CAG Hacked - PHPBB Destroyer - Fake Plugin

[quote name='Scrubking']Just because you don't have the ps2patch file doesn't mean you are okay.

Also look for these files in X:\win\system32 and delete them via safe mode: Ipconf.tsp & Ipconfig.exe

Also an easier way to clean your registry after deleting the crss.exe file is to get a registry cleaner like Ace Utilities or Reg Organizer. Once the file is deleted they will detect the bad registry entries and delete them for you so you don't have to worry about deleting something that you shouldn't.

Also flush all your browser cache to be on the safe side, and check your plugins to make sure that something isn't in there.[/quote]

I ran a search for Ipconf.tsp and it came up under system32, but said it hadn't been modified since sometime in 2004. The same thing goes for Ipconfig.exe. Should I assume that those files are fine, then? HOWEVER, I did come across something called IPCONFIG.EXE-05D7908C.pf under C:\Windows\Prefetch and this file was modified on 2/28/05. Should I delete that?
 
Until somebody confirms this exploit actually does something with ipconfig.exe I wouldn't fool with it. Just my 2 cents.
 
[quote name='Rig'][quote name='Professor Oreo'][quote name='Rig']I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?![/quote]

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system restore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:[/quote]

Shit. I don't remember getting that warning, but thanks for telling me. Now, can anybody answer these:

If I reinstall Windows XP with the CD that came with my PC, will it get rid of my problems? Will my Security Center come back?[/quote]

If you reformat and then reinstall Windows XP it will get rid of all your problems. I was also infected and that's what I'm going to do. It's the only way to be sure you're completely clean. Just be sure to back up any files you want to keep since reformatting deletes everything.
 
[quote name='Collectordragon'][quote name='Rig'][quote name='Professor Oreo'][quote name='Rig']I was going to do a System Restore, but the only restore point it has available was for today at noon...WTF?![/quote]

I got an alert when I chose to turn off system restore (following Defender's steps to clear out the plug-in) that said if I chose to turn it off that it would reset and clear all restore points that currently existed on my computer. So I'm figuring if you turned off system restore then turned it back on, the only restore point you're gonna have is the time at which system restore was turned back on... which for you would be about noon today I'm assuming? :oops:[/quote]

Shit. I don't remember getting that warning, but thanks for telling me. Now, can anybody answer these:

If I reinstall Windows XP with the CD that came with my PC, will it get rid of my problems? Will my Security Center come back?[/quote]

If you reformat and then reinstall Windows XP it will get rid of all your problems. I was also infected and that's what I'm going to do. It's the only way to be sure you're completely clean. Just be sure to back up any files you want to keep since reformatting deletes everything.[/quote]

Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?
 
[quote name='Rig']Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?[/quote]

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.
 
[quote name='Fire']I just did a search for that Ipconfig stuff that Scrubking recommended to be deleted and only found one of each file. On the Ipconfig.tsp it found only one but it says that the date it was created was on 8/25/2003 and the date modified is 8/29/2002, why is that?

Also could you guys maybe refresh my memory again where the system restore is. Isn't it in Start>All Programs>Accessories>System Tools?[/quote]

Umm...could anyone possibly answer my question?
 
[quote name='Collectordragon'][quote name='Rig']Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?[/quote]

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.[/quote]

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?
 
Safe mode question: I'm trying to follow the directions to remove this DAMNED thing (Sygate firewall picked it up right away and it isn't able to transmit ...but I need it off.) I try to startup in safe mode but it won't start. goes to a bunch of disk partition commands and then just freezes. any ideas/suggestions? any other way to get this off my computer?
 
[quote name='Fire'][quote name='Fire']I just did a search for that Ipconfig stuff that Scrubking recommended to be deleted and only found one of each file. On the Ipconfig.tsp it found only one but it says that the date it was created was on 8/25/2003 and the date modified is 8/29/2002, why is that?

Also could you guys maybe refresh my memory again where the system restore is. Isn't it in Start>All Programs>Accessories>System Tools?[/quote]

Umm...could anyone possibly answer my question?[/quote]

ipconfig.exe is a legit windows file. I wouldn't worry about it. Unless somebody finds some real info that this is part of what the exploit hoses up.
 
[quote name='Lootr2Core']also I try to delete the folder in the system32 directory but cannot delete it.[/quote]

you need to be in safemode.
 
[quote name='Socheata']I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time...but everything seems to be A-OK right now.[/quote]

I would also like to add that when I did a search for the sp2patch file, no results were returned. I'm still wondering if this plugin ever installed on my comp, since I ran/open it... :?
 
[quote name='postaboy'][quote name='Lootr2Core']also I try to delete the folder in the system32 directory but cannot delete it.[/quote]

you need to be in safemode.[/quote]

but I can't seem to get in safemode
 
[quote name='Lootr2Core'][quote name='postaboy'][quote name='Lootr2Core']also I try to delete the folder in the system32 directory but cannot delete it.[/quote]

you need to be in safemode.[/quote]

but I can't seem to get in safemode[/quote]

I know that some PC's don't like it if you hold down the F8 key. Did you try tapping the F8 key? That works on some PC's.
 
I can at times get to the safe mode boot screen, highlight safe mode, and it starts to load (shows many lines of "Disk partition blah blah") and then nothing.
 
I am fairly confident that you can rid yourself of the malware.

I was pretty thorough in watching what it did. I know how to manually track and delete these things. One thing you can look for in a file is when it was changed. You can even search your drive by date modified. I only found those files and in the registry only keys associated with them.

I should have written down all the actual key locations but it was really late...5am EST. I was really tired.

You can obviously reinstall windows to rid yourself of this thing but it isn't absolutely the only way. You most likely have items still in the registry if you are getting errors on startup.

ifconfig.exe you shouldn't mess with. Csrss.exe must be running as user SYSTEM....
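
Added example, not part of defender's post or of the original thread: a Python sketch of the "search by date modified" check described above, combined with a check for a csrss.exe copy sitting anywhere other than directly inside system32. The directory name `example_subdir`, the dates and the file contents are constructed sample values, and the function names are this example's own.

```python
import os
import tempfile
from datetime import datetime

WATCHED_NAMES = {"csrss.exe"}  # system binary name discussed in the thread

def triage(system32, start, end):
    """Walk system32 and return sorted (reason, path) findings.

    "misplaced": a watched name found anywhere except directly in system32.
    "modified":  any file whose last-modified time falls in [start, end].
    """
    system32 = os.path.abspath(system32)
    lo, hi = start.timestamp(), end.timestamp()
    findings = []
    for dirpath, _dirs, files in os.walk(system32):
        in_top_level = os.path.normcase(dirpath) == os.path.normcase(system32)
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # locked or vanished file: skip it, keep sweeping
            if name.lower() in WATCHED_NAMES and not in_top_level:
                findings.append(("misplaced", path))
            if lo <= mtime <= hi:
                findings.append(("modified", path))
    return sorted(findings)

def build_sample_tree(root):
    """Create a constructed sample tree (placeholder files, not real binaries)."""
    old = datetime(2004, 8, 4).timestamp()
    new = datetime(2005, 2, 28, 12).timestamp()
    s32 = os.path.join(root, "system32")
    layout = {
        "csrss.exe": old,                                   # expected location
        "ipconfig.exe": old,                                # untouched since 2004
        os.path.join("example_subdir", "csrss.exe"): new,   # constructed stray copy
    }
    for rel, mtime in layout.items():
        path = os.path.join(s32, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))  # set access and modified times
    return s32

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_tree(tmp)
        window = (datetime(2005, 2, 27), datetime(2005, 3, 2))
        for reason, path in triage(sample, *window):
            print(reason, path)
```

File timestamps can be rewritten by software, so an empty result from a sweep like this does not prove a machine is clean.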
 
[quote name='Rig'][quote name='Collectordragon'][quote name='Rig']Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?[/quote]

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.[/quote]

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?[/quote]

You want to backup anything you want to keep like game saves, bookmarks, documents, videos, music, and any programs or program installers you don't already have backup copies for.
 
[quote name='Lootr2Core']Safe mode question: I'm trying to follow the directions to remove this DAMNED thing (Sygate firewall picked it up right away and it isn't able to transmit ...but I need it off.) I try to startup in safe mode but it won't start. goes to a bunch of disk partition commands and then just freezes. any ideas/suggestions? any other way to get this off my computer?[/quote]

You might want to run a checkdisk at bootup. Could be some files that got corrupted & the space needs to be reclaimed causing it to hang up
 
Can someone answer this...

I downloaded the plugin, and tried to open/run it. But nothing ever popped up. When I went to the task manager, I saw something along the lines of login.exe that was in the Processes tab. I ended it, of course. So, did this thing ever install onto my comp? Since searching for the sp2patch file had no results.
 
Just a helpful note, since nobody's really mentioned it:

csrss.exe is NOT a normal Windows ME process. I know most everyone uses XP, but if you're one of the few still on WinME and you have that file, odds are you picked up this trojan if not another, since there are several that use csrss.exe.
 
[quote name='WhipSmartBanky']Just a helpful note, since nobody's really mentioned it:

csrss.exe is NOT a normal Windows ME process. I know most everyone uses XP, but if you're one of the few still on WinME and you have that file, odds are you picked up this trojan if not another, since there are several that use csrss.exe.[/quote]

People still use Windows:ME? Millennium Edition my arse! ME is an inside joke at Microsoft. ME secretly stands for 'More Errors' ;)
 
[quote name='Socheata'][quote name='Socheata']I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time...but everything seems to be A-OK right now.[/quote]

I would also like to add that when I did a search for the sp2patch file, no results were returned. I'm still wondering if this plugin ever installed on my comp, since I ran/open it... :?[/quote]

I am pretty sure sp2patch file is only if you use win XP. If you use Win 2K then find the csrss.exe under the sub directory of system32 directory.
 
[quote name='Collectordragon'][quote name='Rig'][quote name='Collectordragon'][quote name='Rig']Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?[/quote]

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.[/quote]

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?[/quote]

You want to backup anything you want to keep like game saves, bookmarks, documents, videos, music, and any programs or program installers you don't already have backup copies for.[/quote]

Thank you very much. Yeah, I don't think there's really much I need to backup then. Most of the crap on here is pointless anyway. I don't really play PC games, and all of my programs can just be reinstalled...thanks!
 
[quote name='Rig'][quote name='Collectordragon'][quote name='Rig'][quote name='Collectordragon'][quote name='Rig']Thanks. I've been waiting for an answer to this... Looks like that is what I will have to do. Well, in a couple of days. My XP disc is at home and I'm at college... :?[/quote]

You're welcome. I recommend anyone that was infected to reformat and reinstall. It's the only way to be sure you're 100% clean. This malware could very well have allowed an attacker to install additional software that you might not be able to detect. In fact I'm using a Mac laptop right now and I don't plan to go back online with the PC that was infected until after I reformat and reinstall Windows.[/quote]

Actually, what things should I backup? I mean, there's nothing really on here that didn't already come on here before. I suppose my anime, but I really can't think of much else. Is there anything I would probably have I can't think of that needs backing up?[/quote]

You want to backup anything you want to keep like game saves, bookmarks, documents, videos, music, and any programs or program installers you don't already have backup copies for.[/quote]

Thank you very much. Yeah, I don't think there's really much I need to backup then. Most of the crap on here is pointless anyway. I don't really play PC games, and all of my programs can just be reinstalled...thanks![/quote]

No problem. One more thing you might want to backup is any e-mail that is stored on your local machine.
 
[quote name='Indonesia'][quote name='Socheata'][quote name='Socheata']I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time...but everything seems to be A-OK right now.[/quote]

I would also like to add that when I did a search for the sp2patch file, no results were returned. I'm still wondering if this plugin ever installed on my comp, since I ran/open it... :?[/quote]

I am pretty sure sp2patch file is only if you use win XP. If you use Win 2K then find the csrss.exe under the sub directory of system32 directory.[/quote]

Actually, I do have Windows XP. But never downloaded Service Pack 2 ever since I heard so many bad things about it.
 
Every time I try to post or get data from the site, it tells me that it is in debug but when I refresh the page it comes up fine. Also, when I try to post it tells me that I have to resend the data or something like that.
 
This is what I keep getting:

phpBB : Critical Error

Error updating sessions table

DEBUG MODE

SQL Error : 1034 Incorrect key file for table: 'phpbb_users'. Try to repair it

UPDATE phpbb_users SET user_session_time = 1109729229, user_session_page = -9 WHERE user_id = 14908

Line : 293
File : sessions.php
 
[quote name='defender']I am fairly confident that you can rid yourself of the malware.

I was pretty thorough in watching what it did. I know how to manually track and delete these things. One thing you can look for in a file is when it was changed. You can even search your drive by date modified. I only found those files and in the registry only keys associated with them.

I should have written down all the actual key locations but it was really late...5am EST. I was really tired.

You can obviously reinstall windows to rid yourself of this thing but it isn't absolutely the only way. You most likely have items still in the registry if you are getting errors on startup.

ifconfig.exe you shouldn't mess with. Csrss.exe must be running as user SYSTEM....[/quote]

I have it now running as a user SYSTEM but what exactly is its purpose?
 
[quote name='zionoverfire']I think it's little kinks left over from the hack, but I'm sure defender knows the full situation.[/quote]

Defender may not have all the hack-related kinks ironed out yet, but he can sell you a DS for $250. :D
 
Yeah, I used to get that before the hack (the debug thing). Also the refresh seems a bit weak. It takes forever to refresh properly. Like I'll refresh and get the same thing right after I posted. It has like a weird delay or something.
 
Yeah, I just got sent to a page with some text related to that plugin, after a few secs of looking on CAG. I recognized the URL to the plugin...It just doesn't want to go without a fight...
 
Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52
 
SITE SEEMS TO REDIRECT AGAIN WITH SIMILAR HACK

YOU NEED TO CLOSE DOWN THE SITE IF IT'S POSSIBLY GOING TO HARM YOUR USERS. SERIOUSLY!!!
 
Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52
 
I'm getting something different:
Warning: main(module.Informer.php): failed to open stream: No such file or directory in /home/www/confixx/html/fehler.inc.php on line 36

Warning: main(): Failed opening 'module.Informer.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/www/confixx/html/fehler.inc.php on line 36

Fatal error: Cannot instantiate non-existent class: informerpresentation in /home/www/confixx/html/fehler.inc.php on line 52

Every time I click something I have to click the stop button when it shows up, otherwise I get redirected to the above screen.
 