aftereffects of a worm

Discussion in 'Computer Security' started by peace101, Jul 7, 2009.

  1. peace101

    peace101 Guest

    I'm very smart with computers. I've been fighting that conficter worm since
    Aug/Sep of 2008. After this worm, which I sort of still have, I've learned
    that I know nothing about computers. I thought maybe the FBI or similar was
    watching. One thing I can't figure out is how it affects my CD/DVD drives. I
    bought new restore disks, and every disk I put in, it says invalid disk until
    the 3rd time I open/close the door. When it asked for disk 2 of the restore
    (note: new and never used), same result: wrong disk until I open the drive
    twice. At the same time, if I burn a disk and put it in the CD player in my
    vehicle, it also says invalid disk twice the first time I use it.

    The only explanation I can come up with is this:
    The worm hides and runs from the first master boot record of the 2 in sector
    0.
    That gives the worm full access no matter what OS is on. That explains the
    invalid signatures. If I low-level format with more than one drive installed,
    it shuts down the program that tries to wipe the drive. But if I remove all
    drives except 1, and even low-level format drive A that it creates just in
    case, it will finish the format.
    It then stores and locks memory for its use using virtual technology. If I
    scan memory, it says it's bad, but it's not.
    It seems to monitor a lot of ports, and I watched it change info instantly.
    If the hacker logs on, for example using anonymous logon, I see the IP
    address change instantly.

    As time goes on and I learn more about this worm, it seems that I'm missing
    something because I can't get rid of it. And if I do get rid of the worm, it
    scares me that since March I get 1 or 2 thousand blocked incoming random IPs
    on random ports, so my computers will get infected anyway.

    I have 1 computer that I need to know if I need to throw away the
    motherboard, because even in DOS mode using Windows, it lags big time. I have
    a quad, a dual and 2 computers with speeds over 2 GHz, and it acts as though
    it's a 10 meg machine. And I do notice that my CD/DVD drives work only when
    they choose.

    Can anyone help me with this situation? There is more, but too much to put
    all together. Also no one seems to be helping me with the worm situation...
     
    peace101, Jul 7, 2009
    #1

  2. 1PW

    1PW Guest

    Hello:

    You have offered no positive proof that you have a worm or any other
    malware. However, since you failed to offer detailed information
    about your hardware and OS, all I can offer is that you run the following:

    GMER: <http://www.gmer.net/#files>
    MBAM: <http://www.malwarebytes.org/mbam.php>
    SAS: <http://www.superantispyware.com/superantispywarefreevspro.html>

    *and* a known good, and highly reputable antivirus with a full scan.

    Please update this thread with much more detail and progress.

    Pete
     
    1PW, Jul 7, 2009
    #2

  3. Please state your full Windows version (e.g., WinXP SP3; Vista x64 SP2) when
    posting to this newsgroup.

    PS: Please avoid chatspeak here.
     
    PA Bear [MS MVP], Jul 7, 2009
    #3
  4. ObiWan [MVP]

    ObiWan [MVP] Guest

    heh... and in particular when one starts a post with a
    "I'm very smart with computers." Now, I think of myself
    that I know something about computers, not that "I'm
    smart", since I think that when you start considering
    stuff "usual" it's time to do a deep check, since there
    is something which definitely isn't working <g>

    (Murphy is ALWAYS there :D)
     
    ObiWan [MVP], Jul 7, 2009
    #4
  5. ~BD~

    ~BD~ Guest

    An interesting post. I suggest you post same in the Usenet group
    'alt.computer.security' too.

    Perhaps you should try asking at www.aumha.net - there are some *very*
    clever people there. You will need to register though.

    Another place to ask is at www.annexcafe.com - specifically the
    User2User computer help group. Again, you will have to register.

    I've been where you seem to be. Other folk seem to think it cannot
    happen - but I trashed my machine eventually and bought a new one!

    Good luck!
     
    ~BD~, Jul 7, 2009
    #5
  6. Anyone who's "been fighting that conficter [sic] worm since aug/sep of 2008"
    is not the brightest bulb in the box.
     
    PA Bear [MS MVP], Jul 7, 2009
    #6
  7. peace101

    peace101 Guest

    It seems to not matter which operating system. Even after a low-level
    format, same thing. But I use both Vista and XP, and have Vista on this
    computer pertaining to the restore disk.
    The computer used is an HP dual-core Pavilion Media Center.

     
    peace101, Jul 8, 2009
    #7
  8. peace101

    peace101 Guest

    OK, smart aleck PA Bear. When I say I've been fighting this worm since
    Aug/Sep 2008, the version I have is not the same as those listed. This one
    is undetectable, breaks through any security and any electronics. I went
    through 2 routers and 3 hubs, and watched the hacker go to tech sites trying
    to work around any settings, and he always succeeds. In this version the
    hacker was always connected.
    He seems to use a virtual technology to make a computer outside my operating
    system. Whenever I found a flaw in his worm, he always fixed it, and each
    time I tried to figure it out and block it, he changed security settings
    and I got access denied. He takes over part of my memory and always logs on
    in memory location 3e7 as remote anonymous login. Later I found out he uses
    root certificates and makes his own, allowing him to gain access to any
    computer. And if I block power users and deny all remote or anonymous
    connections, he uses cookies to tell his worm what to do to allow him
    access, which later I found out his worm stores on every drive in the first
    master boot record in sector zero as FAT12 or FAT16.

    Good news is that I waited for him to make a mistake so I could find out who
    he is, and that day came March 31st. I used a packet sniffer to see what he
    does, and he uses codes between him and the worm, and after a neighbor got a
    call with my name on caller ID, an hour later I got a text with the same
    signature. He claims he has the same worm, and panicked thinking I said his
    name.

    And I got another person through DNS settings that linked back to another
    person who also has the worm and is in a lawsuit for cybercrime.

    FBI getting involved, and hoping I find out how it's possible for every
    drive to not work until the 3rd time. I can only assume that he changed CMOS
    or BIOS settings using firmware and a bind method and intercepts the drive
    info. It does this to every CD drive I add, and also on my other
    computers...

    Anyways, take care, Mr. Murphy's Law.... lol

     
    peace101, Jul 8, 2009
    #8
  9. I'm sure the FBI will be knocking at your door very soon to investigate
    this.
     
    PA Bear [MS MVP], Jul 8, 2009
    #9
  10. Milo

    Milo Guest

    Hi peace101,

    Better call the nearest FBI office and ask to be transferred to the
    Cybercrime unit.

     
    Milo, Jul 8, 2009
    #10
  11. It even affected the cd player in the car! Now the car won't start until
    the third time...
     
    FromTheRafters, Jul 8, 2009
    #11
  12. ObiWan [MVP]

    ObiWan [MVP] Guest

    uhm.... if so they'll probably send there the same
    unit which took care of Dr. Hannibal Lecter <eg>
     
    ObiWan [MVP], Jul 9, 2009
    #12
  13. Ooo, kinky!
     
    PA Bear [MS MVP], Jul 9, 2009
    #13
  14. antihacker101

    You want proof? I had to cut out over 30k letters so it would fit.

    This is peace101.
    The real worm originally was a backdoor that was created by the HACKER of BILL PARKS that works at the Department of Transportation (according to a news investigator). This whole April Fools/Conficker/botnet are parts of a psychological defense from him to cover his tracks that was the TRAFFIC.

    He was using my machine to spread and use our machines to increase traffic to influence the outcome of a law called ROOTLAW.

    The IPs I get that started in Feb 2009 and are still running today, which I'm going to paste, are from the main and real worm and are untouched. Its highest priority is to be undetected. The worm uses loopback to intercept all ports. Your browsers, for example, are infected through port 1900. Each port is a command. Updates from the hacker are spread, after being programmed through me, using port 443 or 445, I remember.

    Nov 17 was the day the hacker finished making its first major change that uploaded to you on port 443 or 445 (one of them). That's when a patch was first blamed for the safe mode reboot loop forcing a format.

    The 2nd I remember was around Feb, where parts of the intercepts were removed, but a lot of you got blue screens from NULL or vol-something.

    Before I paste the log of the IP samples, I want to tell you how it's really spreading.

    The first part of the worm uses our phones and towers to inject radio packets that are used somehow to spread the worm.

    The 2nd part was the emails with strange subjects that were assumed to be spam but were linked to a list I found in a temp folder with numbers assigned. This is what was used to give the backdoor/worm commands and kept it in sequence with new phases of spreading.

    The 3rd part is where every type of text window such as this one is used to inject hidden memory string points that you can see using Spy++.
    This is the reason that some of your emails and messages had missing or twisted letters.

    Here is a recent list of the IPs I'm talking about from the real worm. Note the dates are from not updating after the last reset. I cleared the log around 2 hours ago. This is fresh.

     
    antihacker101, Aug 22, 2010
    #14
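Before treating a router log like the one antihacker101 pasted as evidence of a targeted attacker, a defender would aggregate the blocked-inbound lines by destination port and by source to see whether they are ordinary internet background scanning. The script below is an added example, not code from the thread; it assumes the line format shown in the post (`[INFO] <date> Blocked incoming TCP connection request from A:port to B:port`, plus the router's "Above message repeated N times" lines) and uses constructed sample lines with documentation-range addresses rather than the thread's own.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the router log pasted in the thread.
# Addresses are documentation ranges (RFC 5737), not the thread's addresses.
SAMPLE_LOG = """\
[INFO] Sun Feb 08 05:27:56 2004 Blocked incoming TCP connection request from 203.0.113.46:12200 to 198.51.100.7:8085
[INFO] Sun Feb 08 05:25:29 2004 Blocked incoming UDP packet from 203.0.113.18:31999 to 198.51.100.7:4384
[WARN] Sun Feb 08 05:24:42 2004 A network computer (Compaq) was assigned the IP address of 192.168.0.199.
[INFO] Sun Feb 08 05:22:28 2004 Blocked incoming TCP connection request from 192.0.2.199:38144 to 198.51.100.7:135
[INFO] Sun Feb 08 05:18:28 2004 Blocked incoming TCP connection request from 192.0.2.199:53494 to 198.51.100.7:445
[INFO] Sun Feb 08 05:11:51 2004 Blocked incoming TCP connection request from 203.0.113.241:24682 to 198.51.100.7:445
[INFO] Sun Feb 08 05:11:43 2004 Above message repeated 2 times
[INFO] Sun Feb 08 05:03:57 2004 Blocked outgoing TCP packet from 192.168.0.197:49471 to 198.51.100.9:80 with unexpected acknowledgement 3289141230 (expected 3289144134 to 3289145587)
[INFO] Sun Feb 08 05:03:57 2004 Above message repeated 2 times
"""

BLOCKED_IN = re.compile(
    r"^\[(?P<level>\w+)\] (?P<ts>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) "
    r"Blocked incoming (?P<proto>TCP|UDP) (?:connection request|packet) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
REPEATED = re.compile(r"Above message repeated (\d+) times$")


def parse_blocked_inbound(text):
    """One dict per blocked inbound event, expanding 'Above message repeated N times'.
    A repeat line is credited only to the inbound-block line directly above it; any
    other message (DHCP notice, outgoing block) breaks the chain, so the second
    repeat line in the sample is correctly ignored."""
    events, last = [], None
    for line in text.splitlines():
        line = line.strip()
        m = BLOCKED_IN.match(line)
        if m:
            last = m.groupdict()
            events.append(last)
            continue
        r = REPEATED.search(line)
        if r:
            if last is not None:
                events.extend(dict(last) for _ in range(int(r.group(1))))
            continue
        last = None
    return events


def summarize(events):
    """Count blocked inbound events by (protocol, destination port) and by source."""
    by_port = Counter((e["proto"], int(e["dport"])) for e in events)
    by_src = Counter(e["src"] for e in events)
    return by_port, by_src


if __name__ == "__main__":
    by_port, by_src = summarize(parse_blocked_inbound(SAMPLE_LOG))
    print("by destination port:", by_port.most_common(), "by source:", by_src.most_common())
```

On a typical home connection the top destination ports in such a log are SMB/RPC (445, 135) and common proxy ports, probed by automated scanners worldwide. Conficker itself spread over TCP 445, so blocked inbound 445 hits are the noise of other people's infections being stopped at the firewall, not evidence of a foothold on the machine behind it.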
