Author Topic: GPU Process Reversal?  (Read 11717 times)

0 Members and 1 Guest are viewing this topic.

July 25, 2012, 02:52:58 pm
Read 11717 times

walterab

  • Jr. Member

  • Offline
  • **

  • 20
I have given up on posting solutions so today I have a problem that needs addressing.  I have re-formatted my 1TB hard drive to attempt to reverse what occurred when a hacker penetrated my firewall and used my nVidia GeForce Graphics Card's memory to mine bit coins.  I have my Windows Vista computer set up to do all of my computing "in the Cloud" and on a wireless network driven by a cable modem.  I have 52+ years experience with digital information systems and turned 81 years of age last month.  Is there anyone that has any experience in re-setting the default environment for normal operation?  My main system memory consists of 8GB (4 DDR modules) and my Graphics card has 256MBs. :-\

July 25, 2012, 03:39:12 pm
Reply #1

dlipman

  • Special Access
  • Full Member

  • Offline
  • *

  • 60
    • Multi-AV Scanning Tool
I truly doubt "...hacker penetrated my firewall and used my nVidia GeForce Graphics Card's memory to mine bit coins".

More likely a driveby download or visiting a vulnerability/exploitation site with the payload being a BitCoin Miner trojan. (assuming that's what you had).

I don't know what you want so I will be general...

Make sure your your SOHO Router is properly secured (does not respond to PINGs, no remote administration and the default password has been changed to a strong password) and WiFi accessed via a strong password using WPA2-AES.

Make sure your Vista PC is up-to-date in ALL software, not just the OS.

Make sure you use anti virus software and practice Safe Hex.

For regular computer usage, use a Limited User Account (LUA) instead of an account with administrative privileges.

Make data backups and image the computer regularly so you don't have to wipe and re-install the OS.



July 27, 2012, 08:43:22 pm
Reply #2

walterab

  • Jr. Member

  • Offline
  • **

  • 20
Erasing the words "truly doubt", let me offer this in my behalf.  I have Windows Vista Home Premium along with 8GBs of DDR System RAM Plus an NVIDIA GeForce 9300 Graphics Card with 256MBs of on-card memory.  But there is more as you can see in the following screen snapshot taken from Control Panel:

I have customized my Control Panel 'Default Programs' to include Apple Safari, iTunes, and QuickTime.  With the hefty Graphics Memory, the Trojan Horse DevilRobber set up shop on my computer and I finally found a way to block it from spreading to other systems.  The fix was sent to Steve Gibson at www.grc.com (patch TCP/IP Port 34522).

The Trojan DevilRobber has the potential to bring down a Nation due to the use of Bit Coins and online gambling.

Check me out on Google using the keywords walt, ivey

July 27, 2012, 09:17:08 pm
Reply #3

dlipman

  • Special Access
  • Full Member

  • Offline
  • *

  • 60
    • Multi-AV Scanning Tool
Your screenshots show the use of MS Windows, not MAC OSX.

The DevilRobber (Backdoor:OSX/DevilRobber) is a MAC OSX trojan backdoor and data stealer and not a virus or worm.  It opens TCP port 34522 for its backdoor operations.  It can not infect a PC on its own and requires assistance.  That assistance is via Social Engineering by it being repackaged with a software installer and was originally distributed via Torrents but could be located on Usenet or warez sites.



July 30, 2012, 03:00:44 am
Reply #4

walterab

  • Jr. Member

  • Offline
  • **

  • 20
Follow along with me on this one.  My computer IS a Microsoft Vista Home Premium that is loaded with features.  If you looked closely at the screen snapshot showing my non-Windows defaults, then you can see that I have Mac Safari, iTunes, and QuickTime defaulted - but you can also see that my secondary O/S is Google Chromium and Cloud Computing.  I think that some culprit mistook my Vista/Mac/Chrome/Cloud system for a Mac because I have the quality of Graphic architecture that Bit Coin Miners seek.  This is what I have stated from the first.  I think that I nailed the miscreant last night when I downloaded, installed, and ran PortQueryV2 - because I have not heard the fan roaring on the NVIDIA GeForce 9300 w/256MB graphic memory.  Thanks for your interest and comments - I value your help.
Walter Ivey

July 30, 2012, 11:01:15 am
Reply #5

dlipman

  • Special Access
  • Full Member

  • Offline
  • *

  • 60
    • Multi-AV Scanning Tool
A Windows PC can't be mistaken for MAC OSX because you have Apple software for Windows.

Post the obfuscated URL or path to download - PortQueryV2.

EDIT:

You stated "I finally found a way to block it from spreading to other systems.  The fix was sent to Steve Gibson".
What was that fix ?

July 30, 2012, 04:41:31 pm
Reply #6

walterab

  • Jr. Member

  • Offline
  • **

  • 20
Thanks again for your reply.  The fix that I sent to www.grc.com concerned "Little Snitch" that is available on Mac OX-2 but missing from Microsoft Windows Vista so my suggestion was suppressing UDP Port 34522 or possibly blocking the port.  Here is the reply that I received back from Gibson Research:

Much as we would truly love to help everyone, we are unfortunately
unable to provide individual one-on-one assistance for questions
arising from the ShieldsUP! site.  It is a completely free service
hosting approximately 25,000 people per day.  The best we've been
able to do is assemble some comprehensive self-help pages where you
will be very likely to find an answer.  Please see the ShieldsUP! FAQ
(Frequently Asked Questions) page
<http://www.grc.com/faq-shieldsup.htm> for all the specifics.

We have updated the "advice" pages
<http://www.grc.com/su-bondage.htm>, and we even obsoleted the need
for the NoShare and LetShare utilities.  We have come up with ways to
achieve their results WITHOUT any additional software!

Unfortunately, we don't have time to review every product out there
but what we have checked out can be found on our ShieldsUP! firewall
pages <http://www.grc.com/su-firewalls.htm>.

If you find that you *do* still need individual help, please take
advantage of our very active and terrific online ShieldsUP! user
group forum <http://www.grc.com/groups/shieldsup>. There you'll find
hundreds of helpful people who are anxious and able to provide the
assistance you require.  The "Discussion" page
<http://www.grc.com/discussions.htm> will explain the use of the
forum and help to get you started.

Lastly, GRC and Steve have Twitter accounts and Blogs that can be
easily subscribed to in order to receive periodic news and
updates.  Please see our <http://grc.com/news.htm> page for all the details.

Thank you for your understanding.

Sincerely,

Greg McIntyre
Gibson Research
Technical Support 

And here is the URL where you can download PortqryV2:  www.microsoft.com/en-us/download/details.aspx?id=17148

I am attaching a text file that I extracted in order to print the syntax.  Let me know if you need anything else?  How about tasking me with a research request so that I can showcase my contributions to Google Chrome?
Walterab