Internet Cafés and CyberCrime BEWARE

#1 Single4ever
Posted 25 July 2011 - 05:41 PM

I have been in the IT business since 1994. I started building computers in the late 1990s and, until July 3rd, 2011, never had to deal with a single virus. I moved to a new apartment on July 1st, and as I had to wait until July 15th for my new ISP to grant me access to their network, I had to bring my WD Passport USB drive to an Internet Café here in Montreal. My trip there was supposed to be a quick 10-minute stop to download a specific driver from Panasonic's web site (voice editing v1.1 drivers for Vista).

Just downloading the driver was a pain, as I noticed after plugging in the drive that I couldn't access any of the folders. I managed to save the said drivers from Panasonic and went back home. The week got hectic, so I postponed installing that driver until the following Saturday. I almost got a HEART ATTACK, especially when browsing the content of my WD USB drive: each folder was showing a total of 3 KB, which got me worried on the spot, as each folder should have shown an average of 7 to 10 GB! I ended up on Google and found the best answers on Bleeping Computer (I'm thankful to have found you!!!).

I found the darn virus (which is an autorun), but all my desktop computer drives are NTFS (2 of the 5 disks being e-SATA), so when I plugged in the WD Passport, the virus spread itself on the spot without my knowledge... I called up the Internet Café, as I have NEVER NEVER NEVER plugged this WD USB flash drive in anywhere else before that said July 3rd, 2011. When I called, I asked to speak to the owner, but although this Internet Café is open 24 hours/7 days a week, no one could or would provide the owner's name (he cannot be reached AT ALL). I am known to be a Go Getter with zero tolerance towards morons, so I told them that they had 2 choices: either help me remove the trojan virus they had infected me with, or I'd call the CyberCrime Police to shut down their premises for knowingly infecting customers with bad intentions...

They asked me to calm down; they said they knew about a certain virus that had spread around within THEIR network and told me to come over, as they had a FIX. Wow, I was impressed, so I drove there on July 10th @ 11:05pm. The clerk (or cashier) said THEY were expecting me and asked me for the "troublesome Flash Drive". The clerk already had an MS-DOS utility on his desktop, so he copied and pasted it onto my USB drive. I noticed that what appeared in the DOS window was all in CHINESE characters (and I only speak French and English). I am known to play the "dumb blonde" during my investigative day-to-day work, so I acted as if I didn't know anything and asked the clerk how to use this utility (which is called CURE). I noticed, though, that when he plugged in my flash drive he got no warnings (and the drive had the Recycler virus on it!) and didn't seem to be running any type of Anti-Virus on the main computer. Their CURE utility only unlocks the infected folders, so you'd be tempted to say: how nice of them... yeah, this CURE utility contains a command line that spreads the virus more efficiently within each of the unlocked files/folders that you think might be safe to copy to your own computer.

I called the city police but ended up bouncing here and there and was told that unless I could prove I had been a victim of cybercrime, nothing could be done. Hell, my computer, a USB flash drive, and a 16 GB Micro SD had been infected and all were out of order, NOT wanting to get on the internet AT ALL.

So I called the Royal Canadian Mounted Police (RCMP), and they've been the most helpful as I pushed my research further. I have a friend who was able to run this strain of Autorun/Recycler virus in a virtual machine, and the command lines of the MS-DOS virus had keyloggers programmed to send all logs to up to 10 IP addresses in China!!! We then ran the CURE virus (which was provided by the Internet Café; the utility was created in 2008 but must have been modified for their own needs/greed), and it contained another autorun exe to send logs to up to 5 IP addresses within the Montreal area. I've uncovered the scam, and to my disappointment, unless the CyberCrime is a Financial or Sexual Offence, not much can be done for now, until several victims report the same... crime.

What would you have done if it happened to YOU?

Thanks to all for comments and inputs.

(P.S.: I've FDISK'd the whole disk, which was only for the MS Vista 64 OS, and bought a new Windows 7 while I was at it!)

#2 myrti
Posted 03 August 2011 - 09:41 AM

Hi,

To be honest, I always operate with the assumption that the PCs in an Internet Cafe are infected and unprotected. If I know beforehand that I will be using an internet cafe, I set up dummy passwords for the accounts I have to log into, which I can easily change back to my normal passwords once I get back on my own internet or an internet connection I trust. Otherwise I try not to log in to my accounts, or I keep track of which ones I logged into and change their passwords afterwards.

Autorun infections, while very common, can be easily blocked by a) disabling autorun on your PC so that only the flash drive may get infected, or b) using a tool such as FlashDisinfector, which will add an undeletable autorun.inf file and therefore prevent the successful infection of the flash drive.
(There's also the option to install a Linux OS on your flash drive alongside the Windows one, and to reconnect the flash drive under Linux first and check whether it has been infected or not.)

I am also in the lucky position that I do not need anyone to help me remove malware (I help others. :wink:), but asking the people that got infected and haven't cleaned the infection for help does not seem the most successful approach to me. They are unlikely to know what to do to clean the PC, which may be why you ended up with this outdated and dangerous remover. They will have done an online search and linked you to the first one that seemed to have worked. Personally I'd be inclined to assume ignorance before assuming malicious intent.
You are more likely to find help by searching for it yourself, or by asking for help here. :)

I can't really comment on the legal situation. I would assume that you would have to prove that it was intentional, which will be very hard, close to impossible.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
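As an added example (not code from either poster or from BleepingComputer), here is a read-only Python triage script for the kind of flash-drive infection discussed in this thread: it parses the launch commands out of an autorun.inf, notices whether autorun.inf is the FlashDisinfector-style placeholder directory myrti mentions, and flags a RECYCLER folder and folders shadowed by a same-named .exe. The drive layout it builds is a constructed sample in a temp directory; "sample-worm.exe" is a placeholder name, not a real file.

```python
import os
import tempfile

def parse_autorun(text):
    """Return the commands an autorun.inf would launch (open=, shellexecute=, shell\\<verb>\\command=)."""
    cmds, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                cmds.append(value)
    return cmds

def scan_drive(root):
    """Triage a mounted removable drive for autorun-worm indicators (reads only, changes nothing)."""
    f = {"autorun_cmds": [], "protected": False, "recycler": False, "folder_exe_pairs": []}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isdir(inf):
        f["protected"] = True  # a directory named autorun.inf stops a worm from writing its file
    elif os.path.isfile(inf):
        with open(inf, errors="replace") as fh:
            f["autorun_cmds"] = parse_autorun(fh.read())
    names = os.listdir(root)
    lower = {n.lower() for n in names}
    # RECYCLER is normal on an XP NTFS volume but a classic hiding place on a FAT flash drive
    f["recycler"] = "recycler" in lower
    # a folder shadowed by <folder>.exe suggests the worm hid folders and planted look-alikes
    f["folder_exe_pairs"] = sorted(n for n in names if n.lower() + ".exe" in lower
                                   and os.path.isdir(os.path.join(root, n)))
    return f

def build_sample(protected=False):
    """Constructed sample drive in a temp directory; the 'worm' is only an empty placeholder."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "Photos"))
    if protected:  # FlashDisinfector-style placeholder directory instead of a file
        os.mkdir(os.path.join(root, "autorun.inf"))
        return root
    os.mkdir(os.path.join(root, "RECYCLER"))
    open(os.path.join(root, "Photos.exe"), "w").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\sample-worm.exe\nicon=drive.ico\n"
                 "shell\\open\\Command=RECYCLER\\sample-worm.exe\n")
    return root
```

Run `scan_drive("E:\\")` (or the mount point on Linux) against a drive you suspect; a non-empty `autorun_cmds` list tells you exactly what Windows would have launched on insertion.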
