CAG Hacked - PHPBB Destroyer - Fake Plugin

The redirect looked funny, so the first thing I did when I came across the redirect page was a Google search - which confirmed this thing was no good.

I got a trojan last year that was a bitch to remove, so I'm always suspicious about these things now.
 
Well fuck. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?
 
[quote name='defender'] I make no claims that this will help you or that you won't screw your computer up.[/quote]

uh oh
 
How do you remove it from the registry? I keep getting an error when I reboot my computer. I found the file and deleted it, but I think there's more on my computer.
 
[quote name='vanlandw']i hate hackers[/quote]

The correct term is script kiddie. phpbb exploits are WIDELY known about and have been for a very long time now. (phpbb is not secure, at all)

and "scripts" exist for the purpose of sploiting it. which is what happened.

these script kiddies possess very limited actual knowledge, and therefore "hacker" is giving them way too much credit, as the script was readily available for download and created by someone else.
 
I had clicked my CAG link on Fav. Places and then got up to take a dump. When I came back there was this curious white screen with plain text saying "Because of trafficking issues we have installed this patch." (or something similar) I didn't remember what link I had clicked before I left, but I figured it was suspicious.

Came back to CAG a few minutes later and saw all the "CAG FORUMS HAVE BEEN HACKED DO NOT LOG IN/ENTER" .. so I took a screenshot of it. :)

I have always wondered what kind of people sit around and make viruses and malware. It seems so pointless to me. Don't you have anything better to do with your time? Or do they get some kind of power trip off of it?
 
[quote name='Rig']Well shaq-fu. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?[/quote]
 
[quote name='PittsburghAfterDark']And people wonder why I'm on a Mac and browse with Safari.[/quote]

The plugin would have shown up no matter what OS/browser you were using.. I would use a Mac, but only if I had a second machine...
 
[quote name='Rig'][quote name='Rig']Well shaq-fu. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?[/quote][/quote]

don't have a clue. i'm afraid you may have deleted the non clone version of the file.

[quote name='defender']NOTE: Please be very careful here.
10. Do a search in regedit for the key, value, and date for CSRSS.EXE (note: this is a clone of a real Windows component). Delete anything found with that key where the directory is from the folder in step 7. [/quote]
 
[quote name='gaelan'][quote name='Rig'][quote name='Rig']Well shaq-fu. I may have messed something up when deleting this. My "Security Center" in XP gives me this message:

The Security Center is currently unavailable because the "Security Center" has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

Well, son of a bitch. What the hell do I do now? I restarted my PC, but that same message is there. By the way, this is found by going to:

Start > Control Panel > Security Center

Does anybody (hopefully Defender) know what I need to do?[/quote][/quote]

don't have a clue. i'm afraid you may have deleted the non clone version of the file.

[quote name='defender']NOTE: Please be very careful here.
10. Do a search in regedit for the key, value, and date for CSRSS.EXE (note: this is a clone of a real Windows component). Delete anything found with that key where the directory is from the folder in step 7. [/quote][/quote]

That's what I was thinking, but everything else seems to be running correctly. :? Anyone??
 
Alright, so I'm a moron. I downloaded this crap and scanned it with virusscan, which came up fine, so I ran it. I followed the instructions, but I still get errors looking for files when the computer boots up. Now I followed all the instructions except for one thing. When doing the registry scan for the crss, a whole bunch of things popped up, and I only deleted the one that was really obvious, as I didn't want to delete other ones that might screw stuff up (most were listings for perfectly good files: firefox, bejeweled, etc...). Do I delete all of these?
 
I d/l it like a dumbass and went to set it up, and it brought up the black box in Run. I hit enter, then it asked something and I just closed it out and deleted it in the recycle bin. I then did a system restore and did a search for sp2patch.exe. It didn't find anything, and in the process it only shows one crs. So am I ok or not? I'm really worried right now and I hope everything is ok.
 
Boy, like a dumba$$ I downloaded it and opened it. Noticed it didn't do anything, so I checked task manager to see if something was running. And there behold csrss.exe was running under my user name, so I knew something was up. Went back to CAG and all the threads read "CAG Hacked... " Couldn't turn my comp off initially, but eventually turned it off. Woke up and read how to get rid of the fake patch and everything is fine now. Major thanks to defender for putting together the step by step removal tips.
 
OK, Defender,
I posted wrong a minute ago. It was in step 11: "11. Do a search for sp2patch.exe in regedit as well. DELETE any entries found."
I get a big list of stuff.... Do I delete ALL of these entries? some look ok... or are they affected or something?

Reason being that I'm still getting errors looking for files when Windows boots up normally.

Any suggestions would be greatly appreciated
 
[quote name='beerguy961'][quote name='PittsburghAfterDark']And people wonder why I'm on a Mac and browse with Safari.[/quote]

The plugin would have shown up no matter what OS/browser you were using.. I would use a Mac, but only if I had a second machine...[/quote]

I'm using Firefox on RHEL4, and the plug-in never showed up.
 
I'm very lucky I didn't visit the site last night. I'm usually a downloading freak, it's good I missed this one.
 
I noticed that it started showing the message right after 1am EST. I decided not to download; I googled the file, but couldn't find anything. So I then gave up on my posts for the night and decided that I would wait till the morning to find out if it was legit.
 
I didn't download the installer from the CAG hacked page. It seemed so "iffy" to me that this wouldn't have been announced earlier. However, I was curious and googled the link and ended up at the hacker's page (something about being angry at phpbb and wanting to bring them down, which the script doesn't even do). I must have clicked on something as a file did get transferred via my Opera browser. Despite the fact that I never opened it, I did get two csrss.exe files in Task Manager and found a new folder ("JqxHnbrh") in my System32 folder. I did an F8 reboot and deleted the files from the cmd line. Never had trouble restarting and nothing seemed adversely affected.

Something to think about if it ever happens again, Defender's tips looked very similar (font and background) to the hacker's page, and I was suspicious that it was just further mischief. I have Windows 2000, not XP, so I couldn't follow his advice anyway, but I was leery of deleting the Service Pack and deleting system files merely because it was signed "Defender." It wasn't until the main page was restored that I had confidence that it was real.
 
Any idea on what I should do? I think I got it all off, but I posted my problem above. Should I just use the manufacturer's Windows XP disc and reinstall Windows all over again?
 
Well, it also seems something may be wrong with my cookies. Each time I close IE, when I get back here to CAG, I have to manually log in each time, even though I check the box to stay logged in. :?
 
Just because you don't have the ps2patch file doesn't mean you are okay.

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.
 
Damn, I'm really pissed after seeing all the CAGers that got infected by this crap. There's gotta be at least 10 for every 1 that posts about it on this thread, too. :cry:

Hopefully the :censored: hacker discovers that karma is a bitch.
 
[quote name='Scrubking']

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.[/quote]

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?
 
[quote name='humidore'][quote name='Scrubking']

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.[/quote]

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?[/quote]

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.
 
Once again, I'd like to apologize to the CAG community for this pain in the ass hassle.

I really thought I was prepared for this and had made the proper corrections last weekend. Little did I know that the changes I made never saved.

:oops:
 
[quote name='Scrubking']

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.[/quote]

I'll start the praying now, thanks! Only firewall I have is the Windows one, so God knows right, heh....

Don't worry bout it Cheapy, ain't a thang but a chicken wing.
 
[quote name='wubb']I'm pretty sure ipconfig.exe is part of Windows. I don't think if you have that it means you were infected. (Are you absolutely sure on that Scrubking? And do you have a site with info, etc?) ipconfig.exe is mentioned on MS's site as part of Windows 2000:

http://support.microsoft.com/kb/223413/EN-US/[/quote]

Well that was the only stuff that started acting up. I had no sp2patch file whatsoever. Anyway I haven't had a problem so if they are real win files then they must not be that important so you can just reinstall em or whatever. I would reinstall fresh versions anyway just to be on the safe side.
 
No harm to my computer as I didn't download and install the plug-in. It really seemed fishy to me from the beginning.

IIRC, it started . . .

Due to the high volume of traffic we've been RECIEVING...

*cough*spellcheck*cough :roll:

Glad you were able to get the forums up and running again, Cheapy! :applause:
 
[quote name='Scrubking'][quote name='humidore'][quote name='Scrubking']

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.[/quote]

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?[/quote]

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.[/quote]

When I searched for these, I had four returned when I searched for Ipconf.tsp and 3 returned when I searched for Ipconfig.exe. I am not sure if any of these should be deleted. How do you tell which are good, and which aren't?

Also, would it solve all of my problems just to reinstall Windows completely? I really don't have much of anything I really need on here right now...
 
[quote name='Rig'][quote name='Scrubking'][quote name='humidore'][quote name='Scrubking']

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.[/quote]

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?[/quote]

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.[/quote]

When I searched for these, I had four returned when I searched for Ipconf.tsp and 3 returned searches when I searched for Ipconfig.exe I am not sure if any of these should be deleted. How do you tell which are good, and which aren't?

Also, would it solve all of my problems just to reinstall Windows completely? I really don't have much of anything I really need on here right now...[/quote]

That's what I'm saying - it probably installed its own version of those files, but I'm not a hacker so I don't know.

I would say to check the date on those files - I would suspect the most recently used or accessed ones are the bad ones.

I believe that if you delete them you can do a repair install that will reinstall those files again without formatting and installing from scratch.
 
[quote name='Scrubking'][quote name='Rig'][quote name='Scrubking'][quote name='humidore'][quote name='Scrubking']

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like aceutilites or reg organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.[/quote]

Does my having the "Ipconf" files mean I have to go through the whole procedure listed on the first page of this thread?[/quote]

You don't have to repeat everything. Just go into safe mode and delete those files. And pray that you had a firewall to stop it from sending your info all over the net.

Also make sure to delete the file you downloaded. You might forget and one day click on it again to see what it is.[/quote]

When I searched for these, I had four returned when I searched for Ipconf.tsp and 3 returned searches when I searched for Ipconfig.exe I am not sure if any of these should be deleted. How do you tell which are good, and which aren't?

Also, would it solve all of my problems just to reinstall Windows completely? I really don't have much of anything I really need on here right now...[/quote]

That's what I'm saying - it probably installed its own version of those files, but I'm not a hacker so I don't know.

I would say to check the date on those files - I would suspect the most recently used or accessed ones are the bad ones.

I believe that if you delete them you can do a repair install that will reinstall those files again without formatting and installing from scratch.[/quote]

Well, I looked at their dates, and they were all from a while ago (like August 2004) so I don't think any of them are bad.
 
Well I only had one copy of each of those files, so I just did a system restore to the morning before I saw the plugin. The thing is, I didn't run it (Windows stopped me before that, and I decided not to run it), but I noticed I was getting pop ups and had Ad stuff in my "Processes" tab of Task Manager. Spybot picked up a lot of stuff, but then said it couldn't remove a lot of it. Adaware didn't pick up the same stuff I think, but I removed what it did pick up anyway.

So now, after my system restore, I will re-install McAfee (i took it off cause it was slowing my comp down so much) and go from there.
 
I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?!
 
[quote name='Rig']I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?![/quote]

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system restore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:
 
[quote name='Professor Oreo'][quote name='Rig']I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?![/quote]

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system retsore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:[/quote]

Shit. I don't remember getting that warning, but thanks for telling me. Now, can anybody answer these:

If I reinstall Windows XP with the CD that came with my PC, will it get rid of my problems? Will my Security Center come back?
 
I downloaded it by accident yesterday. You know sometimes you just click the mouse for no apparent reason, well I clicked it right as the screen switched over to the hacked screen and clicked it right on the plug in link :? .

Alright, I did pretty much exactly as Defender and others have said. I think I'm set now and have cleaned it all out, but I just want to make sure. All I have left now is one csrss.exe in my system folder and only one running in Task Manager. The date it says that it was created was on 8/25/2003 and then the date it says that it was modified was on 8/29/2002. It sounds kind of fishy but I think I did basically everything Cheapy, Defender, and others have said to do. Is this the alright csrss.exe file?
 
I believe the correct file should be in the system32 folder as opposed to being in a subfolder of system32.
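The posts above describe two clues for telling the genuine Windows component from the clone: the real csrss.exe sits directly in System32, while the fake one lived in a random-named subfolder (the "JqxHnbrh" folder one poster found), and files like sp2patch.exe or Ipconf.tsp are not names Windows ships at all. The script below is an added example, not code from the thread or from any poster, that turns that reasoning into a location-based triage over a directory tree. It builds a constructed temporary tree (placeholder files, not real binaries) laid out the way the thread describes, then flags every copy of a suspect name that is not a known component in its expected directory. The name lists and expected directories are assumptions taken from the posts; ipconfig.exe is treated as a legitimate System32 file, as wubb points out further down.

```python
import os
import tempfile
from pathlib import Path

# File names the thread says the fake "plugin" dropped or cloned (assumption
# drawn from the posts above, not an authoritative indicator list).
SUSPECT_NAMES = {"csrss.exe", "sp2patch.exe", "ipconf.tsp", "ipconfig.exe"}

# Genuine Windows components and the directory (relative to the Windows
# root) where the real copy lives. Anything else with a suspect name is a clone.
EXPECTED_DIRS = {
    "csrss.exe": Path("System32"),
    "ipconfig.exe": Path("System32"),
}


def find_suspects(system_root):
    """Walk system_root and return sorted (relative_path, verdict) pairs for
    every file whose name matches a suspect name.

    A file is 'expected' only when it is a known Windows component sitting
    directly in its expected directory. A copy in a subfolder, or a name that
    Windows never ships, is 'suspicious'. Location is a triage heuristic only;
    on a real system you would also verify the file's publisher signature."""
    root = Path(system_root)
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname not in SUSPECT_NAMES:
                continue
            rel = Path(dirpath).relative_to(root) / name
            expected_dir = EXPECTED_DIRS.get(lname)
            if expected_dir is not None and rel.parent == expected_dir:
                verdict = "expected"
            else:
                verdict = "suspicious"
            results.append((rel.as_posix(), verdict))
    return sorted(results)


def build_constructed_tree():
    """Create a constructed temporary tree shaped like the thread describes:
    the real csrss.exe and ipconfig.exe in System32, plus a clone csrss.exe
    and sp2patch.exe in a random-named subfolder, and an Ipconf.tsp dropper."""
    base = Path(tempfile.mkdtemp(prefix="fake_winroot_"))
    (base / "System32" / "JqxHnbrh").mkdir(parents=True)
    for rel in [
        "System32/csrss.exe",            # genuine location
        "System32/ipconfig.exe",         # genuine location
        "System32/JqxHnbrh/csrss.exe",   # clone in a subfolder
        "System32/JqxHnbrh/sp2patch.exe",
        "System32/Ipconf.tsp",           # not a Windows file name
        "System32/notepad.exe",          # unrelated file, should be ignored
    ]:
        (base / rel).write_bytes(b"constructed placeholder, not a real binary\n")
    return base


if __name__ == "__main__":
    root = build_constructed_tree()
    for path, verdict in find_suspects(root):
        print(f"{verdict:10s} {path}")
```

Running it prints two `expected` lines for the System32 copies and three `suspicious` lines for the subfolder clones and the Ipconf.tsp file, which is the same sorting the posters were doing by hand with Windows search. Pointing `find_suspects` at a real Windows directory would list real paths, but the verdict is only a first filter: a clone could also be dropped directly into System32 under a different name, so a signature check is still the deciding step.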
 
I just did a search for that Ipconfig stuff that Scrubking recommended to be deleted and only found one of each file. On the Ipconfig.tsp it found only one, but it says that the date it was created was on 8/25/2003 and the date modified is 8/29/2002. Why is that?

Also, could you guys maybe refresh my memory again on where the system restore is? Isn't it in Start > All Programs > Accessories > System Tools?
 
[quote name='Scrubking']I believe the correct file should be in the system32 folder as apposed to being in a subfolder of system32.[/quote]

Well, I don't see any more csrss files or folders in the system32 folder. I see just one csrss.exe, but it is not in any specific subfolder, just in the system32 one.
 