
Hacked or Malware, Something destroyed a drive


6 replies to this topic

#1 nothingspecial

nothingspecial

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 20 April 2010 - 04:23 PM

Hi Everyone,
Running Windows 7 (I have done 11 clean "Custom" installs from the upgrade version CD since 1/1/2010), but I was infected or hacked while running Vista Home Premium, 32-bit OEM (SP2 updated). Dell 1525, 32-bit (the local IT retailer(s), Microsoft certified, said I was 64-bit compatible), Core Duo Intel processors. No peripherals except for a wireless mouse.

I believe I have been compromised by my housemate's son's computer. He was visiting about the time the symptoms started. He travels all over the world (has been to China 3 times in the last year) and engages in online gaming and P2P sharing, among other practices. I started receiving security messages from my McAfee security suite (which was up to date) that his computer was making unsolicited attempts to connect to mine. We all share a wireless home network that was WEP protected. Most of the year, it's just myself and my housemate using the home network. We have recently changed ISP to Comcast (I am told I have a dynamic IP address), because I was burning through (4 in 3 months) their combination Westell modem/routers. I switched to WPA2 protection after the 1st modem/router with no success at correcting the issue.

I was using a wireless connection but switched to an ethernet cable since January. This issue has been plaguing me since Christmas, and after working with 4 different IT repair retailers I'm ready to throw out my computer. I've spent (please do laugh) over $950 trying to rectify this problem, not including the charges for the new Windows 7 upgrade software, Kaspersky software, and the new 250 GB, 7200 rpm hard drive.

My concern is, if I do buy a new computer, will the hacking/malware issues persist? Well, that fact was confirmed when I started using a work computer on our home network about 2 weeks after experiencing my 1st hard drive failure. It was full of shadow volume copies and had to be debugged by a Dell tech over the phone.

My computer usage patterns: primarily streaming radio from around the US, streaming video from sites like NBC.com (I like The Office), and then reading news starting with Google News. I do not open email attachments from people I don't know, and delete any that get through my spam filter.

My McAfee Security Center notified me that my identity was being threatened. After having a McAfee tech look at my logs, I now know that what happened next was a ping attack. Since I do no online banking, the local Sheriff's office will not pursue the case.

Symptoms of the Hacking/Malware:
1) After doing a clean install I begin to lose administrative permissions. I have whoami /priv results documented from this last go-round. The only privilege left is "bypass traverse checking".

2) Shadow volume copies will fill my hard drive to the point of rendering it inoperable, meaning I can log on but there is no response from the computer to a mouse click or keystroke command.

3) My computer runs hot.

4) A device by the generic name of "Base System Device" is missing. This is experienced after connecting to the internet the first time after a clean custom install. The Base System Device detail is as follows: PCI\VEN_1180&DEV_0592&SUBSYS_022F1028&REV_12\4&277C618&0&4BF0.

5) The hacker/malware takes control of whatever security software I am using except Kaspersky, and that database was corrupted during my last scan and had to be uninstalled due to "unrepairable items". The only software that has been able to locate anything has been Sophos Anti-Rootkit, and the items it identified were part of legitimate programs like Roxio Webcam. The last Sophos scan had three warnings: "Warning Failed to Query live registry key. |HKEY_LOCAL_MACHINES\SOFTWARE\Windows NT\CurrentVersion\Perflib|009. You may not have access rights to the whole registry. Inncorrect Function." The other 2 warnings were in regard to SID numbers like S-1-5-21-1226875902780823219-3951280227-1001. I was not able to save a log of those 2 warnings.

Avast scans revealed this: *PROCESS\ebc\iexplore.exe\89c0000\400000, "Threat: JS:ScriptIP-inf [Trj]", threat level "High".

It also said D:\ "this device is not ready". There were also scan logs that contained the information "some files could not be scanned".

6) SuperAntiSpyware and Malwarebytes Anti-Malware came up with nothing.

7) I know my computer was compromised because after looking at some strange script in the web developer section under Internet tools, I disabled it. Immediately following was a notice in big black letters on a white background: "That's It You're Done". My hard drive then began to make a high-pitched sound as if it were running at a very high RPM. Task Manager showed CPU usage at 101%. I pulled the internet cable out from the computer but the issue persisted until I shut down the system three more times. Following that was a strange-looking help file; when I went to click on an item to escape I was greeted with the UAC question "do you want to continue with this operation". Upon checking more details, a file by the name of pcdr5cuiw32.exe was evidently to be engaged if I continued. I did not. That occurred about 2 months or 6 reinstalls ago.

Please, any assistance you might offer will be greatly appreciated.

Thanks again
Nothingspecial


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:00 AM

Posted 22 April 2010 - 11:43 PM

Hello,

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 nothingspecial

nothingspecial
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 27 April 2010 - 08:16 PM

Hi Orange Blossom, I am unable to reply with a new topic because I can not run any of the tools: Defogger, DDS, or GMER scans. The reason I can't run the scans is the malware/???? prevents me from downloading anything. I do have an internet connection.

I have since discovered that my CD-ROM drive contains some weird files. This would explain why I can't load Windows 7 without there being some strange-looking registry issues (volatile environment/system) and losing administrative permissions.

How I discovered this was through the use of Kill Disk. I was trying to see if there were other passwords in use on my computer, and the answer to that is yes. It may be a false positive, but I do know that I'm unable to load any operating system without issues.

One of the files listed in Drive "A" by Kill Disk is "WELCOME.EXE", and "himem.exe" among others, and I'm not even running Windows 7 at the moment. I'm assuming Drive "A" is my CD-ROM, since the contents of the Kill Disk CD are listed. (I know drive "D" is supposed to be the CD-ROM.) I am writing to you from a neutral location (friend's computer at a local coffee shop). I have not run any of Kill Disk's functions. I used the software to observe.

I need help either cleaning up my CD-ROM of its infection, or suggestions on how to load Windows 7 via a USB ISO.

I have plenty of hacker evidence files on a thumb drive from the last of my 12 custom clean installs. I can't seem to be able to transfer the screenshots I took from Ubuntu to a CD or a flash drive.

They are accessing my computer through some type of wireless cellular dial-up despite me trying to deactivate the Wi-Fi toggle switch. I have since disconnected the 2 leads to the WLAN card.

By the way, that WELCOME.EXE file I mentioned has a miniaturized transcoded JPEG file in/on? it. It is installed instead of the correct file when I load the operating system. They then use the snipping tool and the magnifying glass tool to clip out the "dot"-sized file and then blow it up, turning it into a .exe or .dll file. I know I have the dot on a thumb drive. I've watched the "dot" disappear before my eyes. I have tried deleting the snipping tool as well as the magnifying glass tool, only to have them reappear the next day.

There is also a "ssh.Keygen" file that's supposed to be hidden from me, that I just found tonight.

I also found this line while debugging "Pidgin" (instant messaging): "Receive data over the network via RTSP rfc 2326". If sky2 means anything, it was associated with "eth0". I'm not even connected to the internet.

I can watch them writing code after clicking on the Pidgin debug option in Ubuntu. They are trying to crack my password and have been successful. The ports they are using are 6667 and 5190.

Please don't email me, as they seem to be able to find every POP3 email account I set up. I was warned "Your Identity is at Risk" back around Christmas when all this 1st started. I have since filed a fraud alert.

I confirmed with Nokia that 2 of my cell phones have been compromised. The local police will not assist since I have not sustained any "direct" financial loss. (As if $950 in labor by 4 different IT groups, 3 of which are Microsoft certified, a new hard drive, and the inability to use the internet with email service... I'm unemployed, I NEED the internet to source career track opportunities.)

Are there alternatives to a CD/DVD-ROM installation of Windows 7? By the way, the locations of my CD/DVD-ROM drivers are all zeros (i.e. location 0, channel 0, LUN 0). Same thing with the address for my hard drive drivers.

I can get the hard drive wiped externally (i.e. removed from the current computer).

Thanks for your help.
It may be a day or two before I can check back.
Nothing Special


#4 nothingspecial

nothingspecial
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 09 May 2010 - 05:13 PM

Hi Orange Blossom,

After checking out the contents of my D: drive I see I have a PR.exe file listed. I did some research and discovered it could be cover for the IRC lampsy Trojan (which makes sense given all the "Server" nonsense I've encountered) and also the RapidShare Files Trojan.

I think I also have the Erife worm (virus). Every time I try to do a clean install of the operating system these insidious files are reinstalled along with the OS.

Is what I'm explaining possible?

I'm still unable to run any of the scans or logs you have suggested.

I don't trust my email address either.

Going nuts, don't know what to do.

Nothingspecial

#5 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:06:00 AM

Posted 13 May 2010 - 09:46 AM

Pidgin is a multiprotocol instant messaging client with support for Yahoo, MSN, AIM, ICQ, and various others. Ports 6667 and 5190 are commonly listed as being connected to via remote. Please run the following:

netstat -ano in a command prompt, and post the results; they should be something like this:

C:\Users\cryptodan>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4780
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 992
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 408
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 572
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING 720
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING 704
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 5408
TCP 0.0.0.0:5101 0.0.0.0:0 LISTENING 4464
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:6646 0.0.0.0:0 LISTENING 5420
TCP 0.0.0.0:17500 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:1099 127.0.0.1:19872 ESTABLISHED 2512
TCP 127.0.0.1:1111 127.0.0.1:1112 ESTABLISHED 4464
TCP 127.0.0.1:1112 127.0.0.1:1111 ESTABLISHED 4464
TCP 127.0.0.1:1165 127.0.0.1:1166 ESTABLISHED 4464
TCP 127.0.0.1:1166 127.0.0.1:1165 ESTABLISHED 4464
TCP 127.0.0.1:1193 0.0.0.0:0 LISTENING 4704
TCP 127.0.0.1:1193 127.0.0.1:1197 ESTABLISHED 4704
TCP 127.0.0.1:1197 127.0.0.1:1193 ESTABLISHED 4704
TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING 168
TCP 127.0.0.1:9799 127.0.0.1:9800 ESTABLISHED 5856
TCP 127.0.0.1:9800 127.0.0.1:9799 ESTABLISHED 5856
TCP 127.0.0.1:9802 127.0.0.1:9803 ESTABLISHED 5856
TCP 127.0.0.1:9803 127.0.0.1:9802 ESTABLISHED 5856
TCP 127.0.0.1:19872 127.0.0.1:1099 ESTABLISHED 2512
TCP 127.0.0.1:39123 0.0.0.0:0 LISTENING 5784
TCP 127.0.0.1:54387 0.0.0.0:0 LISTENING 5684
TCP 192.168.1.3:139 0.0.0.0:0 LISTENING 4
TCP 192.168.1.3:1039 74.125.65.125:5222 ESTABLISHED 2520
TCP 192.168.1.3:1054 192.168.1.10:139 ESTABLISHED 4
TCP 192.168.1.3:1090 174.36.30.70:443 CLOSE_WAIT 2512
TCP 192.168.1.3:1100 174.36.30.90:443 CLOSE_WAIT 2512
TCP 192.168.1.3:1102 208.43.202.23:80 ESTABLISHED 2512
TCP 192.168.1.3:1115 76.13.15.44:5050 ESTABLISHED 2260
TCP 192.168.1.3:1118 68.180.217.17:5050 ESTABLISHED 2260
TCP 192.168.1.3:1120 205.188.8.142:5190 ESTABLISHED 2260
TCP 192.168.1.3:1123 64.12.165.76:5190 ESTABLISHED 2260
TCP 192.168.1.3:1126 64.4.16.103:1863 ESTABLISHED 2260
TCP 192.168.1.3:1127 207.46.124.151:1863 ESTABLISHED 2260
TCP 192.168.1.3:1143 76.13.15.43:5050 ESTABLISHED 4464
TCP 192.168.1.3:1167 68.142.233.174:443 ESTABLISHED 4464
TCP 192.168.1.3:1169 69.147.233.188:6667 ESTABLISHED 1480
TCP 192.168.1.3:1173 205.188.7.217:5190 ESTABLISHED 168
TCP 192.168.1.3:1187 174.36.30.73:443 CLOSE_WAIT 2512
TCP 192.168.1.3:1188 64.12.165.85:5190 ESTABLISHED 168
TCP 192.168.1.3:1191 207.46.125.65:1863 ESTABLISHED 4704
TCP 192.168.1.3:7258 206.220.42.147:25999 ESTABLISHED 5784
TCP 192.168.1.3:8990 72.14.204.102:80 CLOSE_WAIT 2520
TCP [::]:135 [::]:0 LISTENING 992
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1025 [::]:0 LISTENING 648
TCP [::]:1026 [::]:0 LISTENING 408
TCP [::]:1027 [::]:0 LISTENING 572
TCP [::]:1028 [::]:0 LISTENING 720
TCP [::]:1029 [::]:0 LISTENING 704
TCP [::]:2869 [::]:0 LISTENING 4
TCP [::]:5357 [::]:0 LISTENING 4
UDP 0.0.0.0:123 *:* 1184
UDP 0.0.0.0:500 *:* 572
UDP 0.0.0.0:3702 *:* 1184
UDP 0.0.0.0:3702 *:* 1184
UDP 0.0.0.0:4500 *:* 572
UDP 0.0.0.0:5355 *:* 1352
UDP 0.0.0.0:17500 *:* 2512
UDP 0.0.0.0:25003 *:* 5784
UDP 0.0.0.0:25777 *:* 5784
UDP 0.0.0.0:56585 *:* 5784
UDP 0.0.0.0:56586 *:* 5784
UDP 0.0.0.0:56587 *:* 5784
UDP 0.0.0.0:56588 *:* 5784
UDP 0.0.0.0:56589 *:* 5784
UDP 0.0.0.0:56590 *:* 5784
UDP 0.0.0.0:56591 *:* 5784
UDP 0.0.0.0:56592 *:* 5784
UDP 0.0.0.0:56593 *:* 5784
UDP 0.0.0.0:56594 *:* 5784
UDP 0.0.0.0:56595 *:* 5784
UDP 0.0.0.0:56596 *:* 5784
UDP 0.0.0.0:56597 *:* 5784
UDP 0.0.0.0:56598 *:* 5784
UDP 0.0.0.0:56599 *:* 5784
UDP 0.0.0.0:56600 *:* 5784
UDP 0.0.0.0:56601 *:* 5784
UDP 0.0.0.0:56602 *:* 5784
UDP 0.0.0.0:56603 *:* 5784
UDP 0.0.0.0:56604 *:* 5784
UDP 0.0.0.0:56622 *:* 5784
UDP 0.0.0.0:56623 *:* 5784
UDP 0.0.0.0:60566 *:* 1268
UDP 0.0.0.0:61213 *:* 1184
UDP 0.0.0.0:62043 *:* 1268
UDP 127.0.0.1:1900 *:* 1184
UDP 127.0.0.1:49196 *:* 5684
UDP 127.0.0.1:49978 *:* 4704
UDP 127.0.0.1:52847 *:* 2260
UDP 127.0.0.1:52848 *:* 2260
UDP 127.0.0.1:52851 *:* 2260
UDP 127.0.0.1:52852 *:* 2260
UDP 127.0.0.1:52881 *:* 2260
UDP 127.0.0.1:52882 *:* 2260
UDP 127.0.0.1:52903 *:* 2260
UDP 127.0.0.1:52904 *:* 2260
UDP 127.0.0.1:52905 *:* 2260
UDP 127.0.0.1:52906 *:* 2260
UDP 127.0.0.1:52924 *:* 4704
UDP 127.0.0.1:53696 *:* 5592
UDP 127.0.0.1:54757 *:* 5784
UDP 127.0.0.1:56033 *:* 1836
UDP 127.0.0.1:57503 *:* 3848
UDP 127.0.0.1:58247 *:* 572
UDP 127.0.0.1:58315 *:* 536
UDP 127.0.0.1:59292 *:* 2260
UDP 127.0.0.1:59293 *:* 2260
UDP 127.0.0.1:61218 *:* 1184
UDP 127.0.0.1:61269 *:* 168
UDP 127.0.0.1:61862 *:* 4464
UDP 127.0.0.1:62004 *:* 4064
UDP 127.0.0.1:63635 *:* 4076
UDP 127.0.0.1:63749 *:* 1480
UDP 192.168.1.3:9 *:* 4704
UDP 192.168.1.3:137 *:* 4
UDP 192.168.1.3:138 *:* 4
UDP 192.168.1.3:427 *:* 2976
UDP 192.168.1.3:1900 *:* 1184
UDP 192.168.1.3:6646 *:* 5420
UDP 192.168.1.3:61217 *:* 1184
UDP [::]:123 *:* 1184
UDP [::]:500 *:* 572
UDP [::]:3702 *:* 1184
UDP [::]:3702 *:* 1184
UDP [::]:61214 *:* 1184
UDP [::1]:1900 *:* 1184
UDP [::1]:61215 *:* 1184
UDP [fe80::100:7f:fffe%11]:1900 *:* 1184
UDP [fe80::100:7f:fffe%11]:61216 *:* 1184

Also, ssh.keygen can be associated with the use of SSH clients like PuTTY and OpenSSH.

TCP Port 6667 = IRC

TCP Port 5190 is ICQ/AIM
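As an added, defender-side illustration of the netstat -ano triage cryptodan asks for (this script is not from the post or from any BleepingComputer tool; the parser is mine, the sample input is a handful of lines copied from the listing above, and the port labels other than 6667 = IRC and 5190 = ICQ/AIM are standard service assignments I am adding as an assumption), here is a Python script that parses the listing, keeps only TCP rows whose foreign address is a routable (non-private, non-loopback, non-wildcard) IP, and groups them by PID so the PID column can be matched against Task Manager or tasklist:

```python
"""Triage helper for `netstat -ano` output (added example, not from the post).

Parses the listing, keeps TCP connections whose foreign address is routable
(non-private, non-loopback, non-wildcard), and groups them by PID so the PID
column can be matched against Task Manager or `tasklist`.
"""
import ipaddress
from collections import defaultdict

# 6667 (IRC) and 5190 (ICQ/AIM) are the ports named in the post; the remaining
# entries are standard service assignments added here for convenience (assumption).
PORT_LABELS = {
    6667: "IRC",
    5190: "ICQ/AIM",
    5222: "XMPP (Jabber)",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    443: "HTTPS",
    80: "HTTP",
}

# Sample input: a subset of the lines from the listing above, prompt and header included.
SAMPLE_NETSTAT = """\
C:\\Users\\cryptodan>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 992
TCP 127.0.0.1:1099 127.0.0.1:19872 ESTABLISHED 2512
TCP 192.168.1.3:1054 192.168.1.10:139 ESTABLISHED 4
TCP 192.168.1.3:1120 205.188.8.142:5190 ESTABLISHED 2260
TCP 192.168.1.3:1169 69.147.233.188:6667 ESTABLISHED 1480
TCP 192.168.1.3:1090 174.36.30.70:443 CLOSE_WAIT 2512
TCP [::]:445 [::]:0 LISTENING 4
UDP 0.0.0.0:123 *:* 1184
UDP [fe80::100:7f:fffe%11]:1900 *:* 1184
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles '[ipv6%zone]:port' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone index
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; the prompt, headers and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0]
        if proto == "TCP" and len(fields) < 5:
            continue  # malformed TCP row (State and PID expected)
        # TCP rows carry a State column; UDP rows do not, so the PID shifts left.
        state, pid = (fields[3], fields[4]) if proto == "TCP" else (None, fields[3])
        lhost, lport = split_endpoint(fields[1])
        rhost, rport = split_endpoint(fields[2])
        records.append({
            "proto": proto, "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": state, "pid": int(pid),
        })
    return records


def is_external(host):
    """True only for a routable address: wildcard, loopback, link-local and RFC 1918 are excluded."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # '*' or an unparseable token
        return False


def external_connections(records):
    """TCP rows whose foreign address is routable (any state, so CLOSE_WAIT leftovers are kept)."""
    return [r for r in records if r["proto"] == "TCP" and is_external(r["remote_host"])]


def summarize_by_pid(records):
    """Map PID -> list of (remote_host, remote_port, state, label) for external TCP rows."""
    summary = defaultdict(list)
    for r in external_connections(records):
        label = PORT_LABELS.get(r["remote_port"], "unlabelled")
        summary[r["pid"]].append((r["remote_host"], r["remote_port"], r["state"], label))
    return dict(summary)


if __name__ == "__main__":
    for pid, conns in sorted(summarize_by_pid(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(f"PID {pid}:")
        for host, port, state, label in conns:
            print(f"  -> {host}:{port} {state} ({label})")
```

On the sample this reports three PIDs: 1480 talking to port 6667 (IRC), 2260 to 5190 (ICQ/AIM) and 2512 holding a CLOSE_WAIT to port 443. LAN peers (192.168.x.x), loopback pairs and LISTENING sockets are left out on purpose, since the question in a thread like this is which process holds a connection to the outside world; the PID is then looked up in Task Manager (View > Select Columns > PID) or with `tasklist /fi "pid eq 1480"` to see which executable owns it.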

#6 nothingspecial

nothingspecial
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 17 May 2010 - 02:50 PM

Is my topic closed? I have posted back as directed, unable to run "any" of the anti-malware tools suggested. Should I try to reload the OS (I usually have some administrative privileges immediately following start-up) and then run the tools in "this guide" starting with the Defogger?

I'm willing to follow directions and can wait patiently. Since my last post I uninstalled Ubuntu.

Eagerly awaiting direction
Nothingspecial

Edited by nothingspecial, 17 May 2010 - 02:55 PM.


#7 nothingspecial

nothingspecial
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 17 May 2010 - 03:10 PM

I have since tried to load Ubuntu and see this at my boot option page:

VERBOSE DEBUGGING | DEBCONF_DEBUG=5
Debug Boot Sequence | BOOT_DEBUG= 2|3 (that line is supposed to be the piping sign)
Disable Framebuffer | fb = false
Don't Probe For USB | debian_installer/probe/USB =false
Force Static Network Config | net cfg/diasable_dhcp = true
Use Braille tty | br/tty = driver,device/textable
Disable ACPI for PCI Maps | pci = noacpi

I was going to try and run Ubuntu from the disk without installing it to see what issues I might encounter, but stopped right there.

Edited by nothingspecial, 17 May 2010 - 03:11 PM.
