One PC destroyed, another almost



faster
2019-08-20, 02:27
I got hit by the grandmother of all hacks. I can't go into all the gruesome detail, but maybe someone will recognize it and advise me, if I'm lucky. The PC used W7.
First clue was an unauthorized partition, something like "System Security" or something like that. It was given the letter X:/. It came in when I booted my PC, and got the update screen that Windows throws up while it is installing updates. I'd made none, and I knew it was probably foul, but there's NO WAY you can boot up without letting updates finish. That's when I got the partition, I think.
After another day or two, it happened again, over 100 updates, and I discovered that Drive X retained its name but had supplanted C: as the main drive.

Next time I rebooted, the X drive could not load Windows. BYEBYE PC.

More than that, it selectively erased random videos, but erased the entire Musicals folder. Not just on my PC, but also on the memory stick I had bought for the sole purpose of protecting my videos. How it erased them there I can't begin to guess.

I used Recuva and got back a handful of videos, after which I was blocked. Then I switched over to my second standby PC (W10). I had copied many files before I had to really use it much, and the same videos that were erased on the stick and the other PC are also gone.

Now I'm seeing the same signs, and I know my new PC is thoroughly infected, probably with the same hack. I don't dare reboot. It tried to force a reboot, but I had a .txt file which hadn't been saved, and that gave me a chance to cancel. Now I keep a .txt file always unsaved. I disconnect the internet plug every day and turn off the monitor - nothing else. Even with a surge protector, if a storm shuts down the PC, I'm dead meat.

Much else is wrong. It interferes blatantly with downloads, making it impossible to download any security stuff, but when I do, it doesn't work or the file is called "file" instead of "Application" or there are zero bytes in the downloaded file. Stuff like that. Lots of stuff.

This is the only PC expert help site I've been able to use. The others have been corrupted and I can't log in.

Has ANYONE had experience with this? It has destroyed one PC and is on the brink of destroying my other one, after which I'll have NOTHING.

I'd call that serious. The hack seems to be able to know what I am doing and then thwart it, as though they're watching everything I do. It's probably just a program to hack me, but it's extremely sophisticated. Astonishingly deep seated and complex. I don't even dare try to reinstall W10 for fear the "update" screen will block that too. Both PCs were set to boot from the Windows CDs when I realized I was in trouble, but even that isn't enough.

HELP??? Can you refer me to an expert who is at the highest levels of this sort of thing, if this attack isn't known to you?
And if anyone can help me get back into my original PC, I'll nominate them for sainthood. The stuff is all there, just can't access any of it any more.

I just got a popup like happened with the other PC. It says "happiness" is rebooting for your updates. It's 100% foul. I can't reject it. I can postpone it an hour, that's all. Last time this happened, the happiness they delivered was a dead PC.
PLEASE! It is truly urgent. If we have a storm tonight and get a power outage longer than my surge protector lasts, I'm dead meat.

This is a very unusual problem. I don't expect you have experts on hand with this deep sophistication. If you can't help me, okay, but please tell me who might.

How many people can afford to lose two computers?

tashi
2019-08-20, 06:37
Hello faster,

Apparently these computers are not the legacy ones you had previously (https://forums.spybot.info/showthread.php?63844-Hacked-and-gagged-by-haters&highlight=) so I moved your topic to this forum. :)

I will leave a message for Juliet but I don't expect her to be back on-line for a few hours, early morning.

Kind regards,
tashi

Juliet
2019-08-20, 14:30
I don't know what's happened; I can only guess at what.
We can try to work through steps to find out what's going on, but I cannot give any kind of guarantees.

Are you able to open Task Manager, look around and see any suspicious .exe or .dll files there?

What happens if you boot into safe mode with networking?

If need be, do you have a USB drive that could be used to download tools to and then transfer to the desktop? Do you think your computer could recognize a USB drive at this point if inserted?

Turn all power off to your modem/router.
Leave it off 5 to 10 minutes.
Turn it back on, after all lights have stopped blinking (when you know it fully loaded again) try to connect back to the internet.
~~~

Let's see if renewing your computer's IP address shakes anything loose.

Renewing a computer's IP Address

Right-click on the Windows key, then select Command Prompt.
In the Command Prompt, enter "ipconfig /release" then press [Enter] to release your computer's current IP address.
Enter "ipconfig /renew" then press [Enter] to renew your computer's IP address.

~~~~~
See if you can go to the below site and run the tool.
If you can use a USB, download the next tool and save, then try to run it from desktop/safe mode


Follow the instructions in the thread below. Make sure to download the MBAR version linked in it.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.

~~~~~~~~~~~~~~~~~
See if you can go to the below site and run the tool.
If you can use a USB, download the next tool and save, then try to run it from desktop/safe mode


Download the right version of RogueKiller (http://www.adlice.com/download/roguekiller/#download) for your Windows version (32 or 64-bit)
Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
Wait for the scan to complete
On completion, the results will be displayed
Check every single entry (threat found), and click on the Remove Selected button
On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
This will open the report in Notepad. Copy/paste its content in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Do the same with the tool listed below and hopefully we can see some results.
~~
Farbar Recovery Scan Tool (FRST) Scan

Please download Farbar Recovery Scan Tool (x32) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/) or Farbar Recovery Scan Tool (x64) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save the file to your Desktop.
Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
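
Added example, not part of Juliet's instructions and not code from any of the tools she links: the poster reports downloads arriving as zero-byte files or as a plain "file" with no extension, so before running a scanner on a machine where downloads are suspected of being tampered with, check that the saved file is what it claims to be. The path in the usage line is an assumption; an expected SHA-256, if you supply one, has to come from the vendor's page read on a different, trusted machine.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
function Test-DownloadedTool {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256   # optional: hash taken from the vendor's site on a trusted machine
    )
    $result = [ordered]@{ Path = $Path; Ok = $false; Reason = '' }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Reason = 'file not found'
        return [pscustomobject]$result
    }
    $item = Get-Item -LiteralPath $Path

    # A zero-byte file, or one that lost its .exe extension (Explorer shows it as "file"),
    # will not run; both were reported in this thread.
    if ($item.Length -eq 0) {
        $result.Reason = 'zero-byte download'
        return [pscustomobject]$result
    }
    if ($item.Extension -ne '.exe') {
        $result.Reason = "unexpected extension '$($item.Extension)'"
        return [pscustomobject]$result
    }

    # Windows executables start with the two bytes 'MZ'; an HTML error page or a
    # truncated body saved under an .exe name will not.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $magic = New-Object byte[] 2
        [void]$stream.Read($magic, 0, 2)
    } finally {
        $stream.Dispose()
    }
    if (-not ($magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)) {
        $result.Reason = 'not a PE executable (missing MZ header)'
        return [pscustomobject]$result
    }

    # Authenticode status: a vendor-signed tool should report Valid. An unsigned or
    # NotSigned result is not proof of tampering on its own, but a HashMismatch is.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($sig.Status -eq 'HashMismatch') {
        $result.Reason = 'Authenticode hash mismatch: file was modified after signing'
        return [pscustomobject]$result
    }

    # Compare the hash with a value obtained on a different, trusted machine.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.Sha256 = $hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $result.Reason = 'SHA-256 does not match the expected value'
        return [pscustomobject]$result
    }

    $result.Ok = $true
    [pscustomobject]$result
}

# Usage (the path is an assumption; adjust to where the tool was saved):
Test-DownloadedTool -Path "$env:USERPROFILE\Desktop\FRST64.exe" | Format-List
```

If the check fails, download the tool again on another machine and carry it over on the USB stick, which is the route Juliet suggests above; compare the hash on both machines before running it.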

faster
2019-08-20, 22:19
When I woke up this morning, the PC had gone to sleep or something. There was a popup saying the PC wasn't ready, and I could reboot now or wait an hour. No other options. It'll be back soon. While the popup was there, I couldn't use my computer in any way but everything was still loaded, including the txt file I left untitled. I think that's what thwarted the hack. For now.
It popped up again, titled “Countdown to goodness.” It has had several other titles. All malicious. It has the powers that Microsoft would have when people update their systems. The updates force you into saying “yes” to obvious malware.

1. Task manager opens, but I don’t know how to suspect. I’m new to W10. If allowed, I'd copy the app's findings and send them to you, but it would be a lot of stuff. There probably IS something there.

2. If I try to boot into safe mode, the “update” will likely nail me.

Last night, B4 bed, I lost sound. Troubleshooter says it’s unplugged. It isn’t. But tells me to reboot. I won’t. It went off last night, while watching a politically satiric youtube.

3. Yes, I have a large capacity memory stick. But files on it, too, were deleted when my first PC was killed. Yes, the drive will be recognized.

4. Last night I disconnected from the web by unplugging that phone jack thing. Got back online with no trouble after I let the hack molest me again in an hour.
(I’m holding off on disconnecting the router; might not get back online.)

5. The IP address is probably how this sucker weaseled into my first PC. From there, it could have weaseled into my memory stick AND my new W10 PC, the one I’m using now. I thank you, because I’ve wanted to change my IP a long time. Didn’t know how. Thought I’d have to call my provider and have them do it. I will try your suggestion right away. But it’s already in my system, and the change is the barn door after the horse is gone.
Just finished, done. What is a Teredo Tunneling Pseudo-Interface? It’s been in Device manager on both PCs, a long time, and is suspicious. Can you inform me better about it? Teredo never has a Default Gateway.

6. I’m now downloading the malware, RogueKiller and Farbar. I’ll get back, after I post this, with the results. But since that maggot has blocked every security-type download I’ve tried, I’m not optimistic. It corrupts them or just doesn’t let them in. If it downloads an application correctly, it can't be launched - I'm asked what app I want to use to open it. There are no apps to open executable applications of programs. This hacker is WAY ahead of me on just about everything.

You’ve given me some hope, and I’m deeply grateful - gotta say it now in case THIS pc dies first. You’ve been most kind. If you don’t hear from me, could you write to my yahoo address (fastermx) so I can talk with you again if able?

Meanwhile, can you think of any way I can put the C: drive back in charge of W7 on the original PC? Without losing many gigabytes of data?

Juliet
2019-08-21, 13:12
When I woke up this morning, the PC had gone to sleep or something. There was a popup saying the PC wasn't ready, and I could reboot now or wait an hour. No other options. It'll be back soon. While the popup was there, I couldn't use my computer in any way but everything was still loaded, including the txt file I left untitled. I think that's what thwarted the hack. For now.
It popped up again, titled “Countdown to goodness.” It has had several other titles. All malicious. It has the powers that Microsoft would have when people update their systems. The updates force you into saying “yes” to obvious malware.
You posted something I've seen before: "Countdown to goodness", which also appears with other sayings on different machines.
This comes from Microsoft Windows updates,

forced updates regarding the Windows 10 "upgrade".

There are compatibility issues with Windows 10 version 1709; the release is significantly flawed. Software and hardware that once worked in previous versions just suddenly stop working in Windows 10 1709 after an upgrade, and sometimes lose functionality or stability.
Read over the below links

https://windowsreport.com/windows-10-update-alert-disable/
https://answers.microsoft.com/en-us/windows/forum/all/countdown-to-goodnesswtf/2ab766e6-ce90-42da-b5c5-9dbbb0862f73

https://www.bleepingcomputer.com/news/security/windows-10-fall-creators-update-now-fully-rolled-out-worldwide/
https://answers.microsoft.com/en-us/windows/forum/all/countdown-to-goodness/2581f48d-2fc3-4648-b974-1a2a6c03c4db?auth=1
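
Added example, not from this thread: a way to check on the Windows 10 PC whether the restart prompt is owed to Windows Update and what it intends to install, which is the explanation Juliet's links give. It also covers the Teredo question from the earlier post: the Teredo Tunneling Pseudo-Interface is a standard Windows IPv6 transition component present on ordinary installs, and it shows no default gateway because it is a tunnel rather than a LAN adapter. The registry paths are the documented Windows Update and servicing reboot flags; run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

function Get-PendingRebootSource {
    # Flags that Windows Update and component servicing set when a restart is owed.
    $checks = @{
        WindowsUpdate = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        Servicing     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Source = $name; RebootPending = (Test-Path -LiteralPath $checks[$name]) }
    }
    # Set by installers that replace files still in use; cleared on the next boot.
    $pfro = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    [pscustomobject]@{ Source = 'PendingFileRename'; RebootPending = [bool]$pfro }
}

function Get-PendingWindowsUpdates {
    # Ask the Windows Update Agent directly what it still wants to install.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            KB         = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
            Downloaded = $u.IsDownloaded
            Mandatory  = $u.IsMandatory
        }
    }
}

'--- Reboot-pending flags ---'
Get-PendingRebootSource | Format-Table -AutoSize

'--- Updates Windows Update still wants to install ---'
Get-PendingWindowsUpdates | Format-Table -AutoSize

'--- Most recently installed updates ---'
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn | Format-Table -AutoSize

'--- Teredo state (built-in IPv6 transition tunnel; no default gateway is normal) ---'
netsh interface teredo show state
```

If the RebootRequired flag is set and the pending list shows a feature update (the 1709 upgrade Juliet mentions), the prompt is Windows Update's own restart scheduler. Teredo can be switched off with "netsh interface teredo set state disabled" if it is not wanted, but its presence in Device Manager is expected on every Windows install.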

Juliet
2019-08-21, 13:20
How to reverse a Windows 10 upgrade. It may not be possible, but please read:
https://www.pcworld.com/article/3074020/how-to-go-back-to-windows-7-or-8-after-an-unwanted-windows-10-upgrade.html

Juliet
2019-08-29, 02:55
bump...

Juliet
2019-09-12, 12:19
Due to lack of feedback this topic is closed.