Computer Forums > General Computing > Cyber Safety and Computer Security
Old 01-23-2014, 12:24 PM   #11
emperor76 (In Runtime)
Join Date: Mar 2012
Location: United Kingdom
Posts: 346
Re: Scam

Quote:
Originally Posted by iPwn
I wrote an entire guide on how to get rid of these:

How To: Clean an infected PC
Brilliant, I've just bookmarked that, so hopefully it should come in handy. I'm going to make sure it's gone; Avast did pick up a couple of infections, but I don't trust buying anything online until I'm sure. I don't know whether or not keyloggers and things can be installed like this, but I'm currently not accessing my bank or doing anything involving money until I'm sure it's gone. Not had a chance to do it yet though.
__________________
Corsair Carbide spec 3 * Gigabyte Socket 1151 * Intel I5 7600k 3.8ghz * 16gb Corsair Vengeance DDR4 2133mhz * Corsair CX750 * 2gb Asus Nvidia GeForce GTX 960 Strix * 1TB internal Samsung spinpoint * Windows 10 home
Old 01-23-2014, 12:31 PM   #12
jmacavali (Fully Optimized)
Join Date: Jun 2009
Posts: 4,867
Re: Scam

Quote:
Originally Posted by emperor76 (post #11, quoted in full above)
Great ideas. Yes, they can be installed. I only ever feel completely safe on my relatives' computers if I reload them after that kind of virus (or any kind really). You just never know what might have been installed.
__________________
****************************************
Don't take life too seriously -- no one gets out alive. Plus, who wants to arrive to the hereafter in pristine condition wearing a suit and tie?
I want to slide in sideways, worn out, used up, hair a mess, clothes tattered, & screaming, "Whooo! What a ride!"
****************************************
Old 01-24-2014, 06:54 AM   #13
emperor76 (In Runtime)
Re: Scam

Quote:
Originally Posted by iPwn
I wrote an entire guide on how to get rid of these:

How To: Clean an infected PC
Just part of the way through the process; there are a couple of steps I didn't need to follow, as the computer wasn't locked (although I did follow the advice for safe mode with networking, which it was letting me do). I am astonished at how many infections Malwarebytes found when Avast only found 2: this found 50. There were a small portion I ignored as they were programs and games I have installed, but most I have removed. Thanks again for your help, very good guide!
Old 01-24-2014, 07:08 AM   #14
emperor76 (In Runtime)
Re: Scam

Just found this, I don't like the look of it; would you be suspicious? I did remove one file called 'end' with no file type!
Attached image: virus.png (81.1 KB)
Old 01-24-2014, 08:55 AM   #15
iPwn (Site Team)
Join Date: May 2010
Location: USA
Posts: 3,870
Re: Scam

Quote:
Originally Posted by emperor76
I did remove one file called end with no file type!
Dead giveaway.

The "END" file triggers the end of a scan process. Something scanned your drive, and stopped when it hit the END file.

EDIT:
Quote:
Originally Posted by emperor76
Just found this, I don't like the look of it, would you be suspicious?
Nothing is needed (that is visible) on root C:
Many times, programs will put logs or related files there that are used during install, but they should have cleaned them up. Anything on root C (outside of a folder) should trigger some alarms in your head to start at least looking and spot checking.

That BiosAddr=cfdf98d2... that's an IP address. Translating to 207.223.152.210 (IP in Kansas, US)
What you've found is probably the config for a trojan.
__________________
Me: You'd think as the dominant species we wouldn't be so effing stupid.
J: We're just intelligent enough to be completely effing stupid.
Old 01-24-2014, 11:25 AM   #16
emperor76 (In Runtime)
Re: Scam

Quote:
Originally Posted by iPwn (post #15, quoted in full above)
I thought it looked bad; when I saw BIOS I automatically thought there could be a boot sector virus somewhere along the line, but that probably just shows my lack of knowledge. I wasn't sure, probably just letting my fear get the better of me. Is deleting that good enough? Although to be fair, I've not reached the end of your guide yet, so I don't know if you get to that in due course. I thought my computer had been running a little slow though.
Old 01-24-2014, 11:42 AM   #17
iPwn (Site Team)
Re: Scam

The 'BiosAddr' is a variable in their program, named such to look like something else... however, the 'cfdf98d2' is certainly hex, and it translates to a valid IP, given the variable 'Port' right next to it... I'm assuming that's nothing good.

re: Just deleting
No.
The guide does get into that a little... you basically delete anything not related to the Windows system, or a known program, then perform some other functions that help prevent the resurgence of anything removed. Then again with a malware scan.
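The two posts above (#15 and #17) decode the `BiosAddr=cfdf98d2` value by reading the eight hex digits as four IPv4 octets and treating the neighbouring `Port` key as the tell-tale that this is a connection setting rather than anything BIOS-related. The script below is an added example written for this thread, not code from the forum or from any tool mentioned in it: it parses a small key=value config, flags every 8-hex-digit value that decodes as an IPv4 address, shows both byte orders (the file alone does not tell you which one the program used), checks whether the address is globally routable, and reports any port-like key found alongside it. The sample config is constructed for the example; only the `cfdf98d2` value comes from the thread, and the `Port`, `Interval` and `Name` entries are invented placeholders.

```python
import ipaddress
import re

# Constructed sample config, not the file from the thread. The BiosAddr
# value is the one quoted in the thread; Port, Interval and Name are
# placeholders invented for this example.
SAMPLE_CONFIG = """\
[settings]
Name=updater
BiosAddr=cfdf98d2
Port=1f90
Interval=3c
"""

HEX8 = re.compile(r"^[0-9a-fA-F]{8}$")
HEX1_4 = re.compile(r"^[0-9a-fA-F]{1,4}$")


def parse_kv(text):
    """Split a simple key=value config into (key, value) pairs,
    skipping blank lines, comments and [section] headers."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def hex_to_ipv4(token, little_endian=False):
    """Decode an 8-hex-digit token as a dotted-quad IPv4 address.
    Returns None if the token is not exactly 8 hex digits."""
    if not HEX8.match(token):
        return None
    raw = bytes.fromhex(token)
    if little_endian:
        raw = raw[::-1]
    return str(ipaddress.IPv4Address(raw))


def decode_hex_port(token):
    """Decode a 1-4 hex-digit token as a TCP/UDP port number, or None."""
    if not HEX1_4.match(token):
        return None
    return int(token, 16)


def find_hex_ips(text):
    """Return one finding per value that decodes as an IPv4 address.
    Each finding records both byte orders, whether the big-endian
    reading is a globally routable address, and every port-like key
    in the same config (the co-occurrence the thread relied on)."""
    pairs = parse_kv(text)
    ports = {k: decode_hex_port(v) for k, v in pairs if "port" in k.lower()}
    findings = []
    for key, value in pairs:
        big = hex_to_ipv4(value)
        if big is None:
            continue
        findings.append({
            "key": key,
            "big_endian": big,
            "little_endian": hex_to_ipv4(value, little_endian=True),
            "is_global": ipaddress.IPv4Address(big).is_global,
            "ports": ports,
        })
    return findings


if __name__ == "__main__":
    for f in find_hex_ips(SAMPLE_CONFIG):
        print(f"{f['key']}: {f['big_endian']} (byte-swapped: {f['little_endian']}), "
              f"global={f['is_global']}, ports={f['ports']}")
```

Any eight hex digits decode to a syntactically valid IPv4 address, so the decoding by itself is weak evidence; what makes the finding worth acting on is the combination the thread describes: a port next to it, a routable address, and a loose file in the root of C: that no installed program accounts for. For that reason the script only reports and never deletes, so the file can be kept for scanning or later analysis instead of being lost.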
Old 01-24-2014, 07:13 PM   #18
emperor76 (In Runtime)
Re: Scam

Quote:
Originally Posted by iPwn (post #17, quoted in full above)
Okay, I was short on time so I decided I would just reformat my computer. Since I only have one hard drive and about 200GB of backup data, I was unable to reformat the whole drive as the backup partition has all my data on, so I only reformatted the main one. I've never had this before; every time in the past, a reformat solved everything, but it's back! My girlfriend is on nights soon, so I'll have to sit up all night and follow your guide step by step. Excuse me while I eat my computer, Aaaaargh!
Attached image: virus.jpg (98.3 KB)
Old 01-24-2014, 09:10 PM   #19
iPwn (Site Team)
Re: Scam

There are two possibilities here:
  1. You didn't do a true format
  2. The virus found its way into the kernel files

Either way, the only way to truly be sure that it won't come back on the next install is to run a program like DBAN and truly format the drive.

Windows' definition of a format is removing the File Allocation Tables... the directory of where the files are. This doesn't actually remove anything, it only 'turns a blind eye' to its existence, allowing it to be written over.

The problem you're going to have is that DBAN will only wipe entire drives. If you have data on different partitions, DBAN only sees the drive and will wipe it all.

Now, the question you need to ask is: how important is it to me that I get this off my PC?

I would get an external drive, or large USB... anything you can store that data on for the time being. Boot up DBAN and wipe that drive clean. Re-install Windows (WITHOUT AN INTERNET CONNECTION!!!) and immediately put some AV software on there. Connect to the internet and immediately update Windows/Drivers/etc. Update your AV software and then connect the USB and scan it.

On my desktop, I just went through this entire process, only to get another, much more vicious virus only a few days after the rebuild... so I know how frustrating this is. Sucks that I now have to go through the entire process again, but I'd much rather the NSA be the only people spying on me, not Joe Schmoe who wrote some code.
Old 01-25-2014, 03:21 AM   #20
emperor76 (In Runtime)
Re: Scam

Quote:
Originally Posted by iPwn (post #19, quoted in full above)
I didn't do a true format, it was only the Windows 7 installation format. Is this the same as the XP format? As I remember that taking a while when I chose a full format, yet this does it in seconds. I did delete the main partition and XP partition, but that's about as far as it went. As I understood it, it writes over the data ready to be used again; probably not as good an explanation as you gave though. Also, on my backup partition, last time I transferred all the files to the main one, reformatted and transferred it all back, yet this came back in the picture. I was highly confused!

When I first got Windows back on, the trojan file on the main partition wasn't there; it appeared at some point after my drivers were installed, I'm guessing the network one, but not sure.

I do have about 25 DVDs and about 40 CDs; I've been considering getting as much as I can on them. I do have a feeling my DVD drive might be on its way out though, but I'm not certain. Could the virus affect the efficiency of this drive?

I was going to get an external drive a couple of months ago, but upgraded to 8GB RAM instead; just my luck this would happen and make me regret my decision. I do have Ultimate Boot CD. Is this program likely to be on there, or is it freeware?

I did try to back up the massive backup folder over the network to my laptop, but I'm sure you can understand how long this would take, so I gave up. I do have a 4GB USB stick which I'm considering using to transfer the data bit by bit to the laptop.

Thanks for all your time on this, it is genuinely appreciated. I can't understand people (I would like to use descriptive words I shall not repeat on here) that have nothing better to do than mess with people's computers!
Attached image: virus backup.jpg (59.9 KB)