What does it mean when 750GB of random movies suddenly appear on your computer?

Just wondering if anybody has had his happen to them as well!

Heaps of dvd ripped movies appeared on my computer, ranging everything from Apocalypse Now to Zombieland, but they're all in an invalid format. Interestingly, the total combined size of all the files are 750gb, even though I only have around 300 gb total on my computer.

The files on XP were under
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads

What is this weirdness? Any hints?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

the_hutch

Houston...we have a problem!!!

nosoup4u

Quick Google search suggests virus/malware...

Potential FcsSas.exe impersonating Virus - Page 2 - Virus, Trojan, Spyware, and Malware Removal Logs

http://forum.avast.com/index.php?topic=112185.20

DDWingate

thanks, that was a good read. Fortunately I was able to delete them, unlike that poor guy.

I don't know if the creation date for the files are accurate, but it said it was created around 7 pm, may 14, 2013, which happens to be the same time I was running a full scan on on all my drives with malwarebytes

the ironing!!!

kriscamaro68

A quick bing search reveals you are running an 11 year old OS and need to upgrade to atleast Windows 7.

demonfurbie

according to a yahoo search its time to burn the house down

petedude

kriscamaro68 wrote: »

A quick bing search reveals you are running an 11 year old OS and need to upgrade to atleast Windows 7.

A quick DuckDuckGo search reveals Windows to be the root of all evils; therefore you should wipe your drive and install Linux instead.

CodeBlox

DDWingate wrote: »

thanks, that was a good read. Fortunately I was able to delete them, unlike that poor guy.

I don't know if the creation date for the files are accurate, but it said it was created around 7 pm, may 14, 2013, which happens to be the same time I was running a full scan on on all my drives with malwarebytes

the ironing!!!

You mean to tell me that after that, you're just going leave it at "Deleting" the items? I'd be re-imaging and re-installing my apps.

YFZblu

CodeBlox wrote: »

You mean to tell me that after that, you're just going leave it at "Deleting" the items? I'd be re-imaging and re-installing my apps.

Seriously, this. Immediately. And find out what exploited you so you can update whatever got you pwned.

N2IT

+1 Burn it down. Reimage that badboy.

Zartanasaurus

I'd be getting a new hard drive and throwing my old one into a furnace.

MentholMoose

Zartanasaurus wrote: »

I'd be getting a new hard drive and throwing my old one into a furnace.

Not sure if you're serious but that is a bit extreme, and too expensive for me since I use SSDs. A couple random/zero passes with a wipe program (hard disk) or a secure erase (SSD) should completely eliminate any malware. If you were worried about malware somehow surviving that, I think you'd need to replace the PC, or at least all components with writable firmware (motherboard, graphics card, NIC, even the CD/DVD-ROM drive).

Malware in BIOS stirs concern at Black Hat meet

ptilsen

If the specific malware was identified and you can remove it, I wouldn't reinstall OS. If you can't identify and remove, I would definitely reinstall. I certainly wouldn't dispose of the drive.

the_hutch

Directions on how to "burn it down", lol:

1. Use a live version of linux (most common distros will work) and boot to disk (this will automatically mount your hard-drive)
2. Open up terminal session and enter the following command:
sudo fdisk -l
3. This will list your mounted volumes. Identify your local hard-disk by name...most likely "dev/sda#"
4. Enter the following command to shred:
sudo shred -v /dev/sda#
5. This will randomize all of the bits on the drive with 3 passes.
6. Use disk utility to format, partition, etc... Or you could just image which should handle the formatting for you

Hope this "burn it down" guide has been helpful. Works a whole lot better than the "deleted the files" approach.

the_hutch

Exploited hard-drive TO THE GROUND!!!

MentholMoose

ptilsen wrote: »

If the specific malware was identified and you can remove it, I wouldn't reinstall OS. If you can't identify and remove, I would definitely reinstall. I certainly wouldn't dispose of the drive.

I used to take the same approach as you. I maintained a BartPE disk with the latest Stinger and other tools to do offline cleanups. But malware kept advancing and requiring more and more specialized cleanup tools, and taking longer and longer to clean up, so a few years ago I changed my mind.

Besides the long time required to clean an infection, often longer than reimaging, the big problem today is that identifying and removing malware does not guarantee in the slightest that it won't come back. There are many techniques malware can use to reinfect a PC even after AV software gives it a clean bill of health. SANS recently did a series of articles based on a presentation that may be eye-opening:

Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1
Wipe the drive! Stealthy Malware Persistence - Part 2
Wipe the drive! Stealthy Malware Persistence - Part 3
Wipe the drive! Stealthy Malware Persistence - Part 4

Antivirus software has simply failed to keep up with the advancements in malware sophistication of the last few years. Currently, AV is pretty much only good for preventing known malware from infecting a PC. If it even manages to detect an actual infection, it is too late and time to reimage or restore from backup, if security is a concern.

YFZblu

^ This. A clean bill of health given by AV is nice, but this means one is assuming AV has signatures and detection methods for every type of malware which obviously isn't the case. It's a pain, but I would nuke from orbit after a legit malware hit. Also, the links above are a great read. +rep.

ptilsen

I don't really disagree with you or your approach. My approach is only viable if you can be reasonably sure you have eliminated malware. Even then, you probably have to be willing to accept some risk that you haven't. Persistence mechanisms in general are not new to me (although a couple of those are; very cool stuff by the way), but in my opinion most infections aren't actually that sophisticated, and most can even be defeated by fairly mundane tools. The issues are what risk are you willing to take and how much effort are you willing to take? I think in many situations it isn't worth the risk or the effort to even try to identify and remove malware. But, I think in many others nuking everything and starting over is an overreaction.

MentholMoose

ptilsen wrote: »

Persistence mechanisms in general are not new to me (although a couple of those are; very cool stuff by the way), but in my opinion most infections aren't actually that sophisticated, and most can even be defeated by fairly mundane tools.

Good point. If AV can detect the infection, the malware is probably unsophisticated (e.g. it didn't disable AV, or adequately evade it) enough to clean up successfully.

Zartanasaurus

MentholMoose wrote: »

Not sure if you're serious but that is a bit extreme, and too expensive for me since I use SSDs. A couple random/zero passes with a wipe program (hard disk) or a secure erase (SSD) should completely eliminate any malware. If you were worried about malware somehow surviving that, I think you'd need to replace the PC, or at least all components with writable firmware (motherboard, graphics card, NIC, even the CD/DVD-ROM drive).

Malware in BIOS stirs concern at Black Hat meet

I was joking about the furnace, but not about getting a new HDD. Now you've made me even more paranoid.

YFZblu

MentholMoose wrote: »

Good point. If AV can detect the infection, the malware is probably unsophisticated (e.g. it didn't disable AV, or adequately evade it) enough to clean up successfully.

Assuming that's the only piece of malware that was downloaded. I have seen instances in my environment at work in which the downloader was detected via On-demand scan, and nothing else. We know the downloader's purpose is to download more malicious code; code which has not yet been picked up by AV. I'm not saying it's impossible to clean up a machine, but nuking should be the preferred method IMO considering the amount of time and effort involved in the forensics/eradication process.

wes allen

I agree with the fdisk and start over, preferably with something other then XP, plan. I tend to nuke my personal boxes a couple times a year as a matter of course, and my laptop, maybe 4 or so times a year.

And, as many have said, A/V is far from being a the top of the list of useful things you can do to protect yourself.

olaHalo

What format where the movies in?

DDWingate

Thanks for your advice guys!

Problem solved. I took my hard drive, and I THREW IT ON THE GROUND

just joking, although it is an old bugger - its an IDE from years ago. I think I have rid myself of the malware - after numerous scans, the computer seems to be performing better than ever. I think the problem may have had something to do with some serious malware that was causing constant upload rates of about 3-100 kb/s (which I learned about with netmeter).

After a series of full scans on all my drives with malwarebytes, it blocked a potentially malicious website... coincidentally at the exact same time it was scanning over the fake movie files, which you can see on the picture! "Iron Man 3 italian [DVDRip]". Didn't think it's come out on DVD yet!

What format where the movies in?

.avi

our culprit.JPG

sratakhin

I would also recommend you scanning your computer with Kaspersky TDSSKiller. I have used it a lot to get rid of some nasty rootkits.

tpatt100

I haven't had an issue with malware in quite a while but in the past even when I thought I corrected an issue my computer was never quite the same, either it's paranoia or it was actually more sluggish. I would notice the random HD activity light kick on when I wasn't doing anything, I was constantly checking task manager for some unknown process, etc. Not worth it. Then I had malware that just would never die and keep coming back after a reboot.

gunbunnysoulja

Just curious, do you or does anyone else use torrents on that computer? Even for legally copyrighted material, there is still the potential for spillage where users files will download to your computer, even if they aren't sharing them and you aren't downloading them specifically.

MAC_Addy

Were they good movies?

kurosaki00

pron?
all the ti......err
yes you need to scan your pc or something.

olaHalo

DDWingate wrote: »

.avi

Oh
I thought I read that they were in an invalid format
bizarre none the less

jibbajabba

DDWingate wrote: »

the ironing!!!

Hate that too - especially shirts