Jump to content

Hacked


Mn
 Share

Recommended Posts

Here is my story. . .  bare with me im bad with stories. . .

Im a med student outside the stats and today during my 3rd year in med school i found my self with the first trojan that i cannot remove from my computer.  I was amazed since ive been around the internet since late 1990's and i always had a passion for the "hacker-world-ideal" thust i read alot and i considered my self to be an user above average.

Today i insterted 3 USB keys in my laptop to share with fellow students a couple of books, on my last USB i found my self confused because the logo on the USB pen drive changed and it looked similar to a regular folder. . .  But that changed in a matter of seconds and i said to my self "meh. . .  its just another virustrojan" that i can get rid off. 

So far ive tried everything under my sleeve (hex-edit,search,delete registries, search for recent activity) and the only thing i found out is the file name of  whats currently running on my PC and a possible name or nickname.  I got pissed off and before anyone could leave class and before my pc got online i went and change my credicardemailstudent-pwd to a different one using a different pc.  <<viva le paranoia>>

What have i been able to tell that this program did to my pc:

1- denied access to the USB pen drive in witch it came, thust i couldnt even format it

2- inserted it self on to registry to startup automatically

3- removed search, run, control panel, user accounts, task manager features

4- deleted all the administrator account privileges. . .  thust i cant do crap. . .  not even under safe mode

I would appreciate it if anyone could help me with a solution to regain back admin powers and also if anyone is interested in any file on my computer related to that trojan i would gladly do all in my power to help you obtain the file.

Link to comment
Share on other sites

Its time to backup and do the reinstall dance. Your system has been compromised and you can no longer trust the installed OS, end of story. And next time, disable autorun and get some decent AV running.

Queue Sparda with "Ubuntu!"...

Link to comment
Share on other sites

Before wiping it out, I would load a live cd or windows recovery disc and try to locate what it is that was doing this. Better to be able to defend against it in the future before wiping out everything. also, you can make changes to the disk through the recovery cd, maybe putting you back to a previous day before this happened. This is usually the first thign I do for people when they bring me their pc and they have a virus, is I try to get it to a restore point PRIOR to when this pappened since they are almost always in tact. Also, you can install users from the console and take ownership back to the pc and deny any startup programs, etc, deleting them before a reboot or quarantining them. Run System File checker and let it overwrite any system files it finds to be out of whack as well. Then like Vako said, backup your files, scan them, and reinstall the entire OS to be safe.

If your brave enough to edit the USB drive to see what happened, I would turn off autorun and autoplay before plugigng it in and then try scanning it. Then just right click the drive and do a format if need be.

Looks like someone you were trying to help was purposly trying to mess with you. I would hope that if they did it as a joke, they would provide you with the fix. Sounds like it was a nasty one though and they meant to do this as they would have to make sure to turn it off when using their own USB drives.

Link to comment
Share on other sites

Lesson learned I think: don't insert unknown media without turning auto-everything off.

QFE!

Still, does not protect the drive when inserting into someone elses pc.(not that there really is a fix for that one, unless you have a portable virus scanner that launches upon insert and the drive is some how read only)

Link to comment
Share on other sites

Mmmm... formatre-install ... was my last choice. Just wanted 2 things:

#1- See if anyone was interested in obtaining a copy of the trojan to better analize it in their home

#2- See if anyone knew a good way for me re-claiming my administrator rights

But hey you cant have it all in life can ya? =)

Cheerz!

~Mn

Link to comment
Share on other sites

what u need to do is format.

Though just some other things so that u can backup, when loggin in as an Admin, are u using the windows Administrator Account under safe-mode, or are u just using ur own account that would have been demoted by the virus?

If Administrator works, then find the file that doesnt belong, get the file name, and google it, there will be a few anti-virus sites which will tell u all the files / reg keys that need to be deleted, do so.

Make a new Account, move ur shit and delete the old account, unless u can be stuffed editing all the permisions on the old account.

Link to comment
Share on other sites

http://www.howtogeek.com/howto/windows/dis...and-usb-drives/

http://www.mydigitallife.info/2006/09/11/d...ives-launchpad/

And be sure to turn off autoplay and autorun. If you use a U3 drive, use the SHIFT block to keep the launchpad from running upon insert.

Link to comment
Share on other sites

Boot in safe mode and start cleaning from there.

I would also go and buy a deccent Spyware / Virus scanning application (personal preference is NOD32 ahem I am a reseller  :lol:)

Boot off a Windows XP CD, you should be able to do 1 of 2 things

1. Press Shift (or Ctrl) + F11 to bring a command prompt up (I don't remember the exact key stroke, but google the terms and the method of doing it) this may or may not work given the state of the current OS

2. Do a quick reinstall, this should put the base OS back into place so you can boot into safe mode without having to wipe your disk.

I wish you the very best in your attempt to recover, however a wipe is the best option, sorry  :-(

Link to comment
Share on other sites

What have i been able to tell that this program did to my pc:

1- denied access to the USB pen drive in witch it came, thust i couldnt even format it

2- inserted it self on to registry to startup automatically

3- removed search, run, control panel, user accounts, task manager features

4- deleted all the administrator account privileges. . .  thust i cant do crap. . .  not even under safe mode

1- Boot to a linux live cd like knoppix and format the drive

2- Try HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun, also check for rootkits

3- try gpedit.msc, or after disabling it at startup you may regain your rights as well

--or try this .vbs we used in high school to enable it:

Set WshShell = WScript.CreateObject("WScript.Shell")
With WScript.CreateObject("WScript.Shell")

On Error Resume Next

.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools"
.RegDelete "HKCUSoftwarePoliciesMicrosoftWindowsSystemDisableCMD"
.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr"
.RegDelete "HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemDisableTaskMgr"
.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemNoDispCPL"
.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRestrictCPL"

End With

Mybox = MsgBox(jobfunc &amp; enab &amp; vbCR &amp; "Ultimate Pwnage Complete :-p", 4096, t)

^^Coded by Javabudd^^

4- try pulling the computer to "system" See this thred: http://forums.hak5.org/index.php/topic,2504.0.html

Link to comment
Share on other sites

What have i been able to tell that this program did to my pc:

1- denied access to the USB pen drive in witch it came, thust i couldnt even format it

2- inserted it self on to registry to startup automatically

3- removed search, run, control panel, user accounts, task manager features

4- deleted all the administrator account privileges. . .  thust i cant do crap. . .  not even under safe mode

1- Boot to a linux live cd like knoppix and format the drive

2- Try HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun, also check for rootkits

3- try gpedit.msc, or after disabling it at startup you may regain your rights as well

--or try this .vbs we used in high school to enable it:

Set WshShell = WScript.CreateObject("WScript.Shell")
With WScript.CreateObject("WScript.Shell")

On Error Resume Next

.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools"
.RegDelete "HKCUSoftwarePoliciesMicrosoftWindowsSystemDisableCMD"
.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr"
.RegDelete "HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemDisableTaskMgr"
.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemNoDispCPL"
.RegDelete "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRestrictCPL"

End With

Mybox = MsgBox(jobfunc &amp; enab &amp; vbCR &amp; "Ultimate Pwnage Complete :-p", 4096, t)

^^Coded by Javabudd^^

4- try pulling the computer to "system" See this thred: http://forums.hak5.org/index.php/topic,2504.0.html

^ Temp Fix ^

All that to avoid booting Ubuntu (some thing that every one should participate in at least twice daily)? What effort.

Reminded me of the dltv tip for there most recent episodes "How to access cookies on Vista". Admittedly they usually do over complicate things but it would be much easier if you just used Firefox in the first place.

Link to comment
Share on other sites

Thats overly complicated, just use a ubuntu disc to pull the data from the system then format the disc and reinstall windows. You can try and fix it, but in this case, if your install of windows was a car it would be a write off. Yes, you might be able to make it go again, but the wheels will come off when you next go over a speed bump. Ubuntu can read/write NTFS now, so while I personally don't use it as an installed OS it makes for an invaluable data recovery tool when dealing with a trashed windows install. Its far faster to nuke it and start again than it is to spend time pissing about with recovery attempts that will never work properly anyway.

(a tip would be to partition your disk so that you have 20GB for windows and programs and the rest of the disc for data. That way the OS is considered a replaceable part rather than something integral.) 

Link to comment
Share on other sites

i have dealt with some really nasty ones a long time ago, a user kept complaining about their system restore wont enable it's self and they kept getting lots of dll errors  so when i took a look at it, I forgot the name of the trojan, but it was keylogger and also used for phishing

the person used NOD32 but it didn't protect them from it.  (and a full scan with it would only find 1 infected file which it would remove, but it would come back  and the running process of it would also  come back) I eventually got rid of it using a live cd  (which was able to see the infected files that were invisible to windows and nod32 )  but windows was in such bad shape  that i couldn't get it working right. so i  just took screenshots of the desktop, start menu and  some folders  (backed up all of the music and documents)

then i reinstalled windows  and  tried my best to make everything look exactly like it did before (just with out the problems)

well at least i got paid $50 for  fixing their problem  since  the person had a lot of software used in their home business that is annoying to setup.

(never mix limewire or any other p2p with a pc for business use and when ever you download any music or anything else p2p, right click on the file then scan it before you run it.  many trojans will usually get past the auto protection but not a regular scan)

Link to comment
Share on other sites

(never mix limewire or any other p2p with a pc for business use and when ever you download any music or anything else p2p, right click on the file then scan it before you run it.  many trojans will usually get past the auto protection but not a regular scan)

musics rather safe of being virus free (mp3's im talking about). Its rather hard to wrapp a trojen into a mp3, and have it execute correctly, P2P is only gonna kill u when ur downloading the likes of games.

Disclamer, Deveant in know way supports piracy nor the use of P2P applications for kiddie porn (u dirty people), though deveant does like talking about him self as 3rd person and goes off on lil rants every now and then when he has had a lil to much to drink, like... now.

Link to comment
Share on other sites

Also:

How to Remove f4ker.vbs/Malaysian Hacker from your system or flash drive

How to remove pooh.vbs from your system or flash drive (Original Post on PC Express Online or my forums)

Update:

For P2P Protection... Doi! Sounds Like Helga G. Pataki!

PeerGuardian 2.0

Funny UST Scandal Virus*

FOLDER.HTT, DESKTOP.INI, THUMBS.DB: Viruses?

Note: *means this link contains non-english topic if you're Philippino Language in the Philippines

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...