Godlike Productions - Discussion Forum
Computer Question HELP!

 
kingbirdfivezero

User ID: 31855983
United States
01/28/2013 05:15 PM
Re: Computer Question HELP!
I didn't mean to imply that I got a virus on GLP. I was joking about someone nosing around on my computer now that I post on GLP and read the threads.

I really appreciate all of your help! Thank you! Thank you!
 Quoting: Skepticnumberone


Suggestion....

Since your PC and another PC at your location were SEVERELY compromised, the smartest thing to do would be to back up your data, format the drive and reinstall the O/S.
You have no idea what could have been installed on your network.
Even your router is now suspect.


Seriously, nuke it from orbit....it's the only way to be sure.



 Quoting: Useless Cookie Eater


If you do go DEFCON 1 and "nuke the site from orbit" make absolutely sure you re-format the hard drive beforehand and not just reinstall the OS. Also, when you go to restore your data be sure to scan it first before restoring it to your system. This is because it could also contain viruses, spybots, malware, etc. Finally, reinitialize your router because it could have unwanted ports open because of what happened to you. It is indeed the only way to be sure...
Useless Cookie Eater

User ID: 29696048
United States
01/28/2013 05:23 PM
Re: Computer Question HELP!
I didn't mean to imply that I got a virus on GLP. I was joking about someone nosing around on my computer now that I post on GLP and read the threads.

I really appreciate all of your help! Thank you! Thank you!
 Quoting: Skepticnumberone


Suggestion....

Since your PC and another PC at your location were SEVERELY compromised, the smartest thing to do would be to back up your data, format the drive and reinstall the O/S.
You have no idea what could have been installed on your network.
Even your router is now suspect.


Seriously, nuke it from orbit....it's the only way to be sure.



 Quoting: Useless Cookie Eater


If you do go DEFCON 1 and "nuke the site from orbit" make absolutely sure you re-format the hard drive beforehand and not just reinstall the OS. Also, when you go to restore your data be sure to scan it first before restoring it to your system. This is because it could also contain viruses, spybots, malware, etc. Finally, reinitialize your router because it could have unwanted ports open because of what happened to you. It is indeed the only way to be sure...
 Quoting: kingbirdfivezero


Reinitializing the router won't get it if it is compromised.
At the very least the router software needs to be removed and reloaded.
Even then sometimes, such as with some Linksys routers, the viral software remains.
School IT Admin
User ID: 22375306
United States
01/28/2013 05:29 PM
Re: Computer Question HELP!
- Download, install & run Malwarebytes.
- Clean as indicated following a full scan.
- Scan again until no threats are detected

< [link to downloads.malwarebytes.org] >


Last night when I went online, something I had never seen popped up. It said gadgets and was in a little box on the screen. It disappeared within about 30 seconds. Later while trying to play a game, my screen kept moving down making it impossible for me to play. Within the last week when I open my computer a little screen pops up on the far right bottom of my computer. It's so fast that I have no idea what it is. A few minutes ago my husband's computer made a weird sound that neither of us had ever heard before. His computer was just sitting there.

I am no computer wiz and I would appreciate any input. My computer is fairly new and I don't want to deal with a crash.
 Quoting: Skepticnumberone
Anonymous Coward
User ID: 33222997
Sweden
01/28/2013 05:39 PM
Re: Computer Question HELP!
run malwarebytes
 Quoting: reaperz73



^ This ^

Best free infection fixer yet.



[link to www.malwarebytes.org]


Download.
Install.
Update.
Scan.
Fix.

Restart.

(wash, rinse, repeat til scan's clean)
 Quoting: Anonymous Coward 17119454


Actually this is a better anti malware adware and evil cookie program:

[link to www.superantispyware.com] Totally free
Useless Cookie Eater

User ID: 29696048
United States
01/28/2013 06:04 PM
Re: Computer Question HELP!
run malwarebytes
 Quoting: reaperz73



^ This ^

Best free infection fixer yet.



[link to www.malwarebytes.org]


Download.
Install.
Update.
Scan.
Fix.

Restart.

(wash, rinse, repeat til scan's clean)
 Quoting: Anonymous Coward 17119454


Actually this is a better anti malware adware and evil cookie program:

[link to www.superantispyware.com] Totally free
 Quoting: Anonymous Coward 33222997


All the spyware and malware in the world is only as good as its latest update...or threats it is aware of and searching for.

There are SOOOOO many things in the wild that people have no clue about.

Nuke it from orbit....and the router.
Call it done.
Anonymous Coward
User ID: 33005678
United States
01/28/2013 11:05 PM
Re: Computer Question HELP!
Google "combofix"

download it from the website beginning with www.bleeping...

run it, update it if needed.

It may look like it's not doing anything but it is. Let it finish, DO NOT close it or reboot your computer while it is running.

This is by far the best program I know of for removing malware, viruses, trojans, etc....

The top selling anti-virus programs suck! This program runs circles around them.
 Quoting: Just A Thought


There is a warning on Combofix that states it should be used under the direction of a professional. A Malwarebytes support tech will probably have you use it to clean your machine.
 Quoting: RockHall


I've used it hundreds of times. I am an IT Administrator.

The only danger is stopping the program or rebooting your computer while it is running. Beyond that it is straight up simple to use.
 Quoting: Just A Thought


Thank you! I was wondering why they said you had to be under the direction of a professional. And I thank the professional who told us why !

Hats off to you, my friend!
Anonymous Coward
User ID: 33005678
United States
01/28/2013 11:08 PM
Re: Computer Question HELP!
run malwarebytes
 Quoting: reaperz73



^ This ^

Best free infection fixer yet.



[link to www.malwarebytes.org]


Download.
Install.
Update.
Scan.
Fix.

Restart.

(wash, rinse, repeat til scan's clean)
 Quoting: Anonymous Coward 17119454


Actually this is a better anti malware adware and evil cookie program:

[link to www.superantispyware.com] Totally free
 Quoting: Anonymous Coward 33222997


I would be VERY CAREFUL with Super Anti-Spyware!!!

When you start to use it, everything is just fine. Then it comes time for an update, so you click the link... BINGO!!!

You end up downloading a .exe!!!!!!!!!!

With all the situations I've been in, I would NEVER do it.

(Only a word to the wise, though.)
RockHall nli
User ID: 33005678
United States
01/28/2013 11:12 PM
Re: Computer Question HELP!
I didn't mean to imply that I got a virus on GLP. I was joking about someone nosing around on my computer now that I post on GLP and read the threads.

I really appreciate all of your help! Thank you! Thank you!
 Quoting: Skepticnumberone


Suggestion....

Since your PC and another PC at your location were SEVERELY compromised, the smartest thing to do would be to back up your data, format the drive and reinstall the O/S.
You have no idea what could have been installed on your network.
Even your router is now suspect.


Seriously, nuke it from orbit....it's the only way to be sure.





 Quoting: Useless Cookie Eater


If you do go DEFCON 1 and "nuke the site from orbit" make absolutely sure you re-format the hard drive beforehand and not just reinstall the OS. Also, when you go to restore your data be sure to scan it first before restoring it to your system. This is because it could also contain viruses, spybots, malware, etc. Finally, reinitialize your router because it could have unwanted ports open because of what happened to you. It is indeed the only way to be sure...
 Quoting: kingbirdfivezero


Reinitializing the router won't get it if it is compromised.
At the very least the router software needs to be removed and reloaded.
Even then sometimes, such as with some Linksys routers, the viral software remains.

 Quoting: Useless Cookie Eater


I can tell you that my computers were receiving a broadcast spike. When I would boot up a computer and clicked on the Task Manager, my Linksys BEFXS41 was sending a "where are you?" broadcast.

I decided to re-install the firmware and the spikes disappeared.

In this latest incidence, I only did a reset to factory defaults. So far, no need to go any further.
Anonymous Coward
User ID: 28870983
United States
01/28/2013 11:18 PM
Re: Computer Question HELP!
This is my reply to the (OP)

1) Go to the Run screen and run regedit

2) Click Edit at the top of the screen

3) Choose Find (or use Control F)

4) Enter the term remoteaccess (with no spaces)

5) When you hit Enter, data will appear on the right hand panel

6) What you will be looking for will not be in the first data display, so you will be using the F3 key to go to the next search. Only type the F3 key once until the search is finished.

7) This is the tough part... You will be looking for a single line entry that begins with a flag that you will see many times. It has the AB written in red in the flag. Next to the AB flag will be the (Default) with a capital D and in parentheses.

8) The entry you are looking for will have REG_SZ under the heading Type

9) The entry that you will be looking for will be a single sentence that ends with _RemoteAccess (no space between the two words). For example:

" INmComputer_RemoteAcess "

There should be an underscore prior to the RemoteAccess (e.g. _RemoteAccess)

If you find anything like this, your computer has been invaded through Microsoft's Remote Assistance.

If this is on your computer, post here on GLP and I will tell you more.

RockHall
 Quoting: RockHall


that may be how they nailed a friend of mine.....

he gets locked out of his pc and the phone rings at the same time. The guy says he's from Microsoft and can unlock the pc for $200. He wanted his credit card number to fix it. Instead he called me and I reloaded the factory image, thus wiping the drive. But yeah he probably used remote access to take control of his pc.
Useless Cookie Eater

User ID: 29696048
United States
01/28/2013 11:20 PM
Re: Computer Question HELP!
...


Suggestion....

Since your PC and another PC at your location were SEVERELY compromised, the smartest thing to do would be to back up your data, format the drive and reinstall the O/S.
You have no idea what could have been installed on your network.
Even your router is now suspect.


Seriously, nuke it from orbit....it's the only way to be sure.





 Quoting: Useless Cookie Eater


If you do go DEFCON 1 and "nuke the site from orbit" make absolutely sure you re-format the hard drive beforehand and not just reinstall the OS. Also, when you go to restore your data be sure to scan it first before restoring it to your system. This is because it could also contain viruses, spybots, malware, etc. Finally, reinitialize your router because it could have unwanted ports open because of what happened to you. It is indeed the only way to be sure...
 Quoting: kingbirdfivezero


Reinitializing the router won't get it if it is compromised.
At the very least the router software needs to be removed and reloaded.
Even then sometimes, such as with some Linksys routers, the viral software remains.

 Quoting: Useless Cookie Eater


I can tell you that my computers were receiving a broadcast spike. When I would boot up a computer and clicked on the Task Manager, my Linksys BEFXS41 was sending a "where are you?" broadcast.

I decided to re-install the firmware and the spikes disappeared.

In this latest incidence, I only did a reset to factory defaults. So far, no need to go any further.
 Quoting: RockHall nli 33005678


I have 2 of those 41 series routers saved from client sites with hijacked DNS info.
Even wiped....they still come back with the hijacked DNS.

Obviously they have figured out how to save the config in the NVRAM portion of the router.
RockHall

User ID: 33005678
United States
01/28/2013 11:24 PM
Re: Computer Question HELP!
I didn't mean to imply that I got a virus on GLP. I was joking about someone nosing around on my computer now that I post on GLP and read the threads.

I really appreciate all of your help! Thank you! Thank you!
 Quoting: Skepticnumberone


Suggestion....

Since your PC and another PC at your location were SEVERELY compromised, the smartest thing to do would be to back up your data, format the drive and reinstall the O/S.
You have no idea what could have been installed on your network.
Even your router is now suspect.



Seriously, nuke it from orbit....it's the only way to be sure.



 Quoting: Useless Cookie Eater


I went one better than that. My Dell Inspiron M537 came with a 500 GB HD. I went out and bought a 1 TB HD. (I kept my original HD for future study and will eventually put it in a HD casing for backups.)

I then downloaded the free version of Active@ and NTFS software. With that loaded up, I created five partitions with two main partitions for operating software and three utility. This also helps because the entire disk is partitioned and RATs can create partitions for themselves (which one did initially).

Active@ and NTFS software allows you to create a "Disk Image" which is a copy of the partition that acts as your main HD. You can create as many disk images as you want to ensure that if the RAT comes back in along the way, you can go back to the last known good copy.

The bottom line here is that you have to be able to tell whether and when the RAT got back in again. And that is what I'm focusing on right now.

Last Edited by The Deplorable RockHall on 01/28/2013 11:25 PM
"I think, therefore I am..."
René Descartes

"I don't think, therefore I am not..."
RockHall

"The ONLY hope we have is Donald Trump"
...

Should Trump file for a recount in all the states he lost?
Absolutely.
Fair is fair.

Thread: Should Trump file for a recount in all the states he lost?
RockHall

User ID: 33005678
United States
01/28/2013 11:27 PM
Re: Computer Question HELP!
...


If you do go DEFCON 1 and "nuke the site from orbit" make absolutely sure you re-format the hard drive beforehand and not just reinstall the OS. Also, when you go to restore your data be sure to scan it first before restoring it to your system. This is because it could also contain viruses, spybots, malware, etc. Finally, reinitialize your router because it could have unwanted ports open because of what happened to you. It is indeed the only way to be sure...
 Quoting: kingbirdfivezero


Reinitializing the router won't get it if it is compromised.
At the very least the router software needs to be removed and reloaded.
Even then sometimes, such as with some Linksys routers, the viral software remains.

 Quoting: Useless Cookie Eater


I can tell you that my computers were receiving a broadcast spike. When I would boot up a computer and clicked on the Task Manager, my Linksys BEFXS41 was sending a "where are you?" broadcast.

I decided to re-install the firmware and the spikes disappeared.

In this latest incidence, I only did a reset to factory defaults. So far, no need to go any further.
 Quoting: RockHall nli 33005678


I have 2 of those 41 series routers saved from client sites with hijacked DNS info.
Even wiped....they still come back with the hijacked DNS.

Obviously they have figured out how to save the config in the NVRAM portion of the router.
 Quoting: Useless Cookie Eater


Useless Cookie Eater, I'm ALL yours!

What router do you recommend?

RockHall

User ID: 33005678
United States
01/28/2013 11:37 PM
Re: Computer Question HELP!
This is my reply to the (OP)

1) Go to the Run screen and run regedit

2) Click Edit at the top of the screen

3) Choose Find (or use Control F)

4) Enter the term remoteaccess (with no spaces)

5) When you hit Enter, data will appear on the right hand panel

6) What you will be looking for will not be in the first data display, so you will be using the F3 key to go to the next search. Only type the F3 key once until the search is finished.

7) This is the tough part... You will be looking for a single line entry that begins with a flag that you will see many times. It has the AB written in red in the flag. Next to the AB flag will be the (Default) with a capital D and in parentheses.

8) The entry you are looking for will have REG_SZ under the heading Type

9) The entry that you will be looking for will be a single sentence that ends with _RemoteAccess (no space between the two words). For example:

" INmComputer_RemoteAcess "

There should be an underscore prior to the RemoteAccess (e.g. _RemoteAccess)

If you find anything like this, your computer has been invaded through Microsoft's Remote Assistance.

If this is on your computer, post here on GLP and I will tell you more.

RockHall
 Quoting: RockHall


that may be how they nailed a friend of mine.....

he gets locked out of his pc and the phone rings at the same time. The guy says he's from Microsoft and can unlock the pc for $200. He wanted his credit card number to fix it. Instead he called me and I reloaded the factory image, thus wiping the drive. But yeah he probably used remote access to take control of his pc.
 Quoting: Anonymous Coward 28870983


In my research, I have found that there is even a name for this scam (can't think of it now).

But in my case, I DID get a call from one of these hackers, but I feel ABSOLUTELY CERTAIN he was NOT the intruder!

I believe that he was in another business altogether. A former hacker he might have been, but after speaking with me he realized I wasn't a novice and he spoke in a very congenial voice. He told me that he was picking up messages that were emanating from my computer, to which I responded that I didn't think that this was impossible and I wanted to hear what he had to say.

He told me that he could fix my computer, but "that it would cost me!"

I told him that I was sure I could fix my own computer so I didn't have to pay anyone.

In reply, he said in a commanding but caring tone... "Well, you better not use the Internet until you fix it!"

I didn't believe him, but within a few days, I went into one of my bank accounts, and at the very moment I got logged in, my computer was hijacked.

It's a long story that will be in my E-book, but the bottom line is that there wasn't any money in the account at the time.

Basically speaking, I believe him now.
Useless Cookie Eater

User ID: 29696048
United States
01/28/2013 11:38 PM
Re: Computer Question HELP!
...


Reinitializing the router won't get it if it is compromised.
At the very least the router software needs to be removed and reloaded.
Even then sometimes, such as with some Linksys routers, the viral software remains.

 Quoting: Useless Cookie Eater


I can tell you that my computers were receiving a broadcast spike. When I would boot up a computer and clicked on the Task Manager, my Linksys BEFXS41 was sending a "where are you?" broadcast.

I decided to re-install the firmware and the spikes disappeared.

In this latest incidence, I only did a reset to factory defaults. So far, no need to go any further.
 Quoting: RockHall nli 33005678


I have 2 of those 41 series routers saved from client sites with hijacked DNS info.
Even wiped....they still come back with the hijacked DNS.

Obviously they have figured out how to save the config in the NVRAM portion of the router.
 Quoting: Useless Cookie Eater


Useless Cookie Eater, I'm ALL yours!

What router do you recommend?

 Quoting: RockHall


Personally, I went FULL RETARD and bought a Cisco PIX.
I know their stuff well, have lots of software and it made sense for me. I have tweaked the hell out of it as well.

For basic consumer level stuff, I have had good luck with D-LINK routers. I have yet to see one compromised.
There are some others too...but that is the best bang for the buck IMO.


For SMB environments ....
[link to www.newegg.com]

Just stay away from the under $200 units....they are rebranded Linksys units and not true Cisco products.
Useless Cookie Eater

User ID: 29696048
United States
01/28/2013 11:42 PM
Re: Computer Question HELP!
I didn't mean to imply that I got a virus on GLP. I was joking about someone nosing around on my computer now that I post on GLP and read the threads.

I really appreciate all of your help! Thank you! Thank you!
 Quoting: Skepticnumberone


Suggestion....

Since your PC and another PC at your location were SEVERELY compromised, the smartest thing to do would be to back up your data, format the drive and reinstall the O/S.
You have no idea what could have been installed on your network.
Even your router is now suspect.



Seriously, nuke it from orbit....it's the only way to be sure.



 Quoting: Useless Cookie Eater


I went one better than that. My Dell Inspiron M537 came with a 500 GB HD. I went out and bought a 1 TB HD. (I kept my original HD for future study and will eventually put it in a HD casing for backups.)

I then downloaded the free version of Active@ and NTFS software. With that loaded up, I created five partitions with two main partitions for operating software and three utility. This also helps because the entire disk is partitioned and RATs can create partitions for themselves (which one did initially).

Active@ and NTFS software allows you to create a "Disk Image" which is a copy of the partition that acts as your main HD. You can create as many disk images as you want to ensure that if the RAT comes back in along the way, you can go back to the last known good copy.

The bottom line here is that you have to be able to tell whether and when the RAT got back in again. And that is what I'm focusing on right now.
 Quoting: RockHall


Actually what really matters is getting the business or customer up and running again clean.
Forensics can be done at a later time.
RockHall

User ID: 33005678
United States
01/28/2013 11:46 PM
Re: Computer Question HELP!
...


I can tell you that my computers were receiving a broadcast spike. When I would boot up a computer and clicked on the Task Manager, my Linksys BEFXS41 was sending a "where are you?" broadcast.

I decided to re-install the firmware and the spikes disappeared.

In this latest incidence, I only did a reset to factory defaults. So far, no need to go any further.
 Quoting: RockHall nli 33005678


I have 2 of those 41 series routers saved from client sites with hijacked DNS info.
Even wiped....they still come back with the hijacked DNS.

Obviously they have figured out how to save the config in the NVRAM portion of the router.
 Quoting: Useless Cookie Eater


Useless Cookie Eater, I'm ALL yours!

What router do you recommend?

 Quoting: RockHall


Personally, I went FULL RETARD and bought a Cisco PIX.
I know their stuff well, have lots of software and it made sense for me. I have tweaked the hell out of it as well.

For basic consumer level stuff, I have had good luck with D-LINK routers. I have yet to see one compromised.
There are some others too...but that is the best bang for the buck IMO.


For SMB environments ....
[link to www.newegg.com]

Just stay away from the under $200 units....they are rebranded Linksys units and not true Cisco products.
 Quoting: Useless Cookie Eater


Thanks a lot! And I will take your suggestion.

There is a war going on out there AND IT'S AGAINST US!
Useless Cookie Eater

User ID: 29696048
United States
01/28/2013 11:54 PM
Re: Computer Question HELP!
...


I have 2 of those 41 series routers saved from client sites with hijacked DNS info.
Even wiped....they still come back with the hijacked DNS.

Obviously they have figured out how to save the config in the NVRAM portion of the router.
 Quoting: Useless Cookie Eater


Useless Cookie Eater, I'm ALL yours!

What router do you recommend?

 Quoting: RockHall


Personally, I went FULL RETARD and bought a Cisco PIX.
I know their stuff well, have lots of software and it made sense for me. I have tweaked the hell out of it as well.

For basic consumer level stuff, I have had good luck with D-LINK routers. I have yet to see one compromised.
There are some others too...but that is the best bang for the buck IMO.


For SMB environments ....
[link to www.newegg.com]

Just stay away from the under $200 units....they are rebranded Linksys units and not true Cisco products.
 Quoting: Useless Cookie Eater


Thanks a lot! And I will take your suggestion.

There is a war going on out there AND IT'S AGAINST US!
 Quoting: RockHall


OH YEAH....war going on for sure out there.
There are SOOOOOOO many things that are in the wild that people have no clue about.
The best approach is to regulate every bit of traffic going to and from your PC. Allow NOTHING that you don't know what it is and what it is doing.

(Which is another reason to hate Windows 8 ...but that's another bitch session for another time)

Last Edited by Useless Cookie Eater on 01/29/2013 12:00 AM
RockHall

User ID: 33005678
United States
01/28/2013 11:58 PM
Re: Computer Question HELP!
One thing about this that is really getting to me is that Microsoft addressed this issue on its own website DATING BACK TO 2002 (Like... that's eleven years ago????)

According to Microsoft it states that... "This article is from the September 2002 issue of Security Administrator."

(You have to scroll up a bit on this link for the 2002 date. I got it to pop up on the Remote Access issue... But this historical record says that this thing isn't new.)

One other thing I would like to point out on the 2002 date is that, according to Wikipedia, XP came out in April of 2001. The article is dated five months later.

XP was the first MS operating system that had Remote Access.

How come this is all news today?

Here's the link...


[link to technet.microsoft.com]
Useless Cookie Eater

User ID: 29696048
United States
01/29/2013 12:05 AM
Re: Computer Question HELP!
One thing about this that is really getting to me is that Microsoft addressed this issue on its own website DATING BACK TO 2002 (Like... that's eleven years ago????)

According to Microsoft it states that... "This article is from the September 2002 issue of Security Administrator."

(You have to scroll up a bit on this link for the 2002 date. I got it to pop up on the Remote Access issue... But this historical record says that this thing isn't new.)

One other thing I would like to point out on the 2002 date is that, according to Wikipedia, XP came out in April of 2001. The article is dated five months later.

XP was the first MS operating system that had Remote Access.

How come this is all news today?


Here's the link...


[link to technet.microsoft.com]
 Quoting: RockHall


1) Because people are trying to run businesses or use their PC's and are not technical network specialists.

2) If something ain't broke....don't fix it.
The remote access takeover works well for them.
They can take ownership of entire networks with it.
Why would they stop doing it?
RockHall

User ID: 33005678
United States
01/29/2013 12:16 AM
Re: Computer Question HELP!
One thing about this that is really getting to me is that Microsoft addressed this issue on its own website DATING BACK TO 2002 (Like... that's eleven years ago????)

According to Microsoft it states that... "This article is from the September 2002 issue of Security Administrator."

(You have to scroll up a bit on this link for the 2002 date. I got it to pop up on the Remote Access issue... But this historical record says that this thing isn't new.)

One other thing I would like to point out on the 2002 date is that, according to Wikipedia, XP came out in April of 2001. The article is dated five months later.

XP was the first MS operating system that had Remote Access.

How come this is all news today?


Here's the link...


[link to technet.microsoft.com]
 Quoting: RockHall


1) Because people are trying to run businesses or use their PC's and are not technical network specialists.

2) If something ain't broke....don't fix it.
The remote access takeover works well for them.
They can take ownership of entire networks with it.
Why would they stop doing it?
 Quoting: Useless Cookie Eater


Basically, that was my point...

One of the articles that I've put in my notes is a fix that Microsoft put in its arsenal and the explanation goes like this...

If you would like to help fix a friend's computer and that friend ACCIDENTALLY un-checked the checkbox in the remote section of system properties to allow remote access, you can download this fix which will automatically re-check that entry so you will be able to provide remote assistance to your friend.

Well...

I was in the process of kicking out my intruder and there is one thing that I had forgotten about, but did remember a little later on...

So I clicked the Win and Break keys, got to system properties, clicked on remote... And guess what got magically checked????

Nothing else but "Allow other users to connect to this computer!!!"

Now how the hell did that thing get checked????

Did I do that in my sleep somehow?


(Yeah right!)

Last Edited by The Deplorable RockHall on 01/29/2013 12:22 AM
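
The switches behind the "Remote" tab of System Properties, which the post above describes finding turned back on, can be read from the registry and compared against a saved baseline so that a later change is noticed. This is an added example, not part of the original thread; it assumes Windows PowerShell 3.0 or later, and the baseline file name is a hypothetical choice.

```powershell
# Added example (not from the thread): read-only audit of the remote-access
# settings, with a baseline comparison to spot a setting that has been flipped.
# Assumes Windows PowerShell 3.0+; $BaselinePath is a hypothetical location.

$BaselinePath = Join-Path $env:ProgramData 'remote-settings-baseline.json'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-RemoteSettings {
    $ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    $settings = [ordered]@{
        # 1 = Remote Assistance is enabled on this PC
        'fAllowToGetHelp'    = Get-RegValue $ra 'fAllowToGetHelp'
        # 1 = an invited helper may take control, 0 = view only
        'fAllowFullControl'  = Get-RegValue $ra 'fAllowFullControl'
        # 0 = Remote Desktop connections are accepted, 1 = refused
        'fDenyTSConnections' = Get-RegValue $ts 'fDenyTSConnections'
    }

    # Services that expose the machine to remote control or remote configuration:
    # TermService    = Remote Desktop Services
    # RemoteRegistry = Remote Registry
    # RemoteAccess   = Routing and Remote Access
    foreach ($name in 'TermService', 'RemoteRegistry', 'RemoteAccess') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" `
                               -ErrorAction SilentlyContinue
        if ($svc) {
            $settings["Service_$name"] = "$($svc.StartMode)/$($svc.State)"
        } else {
            $settings["Service_$name"] = 'not installed'
        }
    }
    return $settings
}

$current = Get-RemoteSettings
$current.GetEnumerator() | Format-Table Name, Value -AutoSize

if (Test-Path $BaselinePath) {
    # Compare every setting with the value recorded when the machine was known clean.
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $changed  = $false
    foreach ($key in $current.Keys) {
        $old = "$($baseline.$key)"
        $new = "$($current[$key])"
        if ($old -ne $new) {
            Write-Warning "$key changed since baseline: '$old' -> '$new'"
            $changed = $true
        }
    }
    if (-not $changed) { Write-Output 'No change since baseline.' }
} else {
    # First run: record the current state as the baseline.
    $current | ConvertTo-Json | Set-Content $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
}
```

Take the baseline right after a clean reinstall, with the Remote tab set the way you want it, and re-run the script on a schedule or at logon.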
Useless Cookie Eater

User ID: 29696048
United States
01/29/2013 12:23 AM
Re: Computer Question HELP!
One thing about this that is really getting to me is that Microsoft addressed this issue on its own website DATING BACK TO 2002 (Like... that's eleven years ago????)

According to Microsoft it states that... "This article is from the September 2002 issue of Security Administrator."

(You have to scroll up a bit on this link for the 2002 date. I got it to pop up on the Remote Access issue... But this historical record says that this thing isn't new.)

One other thing I would like to point out on the 2002 date is that, according to Wikipedia, XP came out in April of 2001. The article is dated five months later.

XP was the first MS operating system that had Remote Access.

How come this is all news today?


Here's the link...


[link to technet.microsoft.com]
 Quoting: RockHall


1) Because people are trying to run businesses or use their PC's and are not technical network specialists.

2) If something ain't broke....don't fix it.
The remote access takeover works well for them.
They can take ownership of entire networks with it.
Why would they stop doing it?
 Quoting: Useless Cookie Eater


Basically, that was my point...

One of the articles that I've put in my notes is a fix that Microsoft put in its arsenal and the explanation goes like this...

If you would like to help fix a friend's computer and that friend ACCIDENTALLY clicked the checkbox in the remote section of system properties, you can download this fix which will automatically re-check that entry so you will be able to provide remote assistance to your friend.

Well...

I was in the process of kicking out my intruder and there is one thing that I had forgotten about, but did remember a little later on...

So I clicked the Win and Break keys, got to system properties, clicked on remote... And guess what got magically checked????

Nothing else but "Allow other users to connect to this computer!!!"

Now how the hell did that thing get checked????

Did I do that in my sleep somehow?


(Yeah right!)
 Quoting: RockHall


Yeah.
That's one of the first things to check.
They have some script kiddie garbage that they insert on the PC's and it modifies the registry to set that to ON....among many other things.
Telephony, RPC and Terminal services get modified as well.

This is why it's just much easier to limit what traffic is allowed to talk on your PC.
That way, even compromised, they can't actually use their exploits. Stops 'em dead.


Last Edited by Useless Cookie Eater on 01/29/2013 12:30 AM
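Added example (not part of the thread and not any poster's code): the post above says the intruder's script flips the remote-access settings in the registry, so this sketch compares a pre-incident registry export against a later one for the Remote Desktop and Remote Assistance values and the Terminal Services start type. The sample exports are constructed, and it assumes both were made with regedit on the live system.

```python
import re

# Constructed sample exports in regedit ".reg" text format (not from the thread).
# BASELINE stands for a backup taken before the intrusion, SUSPECT for a later one.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001
"fAllowToGetHelp"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000003
'''
SUSPECT = (BASELINE.replace('Connections"=dword:00000001', 'Connections"=dword:00000000')
           .replace('GetHelp"=dword:00000000', 'GetHelp"=dword:00000001')
           .replace('"Start"=dword:00000003', '"Start"=dword:00000002'))

SECTION = re.compile(r'^\[(.+)\]$')
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
TS = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server'.upper()
SVC = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'.upper()
WATCH = {  # values behind the "Remote" tab of System Properties, plus the service
    (TS, 'fdenytsconnections'): 'Remote Desktop (0 = connections allowed)',
    (TS, 'fallowtogethelp'): 'Remote Assistance (1 = invitations allowed)',
    (SVC, 'start'): 'Terminal Services start type (2 auto, 3 manual, 4 disabled)',
}

def parse_reg(text):
    """Return {(KEY, value_name): int} for every dword value in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            # "[-KEY]" is a deletion directive in .reg files, not data
            key = None if m.group(1).startswith('-') else m.group(1).upper()
            continue
        m = DWORD.match(line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def drift(baseline_text, current_text):
    """List (value_name, baseline, current, meaning) for watched values that differ."""
    base, cur = parse_reg(baseline_text), parse_reg(current_text)
    return [(ident[1], base.get(ident), cur.get(ident), label)
            for ident, label in WATCH.items()
            if base.get(ident) != cur.get(ident)]
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read real files with `open(path, encoding='utf-16')` before passing the text to `drift`.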
RockHall

User ID: 33005678
United States
01/29/2013 12:58 PM
Re: Computer Question HELP!
Yeah.
That's one of the first things to check.
They have some script kiddie garbage that they insert on the PC's and it modifies the registry to set that to ON....among many other things.
Telephony, RPC and Terminal services get modified as well.

This is why it's just much easier to limit what traffic is allowed to talk on your PC.
That way, even compromised, they can't actually use their exploits. Stops 'em dead.

 Quoting: Useless Cookie


Thank you!

I'm going to have to look into that. (Any tips on how to do that would be much appreciated!)

Basically, my E-Book can't focus on the negative aspect such as 'you're doomed... you can't fix this!'

But the problem appears daunting.

For instance, during the second bout with this guy, I decided to replace his artwork with a registry backup from a time before he moved in (this was Nov 11, 2012 & he got there on Dec 5th - he left a .bat file that deleted all his work files on that date).

So anyway, just replacing the registry stopped him cold, but these miscreants never seem to give up. I used PC-Tuneup to back up and restore my registry without a problem. Then one day, guess what, PC-Tuneup would show pop-ups that say I had to be logged in as Administrator in order to replace certain keys! Hmmm...

Well, doing a little testing, I came to the conclusion that this RAT's keys were laced with a user-level higher than my Administrator level! (I could replace anything else, except his delusional behavior.)

So I woke up this morning convinced that I have to load up a Linux operating system on my spare 400 GB partition so that I will be able to replace the RAT's handiwork without having to find a Linux boot CD.

This was my plan all along because XP will be shelved in 2014, and if anything, I don't want to pay for antivirus software for three machines anymore.

BTW, thanks for all your help and info. I really do appreciate it!
Anonymous Coward
User ID: 32826766
United States
01/29/2013 01:05 PM
Re: Computer Question HELP!
If all else fails use AVAST ANTI-VIRUS and then do a BOOT TIME scan.
This will get anything your PC has before it has a chance to activate in memory/HDD.

[link to www.avast.com]

get the "Free home" edition
Skepticnumberone  (OP)

User ID: 33150365
United States
01/29/2013 03:01 PM
Re: Computer Question HELP!
Now, I am thoroughly confused! I am laughing because I said I am not a computer wiz. I did go to Microsoft and disable gadgets which stopped some of the oddness. I still have a box popping up occasionally on the bottom right of my screen but it's so damn fast I can't tell you what it is.
Skepticnumberone
ROCKHall nli
User ID: 1181009
United States
01/29/2013 04:45 PM
Re: Computer Question HELP!
Now, I am thoroughly confused! I am laughing because I said I am not a computer wiz. I did go to Microsoft and disable gadgets which stopped some of the oddness. I still have a box popping up occasionally on the bottom right of my screen but it's so damn fast I can't tell you what it is.
 Quoting: Skepticnumberone


No problem there...

If you're having trouble understanding some of this jargon, you have to get someone you know to help you. Or you're stuck with bringing the machine to a pro to fix it.

The bottom line in my opinion is that you should find out about getting a 'copy' of your newly cleaned machine. That copy is called a "Disk Image." You will also need a "boot disk" to reboot your machine.

This operation will help you in the future so your fixit costs will be less.

What I'm doing with my computer is establishing two different operating systems on it. The main one will be my Windows XP and the secondary one will be a Linux system.

Most of my software is windows based so I need a windows system to run my software. But for personal use, I can boot up in Linux. If my windows becomes contaminated, I can immediately boot up in Linux and replace the system with my clean disk image (takes a few hours to do that).
Skepticnumberone  (OP)

User ID: 33150365
United States
01/29/2013 04:52 PM
Re: Computer Question HELP!
Thanks again.
Skepticnumberone
stinkbug

User ID: 1375508
United States
01/29/2013 05:23 PM

Re: Computer Question HELP!
Now, I am thoroughly confused! I am laughing because I said I am not a computer wiz. I did go to Microsoft and disable gadgets which stopped some of the oddness. I still have a box popping up occasionally on the bottom right of my screen but it's so damn fast I can't tell you what it is.
 Quoting: Skepticnumberone


This is a REMOTE ACCESS TROJAN (RAT). Your computer is still compromised! Somebody is accessing your computer & has the same FULL ACCESS that you do when you sit down at your computer. That little box thing that comes & goes so quickly to the bottom of your screen is the hacker connecting to your computer. Call a computer repair shop, and do it SOON!
Useless Cookie Eater

User ID: 29696048
United States
01/29/2013 06:36 PM
Re: Computer Question HELP!
Thanks again.
 Quoting: Skepticnumberone


OP....one last thing.

Stop wasting time toying with this guy while he gets into everything on your PC's and network.

1) Backup your data
2) Format the C: drive including the boot record (FORMAT C: /mbr)
3) Re-install Win XP

4) Add a hardware based firewall....or at the VERY least a software based one on your PC that monitors packet traffic and you can allow or disallow ANYTHING you don't want talking on your PC or network.


Again....stop toying with the trojan, bot or whatever it is.


FORMAT FORMAT FORMAT!


You dig??? cheers
RockHall

User ID: 33005678
United States
01/29/2013 10:50 PM
Re: Computer Question HELP!
Thanks again.
 Quoting: Skepticnumberone


OP....one last thing.

Stop wasting time toying with this guy while he gets into everything on your PC's and network.

1) Backup your data
2) Format the C: drive including the boot record (FORMAT C: /mbr)
3) Re-install Win XP

4) Add a hardware based firewall....or at the VERY least a software based one on your PC that monitors packet traffic and you can allow or disallow ANYTHING you don't want talking on your PC or network.


Again....stop toying with the trojan, bot or whatever it is.


FORMAT FORMAT FORMAT!


You dig??? cheers
 Quoting: Useless Cookie Eater


Yes, Useless Cookie Eater, I dig, TOO!... And thank you for all of your advice. But it may be a short time before I make any big changes, let alone format the drive.

For one, I am a forcibly retired system analyst on a Tandem Network System that was originally designed in 1976. So I have at least some idea as to what I'm doing.

Being in my mid-60's in this wonderful economy of ours here in the U.S., I found there were simply no worthwhile jobs I can get even though I live near a big city. Anyhow,

I am a registered affiliate to over 30 companies and I've come to the conclusion that throwing advertising money away isn't going to get me any richer (but possibly poorer). So the experts I've been talking to have all said that I need to have a personal blog that people can connect to. My biggest problem is that I couldn't find something that I felt people would bother looking at.

When this RAT reared his ugly head last July and after going through a multitude of methodologies to find out what was going on with my machine, I realized that I had to buy a brand new hard drive, double my existing 500 GB size and start with my XP disk.

Well, since I'm one of those guys who are always looking for a deal, I went to my local Microcenter and found myself a handsome Dell Inspiron MT537. Initially, it was advertised that it was a Vista machine with an XP disk. Well, it wasn't that exactly...

It's a machine with a Vista tag that was loaded up with XP, and there was an XP disk in the box. But the license number wasn't on the license tag (though I somehow managed to format my HD without a correct license key).

Anyway, the big news was I felt that I finally found a good subject to base my blog on, and I'll tell you what it is. I call it ENTERPRISE LEVEL ORGANIZED CRIMEWARE

Anyway, I found a subject to write about, but I wasn't quite an expert on it (but I'm becoming one minute by minute).

So, I have about 3 TB's of data backed up on about 7 hard drives of everything I've ever done since 1992. So that's not a problem.

Also, I have a very clean Disk Image of this operating system which I created right after the first incident with Roxio Creator Pro 2010. So I'm doing ok in that department. As far as the XP disk is concerned, the one I have was issued by Dell, so if I need it, I'll probably be able to get it working.

But what I really want to do is to be able to tell others what the best way is to prevent these hijackings, and also, to be able to recover in the least amount of time (and hawk some of the best software they can buy for the money).

But right now, I have to find out more about what you have been so kind enough to tell me (for which I am thankful for).

Please pay attention to this section... You can go to a url by typing gliq.info (I'm being a bit cautious about this). You will note a link in the upper right hand corner of the page, and when you click it you will see who is doing all this typing! If you want, you can tell me that you got the message. This way I can edit out the link.

Again, my thanks...

RockHall

Last Edited by The Deplorable RockHall on 01/29/2013 10:51 PM
RockHall

User ID: 33005678
United States
01/29/2013 10:55 PM
Re: Computer Question HELP!
Useless Cookie Eater...

Lucky for me that I misread your last message, and for some reason thought you were addressing me. But that's good!

This is all part of a rough draft for the things that I want to write about. BTW, I took the CCENT course and passed the written part, but never took the practical exam (I felt I didn't have enough time on the simulator and really didn't want to be an NT Admin, anyhow).