
Something has taken control of everything!


32 replies to this topic

#1 reggiej95


Posted 18 October 2013 - 11:14 PM

Approximately two weeks ago all of the media on my PC disappeared; within hours all the files were gone and drivers removed. So I immediately used gpart to secure-erase the drive, reflashed the BIOS and did a clean install of Win7. The PC is on a LAN behind a SonicWall TZ210. Within a day it began again. While I still had access I ran every major rootkit detector out there; they all came back clean. The pattern just repeats. Now it also has control of both my and my son's phones (Android); it installed VPNs on both. It is just malicious.

 

What I've learned: it operates while in safe mode; every time I log in, Event Viewer sees from 2 to 6 additional logins immediately after. It attaches my PC to a network.

PC/PC as an example. Net commands always lead back to 127.0.0.0

 

It changes tactics and seems almost vindictive. I am at my wits' end.

Today, while trying to replace drivers using a live CD, I mounted the drive while working. I also had a USB installed; somehow I intercepted 100's of HTML documents. I have no idea what they are. It has virtually crippled the house.

 

Any ideas would be greatly appreciated. 

 

Thanks 





#2 noknojon


Posted 24 October 2013 - 01:45 AM

Hello and sorry that you were not attended to earlier.

 

Have you contacted your Internet Service Provider yet, as they must renew your account?

 

Next (big job): if you had any personal information (banks / credit cards / etc.) used via this computer, then all of your banking details need to be watched and your bank needs to be informed.

 

You can also contact your local police to inform them that you have a current hacker who may be stealing your details, and at the worst they may be stealing any credit / passport / personal details that you had ever installed.

 

OK, you may think I am overstating things, but at the moment you are being held up by a common criminal.

 

These people need to be caught, and you need to take the first step by calling your ISP now.

 

Since you tell me that you have no secure contact or computer, am I able to run any scans?

Can you tell me if you have any active antivirus or antimalware programs that you can scan with and copy / paste results back here?

 

Also, can you run this first simple scan? =>

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

Thank You -



#3 reggiej95

  • Topic Starter

Posted 25 October 2013 - 01:39 PM

Hi

Thank you very much for responding. I did contact local police; they offered no help. I filed on the FBI website. I also got a new IP. I brought in a new PC; within a day it was attacked. It has now escalated: whatever or whoever is doing this has wiped drives; all that remains is a folder named "system", inside is "systeminfo", inside that is "remote system database administrator", which is empty. I can no longer boot from a CD.

I am absolutely baffled; it is a nightmare with no apparent ending. Honestly, it really seems its only goal is to make life miserable. I'm out of ideas.

#4 noknojon


Posted 25 October 2013 - 04:52 PM

"Honestly, it really seems its only goal is to make life miserable. I'm out of ideas."

By "it" I would say "someone", as it is simple for a mongrel to upset you.

 

Do you mean (IP) Internet Provider or just IP address?

What did your Internet Service Provider actually do?

The FBI etc. will do very little (usually ignore it) if it is less than about $5K (or it may be $50K) in direct damages.

 

Are you able to plug into any other person's internet to see if there is a reaction at all?

Are you posting from an outside computer, or? What happens on another internet connection? By that I mean, do you have a good friend next door or somewhere that you can take your computer?

 

Sorry for the barrage of questions, but as I am not there I must ask you for all details.

 

Tracing a hacker and Windows Forensics: Have I been Hacked? are the best 2 tutorials that are on the B.C. site.

If you are not able to use these programs or find any other help, I can only try to elevate this topic, but I will need to find out if another will take it on.

 

Please try anything (everything) from above and then post any details back here.

 

Thanks -



#5 quietman7

  • Global Moderator

Posted 25 October 2013 - 07:57 PM

Is there a common denominator between your android phones and your computer?

How do you connect to your ISP?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 reggiej95

  • Topic Starter

Posted 25 October 2013 - 08:14 PM

I went from using a Netgear cable modem to piggybacking on my VoIP phone gateway, which changed all the sets of numbers drastically. (Excuse my lack of knowledge.)

I just moved here 4 months ago; I know no one. I brought a new PC in; it was junk in hours. To date I'm out 5 SSDs, 1 HDD and at least 2 mobos.

What I think I've learned is this: they enter immediately after I log in, as NT AUTHORITY via an Advapi Negotiate, as per the event logs. I've found script, if that's the correct word, that said stuff about changing the output of virus scans. They remove all physical drivers and install virtual mini-WAN stuff. I was using Hiren's Boot CD for GParted etc.; then I decided to use a USB thumb drive at the same time. I mounted the C drive while I was investigating on the internet; the USB captured tons of script. They had script that reversed all formatting I did to the previous state upon exit. Unfortunately I found that too late. I'm posting from a cell phone.

Your questions are no problem at all; I hope I answered them all. You have no idea how grateful I am that you are asking. I will do everything I can to get you whatever you need to make this stop.

Reggie
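
The extra logons described in the post above (NT AUTHORITY accounts logged on via Advapi/Negotiate right after the user signs in) are Security event ID 4624 records, and the fields that tell them apart are LogonType, LogonProcessName, AuthenticationPackageName, SubjectUserSid and IpAddress. The script below is an added example, not code from this thread or from BleepingComputer. It assumes the events were exported as XML (for instance with `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml`) and wrapped in one root element, and the sample records embedded in it are constructed for illustration rather than taken from anyone's logs. It separates logons of type 4 and 5 started by SYSTEM, which is what the Service Control Manager and Task Scheduler produce through Advapi/Negotiate and which routinely fire right after an interactive logon, from type 3 (network) and type 10 (RDP) logons whose source address is not the local machine, which are the ones that indicate another host was involved.

```python
"""Triage Windows Security event 4624 (successful logon) records exported as XML.

Added example. Assumes an export such as
    wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml
whose bare <Event> elements have been wrapped in a single root element.
"""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

LOGON_TYPES = {2: "Interactive (console)", 3: "Network (SMB, RPC, WMI)",
               4: "Batch (scheduled task)", 5: "Service",
               7: "Unlock", 9: "NewCredentials (runas /netonly)",
               10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}
REMOTE_TYPES = {3, 10}                    # logon arrived over the network
LOCAL_ADDRS = {"-", "::1", "127.0.0.1"}   # IpAddress values used for local logons
SYSTEM_SID = "S-1-5-18"                   # NT AUTHORITY\SYSTEM as the calling subject


def parse_4624(xml_text):
    """Return one {Data Name: value} dict per 4624 event in the export."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter("{%s}Event" % EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # ignore 4672, 4634 and other events in a mixed export
        records.append({d.get("Name"): (d.text or "").strip()
                        for d in ev.findall("e:EventData/e:Data", NS)})
    return records


def triage(data):
    """Classify one 4624 record by logon type, calling subject and source address."""
    lt = int(data.get("LogonType") or 0)
    ip = data.get("IpAddress", "-")
    rec = {"user": "%s\\%s" % (data.get("TargetDomainName", ""),
                               data.get("TargetUserName", "")),
           "logon_type": lt, "desc": LOGON_TYPES.get(lt, "Unknown"),
           "process": data.get("LogonProcessName", ""),
           "package": data.get("AuthenticationPackageName", ""),
           "ip": ip, "workstation": data.get("WorkstationName", "")}
    if lt in REMOTE_TYPES and ip not in LOCAL_ADDRS:
        rec["verdict"] = "INVESTIGATE: remote logon from %s" % ip
    elif lt in (4, 5) and data.get("SubjectUserSid") == SYSTEM_SID:
        # Service Control Manager / Task Scheduler logging an account on:
        # LogonProcessName "Advapi", package "Negotiate", subject SYSTEM.
        rec["verdict"] = "expected: service/task logon started by SYSTEM"
    elif lt in (2, 7, 11):
        rec["verdict"] = "expected: console logon or unlock"
    else:
        rec["verdict"] = "review"
    return rec


def triage_xml(xml_text):
    return [triage(d) for d in parse_4624(xml_text)]


def suspicious(xml_text):
    return [r for r in triage_xml(xml_text) if r["verdict"].startswith("INVESTIGATE")]


def _event(event_id, **fields):
    """Build a constructed record in the Security log's XML shape (demo data only)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (EVT_NS, event_id, data))


# Constructed sample export, not real log data. 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, standing in for whatever source your export shows.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, SubjectUserSid=SYSTEM_SID, TargetUserName="reggie", TargetDomainName="PC",
           LogonType=2, LogonProcessName="User32 ", AuthenticationPackageName="Negotiate",
           WorkstationName="PC", IpAddress="127.0.0.1"),
    _event(4624, SubjectUserSid=SYSTEM_SID, TargetUserName="SYSTEM", TargetDomainName="NT AUTHORITY",
           LogonType=5, LogonProcessName="Advapi  ", AuthenticationPackageName="Negotiate",
           WorkstationName="-", IpAddress="-"),
    _event(4624, SubjectUserSid=SYSTEM_SID, TargetUserName="SYSTEM", TargetDomainName="NT AUTHORITY",
           LogonType=4, LogonProcessName="Advapi  ", AuthenticationPackageName="Negotiate",
           WorkstationName="-", IpAddress="-"),
    _event(4624, SubjectUserSid="S-1-0-0", TargetUserName="reggie", TargetDomainName="PC",
           LogonType=3, LogonProcessName="NtLmSsp ", AuthenticationPackageName="NTLM",
           WorkstationName="OTHERBOX", IpAddress="192.0.2.10"),
    _event(4672, SubjectUserSid=SYSTEM_SID, PrivilegeList="SeTcbPrivilege"),
    _event(4624, SubjectUserSid="S-1-0-0", TargetUserName="reggie", TargetDomainName="PC",
           LogonType=10, LogonProcessName="User32 ", AuthenticationPackageName="Negotiate",
           WorkstationName="OTHERBOX", IpAddress="198.51.100.7"),
]) + "</Events>"


if __name__ == "__main__":
    for r in triage_xml(SAMPLE_XML):
        print("%-16s type %2d %-28s %-8s %-9s %-14s %s" % (
            r["user"], r["logon_type"], r["desc"], r["process"],
            r["package"], r["ip"], r["verdict"]))
```

Replace SAMPLE_XML with the wrapped contents of your own export to run it against real data. A burst of type 4/5 logons for SYSTEM, LOCAL SERVICE or NETWORK SERVICE right after a console logon is the normal footprint of services and scheduled tasks starting; the records worth chasing are the ones whose IpAddress is another machine, and for those the WorkstationName and the matching 4624/4634 pairs give the timeline.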

#7 reggiej95

  • Topic Starter

Posted 25 October 2013 - 08:21 PM

Forget this at the moment; I have nothing with an OS on it, no working PC in the house. I am trying to wait for a better plan of action than what I've been doing thus far.

Reggie

#8 quietman7

  • Global Moderator

Posted 25 October 2013 - 08:29 PM

Then it appears the VoIP phone gateway is the common denominator.

#9 reggiej95

  • Topic Starter

Posted 25 October 2013 - 08:31 PM

I haven't connected to the ISP in 9 days at least. I did find a VPN on my phone approximately 2-3 weeks ago; I did a factory restore, and neither phone is rooted.

#10 reggiej95

  • Topic Starter

Posted 25 October 2013 - 08:32 PM

The issue started weeks ago; VoIP was about 10 days ago.

#11 quietman7

  • Global Moderator

Posted 25 October 2013 - 08:46 PM

Gotcha now... it's possible the cable modem has been hacked, since we can eliminate the VoIP phone gateway.

Who is your ISP?

#12 reggiej95

  • Topic Starter

Posted 25 October 2013 - 09:02 PM

Cox Communications

#14 quietman7

  • Global Moderator

Posted 25 October 2013 - 09:28 PM

I don't know who you spoke to before, but it most likely was not someone who knows much about these types of issues. I found this info on the Cox Communications website, so they do assist with investigation reports of hacking.


Submit the following types of abuse to abuse@cox.net.
Unauthorized accesses from a Cox-owned IP (hacking/cracking)

Abuse Submission Guidelines

The following are the basic submission guidelines to send issues to abuse@cox.net.

Do not attach files to the email. For security reasons, attachments will not be opened. Provide evidence by copying and pasting from your log files or email headers.
Do not send emails larger than 64 KB (kilobytes) in size (approximately 800 lines).
Send emails in plain text format. HTML and Rich Text are difficult to process.
Remove extraneous information (such as non-Cox IP addresses) from the report.
Do not include trace routes, ping results, or WHOIS information.



#15 reggiej95

  • Topic Starter

Posted 27 October 2013 - 05:36 PM

OK, I contacted them. Received only an auto-response so far. I did, however, learn a few things. He is using X.org software for the VM and Debian for the actual attack. I was using a CAINE boot CD and a blank, unformatted HDD, and I have about 30 hard pages from all the system logs. I don't understand them, but I was able to figure that much out.



