
Look At This Machine. It's........dead. Grrrrrrrrrreat


  • Please log in to reply
3 replies to this topic

#1 Tech A1


Posted 28 December 2005 - 08:20 AM

I use the word "hacked" like the Times online auctioneer uses the term "mint."
Few and far between.

Ok, I know - I probably shouldn't have been on that crummy site with all of the 'file sharing' and open source type acquisitions. I must admit, they got me, and they got me good this time.

I was running WinXP Pro, 500 MHz PII, 384 MB, cable modem, digital camera, and an old glazed doughnut on top of the machine. I downloaded the culprit .exe, whose name I don't remember right off hand. I scanned the file after downloading to ensure it was not a nasty virus. SAV came up with zilch. Ran the program, and obviously you know the rest if I'm here right now. My CPU immediately showed signs of a massive bog down, and I tried to look at the processes (ctrl-alt-del) to determine what exactly I had just installed on my machine. (I KNOW ALREADY! HOW LONG ARE YOU GOING TO KEEP THROWING THAT IN MY FACE!?!?!?) :thumbsup: :flowers:

Anyway, to make a long story short, all of a sudden SAV's system tray icon disappeared, and it started picking up all sorts of .exe files attempting to run from the %system%/system32/ directory, reg entries that shouldn't be in there, a program called spy-shredder or something like that (junk), etc... etc... I ran Ad-Aware, just to get a feel for how big of a problem I was dealing with. Now, the last time I ran Ad-Aware was about 1 month ago; when I tried to update the program today, the prog told me that my definitions were 1,201 days outdated.

So then my buddy comes over and demands that $55.00 I owe him, you know. With nothing else running, and SAV done either quarantining or deleting any files, I opened up IE and typed PayPal's address in. http://www.paypal.com/

That's when this page came up. The first thing I noticed besides the obvious changes to the web page was the spelling mistake of the word "organize." How they made the address bar appear to be at the correct address of "https://www.paypal.com/" I HAVE NO CLUE. It's definitely a neat and scary trick.

After I calmed down from all the shock and curiosity, I was bouncing through my Program Files directory and noticed a folder entitled "fastpush." Inside I found several different subdirectories with an assortment of VNC flavors, installed and stealth, with a bunch of reg entries that had already been used. (I checked the registry for the strings.)

And the last thing I noticed....... The OS will not get past the menu screen on boot now, so to put it simply, it won't restart.
Luckily I have another old Pentium II that didn't get hit through the network, but that data needs to be ghosted or something if the drive needs to be blown away.

Any suggestions would be great, I'd like to not have to yank the drive and scan it in a different machine, but I guess if I have to, I have to.

Thanks,
Adam

Edited by Tech A1, 28 December 2005 - 08:23 AM.



#2 acklan


Posted 28 December 2005 - 09:26 AM

Go to BootDisk.com and download the appropriate boot disk and run scanreg from the command line. If you can get it to boot up we will help clean your system, but first let's see if we can get you up and running.

Edited by acklan, 28 December 2005 - 09:27 AM.


#3 Tech A1 (Topic Starter)

Posted 28 December 2005 - 01:39 PM

I pulled the hard drive out and scanned it from another machine; it looks like I got some of the crud off. Oh, I failed to mention that for some reason my NIC card was also messed with, as the Device Manager shows it as having issues. Every time I try and update or re-install the driver the system restarts itself (like immediately). It's bizarre. Have any more ideas?

#4 tg1911


Posted 29 December 2005 - 12:08 PM

I suggest you post a HijackThis log for examination.

Read How to post a HijackThis Log.
Please read, and follow, all directions carefully.

Then, run a log, and post it in the HijackThis forum, at this link. Do not fix anything yet.
A member of the HJT Team will help you out.
It may take a while to get a response, because the HJT Team is very busy. Please be patient; these people are volunteers. They will help you out as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.