internet, the longer they stay infected.
post #43 of 75
That sounds like a pretty nasty malware you got. I agree with the slash-n-burn strategy recommended by others. Sometimes it's better to cut your losses and avoid getting a whole network infected because you wanted to try and keep the 'net connection up during a reinstall.
post #44 of 75
Quote:
Originally Posted by Omega329
Wrong, he needs to reformat or remove the worm, or the worm will just reinstall the RAT.
The worm does the spreading.
No, a worm replicates itself over the network. It's a stand-alone program. A RAT is a remote administration tool. It's not an evil program; it has its purpose. It doesn't infect programs but just creates a back door on the system. But is there any proof it's a RAT? Rootkits, anyone?
post #45 of 75
Sorry to hear about this srsdude. Hope you get it all squared away. I'm guessing that it was good that I didn't download that file you posted as an attachment on this post (#493). Maybe a mod needs to remove that post just in case.
post #46 of 75
Quote:
Originally Posted by CTRLurself [Knyte Custom]
@OP: coming from a guy who's spent the last 6 years of his life removing infections from computers I can say this with utter confidence. The people posting that "it's probably ____ worm, run this tool from a hacking forum and you'll be fine" are complete and total nards. Disconnect from the internet, don't run those programs, you can have any of thousands of back doors that I've seen over the years.

Fire up an Ubuntu disk, disconnect your MODEM from the wall so it is totally off, delete the infected FILES manually in Ubuntu. Boot a Windows install disk, do a repair on your computer (sfc /scannow) to replace any files you just deleted that are system files, log in to your router, remove all port forwarding, change the name of your router, change your wireless password, change the password to log into your router. Boot safe mode, run MBAM scan, run TDSSKiller, run MSE, remove all infections they found. Get real AV software (Kaspersky Internet Security, NOD32), make sure Windows firewall is installed and active if you're too cheap to get a real AV program. Shut down that computer.

Go to the next computer, power it on, do the exact same steps to repair it, then shut it down.

Go to EVERY other computer on your network, repeat these same steps.

Plug your modem back in, it gets a new IP address, problem solved.

YOU WON'T BEAT THIS WHILE CONNECTED TO THE INTERNET.
Nothing wrong with Hackforums. Don't let its name fool you, please. Go sign up and see for yourself. Read its rules as well.
post #47 of 75
Thread Starter 
Quote:
Originally Posted by bfe_vern
Sorry to hear about this srsdude. Hope you get it all squared away. I'm guessing that it was good that I didn't download that file you posted as an attachment on this post (#493). Maybe a mod needs to remove that post just in case.
The file is most likely OK

Try googling its name and finding it on Simtropolis if you want to be on the safe side. But that's for the SimCity thread.


Quote:
Originally Posted by caraboose
-rep.

Quote:
Originally Posted by CTRLurself [Knyte Custom]
@OP: coming from a guy who's spent the last 6 years of his life removing infections from computers I can say this with utter confidence. The people posting that "it's probably ____ worm, run this tool from a hacking forum and you'll be fine" are complete and total nards. Disconnect from the internet, don't run those programs, you can have any of thousands of back doors that I've seen over the years.

Fire up an Ubuntu disk, disconnect your MODEM from the wall so it is totally off, delete the infected FILES manually in Ubuntu. Boot a Windows install disk, do a repair on your computer (sfc /scannow) to replace any files you just deleted that are system files, log in to your router, remove all port forwarding, change the name of your router, change your wireless password, change the password to log into your router. Boot safe mode, run MBAM scan, run TDSSKiller, run MSE, remove all infections they found. Get real AV software (Kaspersky Internet Security, NOD32), make sure Windows firewall is installed and active if you're too cheap to get a real AV program. Shut down that computer.

Go to the next computer, power it on, do the exact same steps to repair it, then shut it down.

Go to EVERY other computer on your network, repeat these same steps.

Plug your modem back in, it gets a new IP address, problem solved.

YOU WON'T BEAT THIS WHILE CONNECTED TO THE INTERNET.
The question is, how do I find the infected files?

I was thinking about going to Ubuntu, putting several absolutely critical files on a removable drive or the ubuntu HDD, and then wiping every single program off the system and starting over.
post #48 of 75
I mean, c'mon, reformat? It's not a file virus. It needs to start up somehow. Just boot into Safe Mode with Networking and start cleaning your PC.
First run CCleaner
Then run SuperAntiSpyware
Then Malwarebytes
Then ComboFix
Then TDSSKiller
Spybot Search & Destroy

Fix your browser with SuperAntiSpyware
Then update and scan with your AV
post #49 of 75
Quote:
Originally Posted by srsdude
The file is most likely OK

Try googling its name and finding it on Simtropolis if you want to be on the safe side. But that's for the SimCity thread.



-rep.



The question is, how do I find the infected files?

I was thinking about going to Ubuntu, putting several absolutely critical files on a removable drive or the ubuntu HDD, and then wiping every single program off the system and starting over.
Like I said earlier, run HijackThis and give me the log and I can assist you in identifying it and removing it. Otherwise you're just going to increase the payload.
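Posts #48 and #49 rest on the same point: whatever is on the box has to start up somehow, and a HijackThis-style listing of autostart locations is how you find it. As an added example, not code from Spooony, from HijackThis or from anywhere else in the thread, here is a read-only PowerShell triage script that gathers those locations (Run/RunOnce keys, Winlogon Shell/Userinit, non-Windows services, scheduled tasks) and flags entries whose program lives in a user-writable folder. It assumes an elevated PowerShell 2.0+ prompt on an English Windows 7 install; the folder list in $suspectDirs is a heuristic of my own.

```powershell
# Added triage script (not from the thread or HijackThis): list the Windows autostart
# locations an infection must use to survive a reboot and flag entries whose program
# sits in a user-writable folder. Read-only; it removes nothing.
# Assumes elevated PowerShell 2.0+ on an English Windows 7 install (column names are localized).
$suspectDirs = 'AppData', 'Temp', 'ProgramData', 'Users\Public', 'Downloads'   # heuristic, my own

function Test-SuspectPath([string]$cmd) {
    foreach ($d in $suspectDirs) { if ($cmd -match [regex]::Escape($d)) { return $true } }
    return $false
}
function Add-Finding($src, $name, $cmd) {
    New-Object PSObject -Property @{ Source = $src; Name = $name; Command = [string]$cmd }
}
$findings = @()
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run / RunOnce keys for the machine and the current user (WOW6432Node included)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty $key).PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }    # skip PowerShell's own provider properties
        $findings += Add-Finding $key $prop.Name $prop.Value
    }
}
# 2. Winlogon Shell and Userinit: on a clean box these are explorer.exe and userinit.exe only
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings += Add-Finding 'Winlogon' 'Shell' $wl.Shell
$findings += Add-Finding 'Winlogon' 'Userinit' $wl.Userinit

# 3. Services whose binary is not under \Windows\ (third-party services and drivers land here)
foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.PathName -notmatch '\\Windows\\' })) {
    $findings += Add-Finding 'Service' $svc.Name $svc.PathName
}
# 4. Scheduled tasks; schtasks.exe exists on Windows 7, Get-ScheduledTask does not
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
    if ($t.TaskName -eq 'TaskName' -or $t.'Task To Run' -eq 'N/A') { continue }   # repeated headers, folders
    $findings += Add-Finding 'Task' $t.TaskName $t.'Task To Run'
}
# Flagged rows first; compare the full list against a machine you know is clean
$findings |
    Select-Object @{ n = 'Flag'; e = { if (Test-SuspectPath $_.Command) { '!!' } else { '' } } }, Source, Name, Command |
    Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

A "!!" row is a lead, not a verdict: legitimate updaters also run from AppData, so check the file's publisher signature and hash before deciding anything is malicious.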
post #50 of 75
Thread Starter 
Quote:
Originally Posted by caraboose
Hey, it would work!
Plus, you're still on the internet, not listening to what we're saying, so why not put a bit of humour into an otherwise dull thread?
I AM listening to what you guys are saying
I just can't act immediately and I will be probably doing this tomorrow. It's very very late and I'm going to sleep soon, otherwise I won't think straight and do more harm than good.
I'll turn off the internet, and then call the ISP tomorrow and ask them to change my IP. Then I'll reset all router settings, wipe my system, change passwords, all that good stuff.

Now time for an update

I blocked all ports, the attacks seemed to stop.
I am now posting from my unaffected laptop, and it seems that the virus is not like a RAT, but rather a dumb clicker that will copy-paste random stuff, because its behavior is not human-like, which I thought of at first. It opens up random documents and occasionally right- or left-clicks. But I know that it's there.

Safe mode seems to be affected by the virus also.



Quote:
Originally Posted by Spooony
I mean, c'mon, reformat? It's not a file virus. It needs to start up somehow. Just boot into Safe Mode with Networking and start cleaning your PC.
First run CCleaner
Then run SuperAntiSpyware
Then Malwarebytes
Then ComboFix
Then TDSSKiller
Spybot Search & Destroy

Fix your browser with SuperAntiSpyware
Then update and scan with your AV
After I install all that stuff, even assuming it's not crap, I'll have an old Windows install that could still be infected. I'm better off going to Ubuntu, doing a 30+ pass erase, and then installing Windows fresh.

Going to run Hijack This soon.