
What does it mean when 750GB of random movies suddenly appear on your computer?

DDWingate Member Posts: 16
Just wondering if anybody has had this happen to them as well!

Heaps of DVD-ripped movies appeared on my computer, ranging from Apocalypse Now to Zombieland, but they're all in an invalid format. Interestingly, the total combined size of all the files is 750 GB, even though I only have around 300 GB total on my computer.

The files on XP were under
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads

What is this weirdness? Any hints?
www.historyofpleasantview.blogspot.com
Doug's Declassified History of Pleasantview - The Second Greatest Story Ever Told!
Subscribe Today!

Comments

  • the_hutch Banned Posts: 827
    Houston...we have a problem!!!
  • DDWingate Member Posts: 16
    Thanks, that was a good read. Fortunately I was able to delete them, unlike that poor guy.

    I don't know if the creation dates for the files are accurate, but they said they were created around 7 pm, May 14, 2013, which happens to be the same time I was running a full scan on all my drives with Malwarebytes.

    the ironing!!!
  • kriscamaro68 Member Posts: 1,186
    A quick Bing search reveals you are running an 11-year-old OS and need to upgrade to at least Windows 7.
  • demonfurbie Member Posts: 1,819
    According to a Yahoo search, it's time to burn the house down.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • petedude Member Posts: 1,510
    kriscamaro68 wrote: »
    A quick Bing search reveals you are running an 11-year-old OS and need to upgrade to at least Windows 7.

    A quick DuckDuckGo search reveals Windows to be the root of all evils; therefore you should wipe your drive and install Linux instead.

    :D
    Even if you're on the right track, you'll get run over if you just sit there.
    --Will Rogers
  • CodeBlox Member Posts: 1,363
    DDWingate wrote: »
    Thanks, that was a good read. Fortunately I was able to delete them, unlike that poor guy.

    I don't know if the creation dates for the files are accurate, but they said they were created around 7 pm, May 14, 2013, which happens to be the same time I was running a full scan on all my drives with Malwarebytes.

    the ironing!!!
    You mean to tell me that after that, you're just going to leave it at "deleting" the items? I'd be re-imaging and re-installing my apps.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • YFZblu Member Posts: 1,462
    CodeBlox wrote: »
    You mean to tell me that after that, you're just going to leave it at "deleting" the items? I'd be re-imaging and re-installing my apps.
    Seriously, this. Immediately. And find out what exploited you so you can update whatever got you pwned.
  • N2IT Inactive Imported Users Posts: 7,483
    +1 Burn it down. Reimage that badboy.
  • Zartanasaurus Member Posts: 2,008
    I'd be getting a new hard drive and throwing my old one into a furnace.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%
  • MentholMoose Member Posts: 1,525
    Zartanasaurus wrote: »
    I'd be getting a new hard drive and throwing my old one into a furnace.
    Not sure if you're serious, but that is a bit extreme, and too expensive for me since I use SSDs. A couple of random/zero passes with a wipe program (hard disk) or a secure erase (SSD) should completely eliminate any malware. If you were worried about malware somehow surviving that, I think you'd need to replace the PC, or at least all components with writable firmware (motherboard, graphics card, NIC, even the CD/DVD-ROM drive).

    Malware in BIOS stirs concern at Black Hat meet
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • ptilsen Member Posts: 2,835
    If the specific malware was identified and you can remove it, I wouldn't reinstall the OS. If you can't identify and remove it, I would definitely reinstall. I certainly wouldn't dispose of the drive.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • the_hutch Banned Posts: 827
    Directions on how to "burn it down", lol:

    1. Use a live version of Linux (most common distros will work) and boot to disk (this will automatically mount your hard drive).
    2. Open up a terminal session and enter the following command:
    sudo fdisk -l
    3. This will list your mounted volumes. Identify your local hard disk by name... most likely "/dev/sda#".
    4. Enter the following command to shred:
    sudo shred -v /dev/sda#
    5. This will randomize all of the bits on the drive with 3 passes.
    6. Use Disk Utility to format, partition, etc... Or you could just image, which should handle the formatting for you.

    Hope this "burn it down" guide has been helpful. Works a whole lot better than the "delete the files" approach.
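    A pre-flight check to run before step 4 of the guide above, added here as an example and not part of the_hutch's post: shred should only ever be pointed at a whole, unmounted disk, and a live distro may have auto-mounted the partitions, so the function refuses anything that is not a block device under /dev or that (or any partition of which) still appears in the mount table. The function names and the optional MOUNTS_FILE argument are my own; the constructed mount-table lines in the test are not from a real system.

```shell
#!/bin/sh
# Added example, not part of the_hutch's guide: sanity checks to run before
# "sudo shred -v /dev/sdX" from a live session. shred must only be pointed
# at a whole, unmounted disk; a live distro may have auto-mounted the
# partitions, so the mount table is consulted first.

# is_mounted DEVICE [MOUNTS_FILE]
# Returns 0 when DEVICE or any partition on it (/dev/sda1 for /dev/sda)
# appears as the source of a mount. MOUNTS_FILE defaults to /proc/mounts;
# the parameter exists so the check can be exercised on a constructed table.
is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    [ -r "$mounts" ] || return 1
    # field 1 of each line is the mounted source; match DEVICE as a prefix
    awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }' "$mounts"
}

# check_wipe_target DEVICE [MOUNTS_FILE]
# Prints a verdict and returns non-zero unless DEVICE looks safe to shred.
check_wipe_target() {
    dev=$1
    mounts=${2:-/proc/mounts}
    case "$dev" in
        /dev/*) ;;
        *) echo "refuse: $dev is not a device path under /dev"; return 1 ;;
    esac
    if [ ! -b "$dev" ]; then
        echo "refuse: $dev is not a block device"; return 1
    fi
    if [ ! -r "$mounts" ]; then
        echo "refuse: cannot read $mounts to confirm $dev is unmounted"; return 1
    fi
    if is_mounted "$dev" "$mounts"; then
        echo "refuse: $dev (or a partition on it) is mounted; unmount it first"; return 1
    fi
    echo "ok: $dev is an unmounted block device"
    return 0
}

# Typical use from the live session, after confirming the name with fdisk -l:
#   check_wipe_target /dev/sda && sudo shred -v /dev/sda
```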
  • the_hutch Banned Posts: 827
    Exploited hard-drive TO THE GROUND!!!
  • MentholMoose Member Posts: 1,525
    ptilsen wrote: »
    If the specific malware was identified and you can remove it, I wouldn't reinstall the OS. If you can't identify and remove it, I would definitely reinstall. I certainly wouldn't dispose of the drive.
    I used to take the same approach as you. I maintained a BartPE disk with the latest Stinger and other tools to do offline cleanups. But malware kept advancing and requiring more and more specialized cleanup tools, and taking longer and longer to clean up, so a few years ago I changed my mind.

    Besides the long time required to clean an infection, often longer than reimaging, the big problem today is that identifying and removing malware does not guarantee in the slightest that it won't come back. There are many techniques malware can use to reinfect a PC even after AV software gives it a clean bill of health. SANS recently did a series of articles based on a presentation that may be eye-opening:

    Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1
    Wipe the drive! Stealthy Malware Persistence - Part 2
    Wipe the drive! Stealthy Malware Persistence - Part 3
    Wipe the drive! Stealthy Malware Persistence - Part 4

    Antivirus software has simply failed to keep up with the advancements in malware sophistication of the last few years. Currently, AV is pretty much only good for preventing known malware from infecting a PC. If it even manages to detect an actual infection, it is too late and time to reimage or restore from backup, if security is a concern.
  • YFZblu Member Posts: 1,462
    ^ This. A clean bill of health given by AV is nice, but this means one is assuming AV has signatures and detection methods for every type of malware which obviously isn't the case. It's a pain, but I would nuke from orbit after a legit malware hit. Also, the links above are a great read. +rep.
  • ptilsen Member Posts: 2,835
    I don't really disagree with you or your approach. My approach is only viable if you can be reasonably sure you have eliminated malware. Even then, you probably have to be willing to accept some risk that you haven't. Persistence mechanisms in general are not new to me (although a couple of those are; very cool stuff by the way), but in my opinion most infections aren't actually that sophisticated, and most can even be defeated by fairly mundane tools. The issues are what risk are you willing to take and how much effort are you willing to take? I think in many situations it isn't worth the risk or the effort to even try to identify and remove malware. But, I think in many others nuking everything and starting over is an overreaction.
  • MentholMoose Member Posts: 1,525
    ptilsen wrote: »
    Persistence mechanisms in general are not new to me (although a couple of those are; very cool stuff by the way), but in my opinion most infections aren't actually that sophisticated, and most can even be defeated by fairly mundane tools.
    Good point. If AV can detect the infection, the malware is probably unsophisticated (e.g. it didn't disable AV, or adequately evade it) enough to clean up successfully.
  • Zartanasaurus Member Posts: 2,008
    MentholMoose wrote: »
    Not sure if you're serious, but that is a bit extreme, and too expensive for me since I use SSDs. A couple of random/zero passes with a wipe program (hard disk) or a secure erase (SSD) should completely eliminate any malware. If you were worried about malware somehow surviving that, I think you'd need to replace the PC, or at least all components with writable firmware (motherboard, graphics card, NIC, even the CD/DVD-ROM drive).

    Malware in BIOS stirs concern at Black Hat meet

    I was joking about the furnace, but not about getting a new HDD. Now you've made me even more paranoid.
  • YFZblu Member Posts: 1,462
    MentholMoose wrote: »
    Good point. If AV can detect the infection, the malware is probably unsophisticated (e.g. it didn't disable AV, or adequately evade it) enough to clean up successfully.
    Assuming that's the only piece of malware that was downloaded. I have seen instances in my environment at work in which the downloader was detected via On-demand scan, and nothing else. We know the downloader's purpose is to download more malicious code; code which has not yet been picked up by AV. I'm not saying it's impossible to clean up a machine, but nuking should be the preferred method IMO considering the amount of time and effort involved in the forensics/eradication process.
  • wes allen Member Posts: 540
    I agree with the fdisk and start over, preferably with something other than XP, plan. I tend to nuke my personal boxes a couple of times a year as a matter of course, and my laptop maybe 4 or so times a year.

    And, as many have said, A/V is far from being at the top of the list of useful things you can do to protect yourself.
  • olaHalo Member Posts: 748
    What format were the movies in?
  • phoeneous Member Posts: 2,333
    petedude wrote: »
    A quick DuckDuckGo search reveals Windows to be the root of all evils; therefore you should wipe your drive and install Linux instead.

    :D

    Said the MCSE :)
  • DDWingate Member Posts: 16
    Thanks for your advice guys!

    Problem solved. I took my hard drive, and I THREW IT ON THE GROUND

    Just joking, although it is an old bugger - it's an IDE from years ago. I think I have rid myself of the malware - after numerous scans, the computer seems to be performing better than ever. I think the problem may have had something to do with some serious malware that was causing constant upload rates of about 3-100 kb/s (which I learned about with NetMeter).

    After a series of full scans on all my drives with Malwarebytes, it blocked a potentially malicious website... coincidentally at the exact same time it was scanning over the fake movie files, which you can see in the picture! "Iron Man 3 italian [DVDRip]". Didn't think it'd come out on DVD yet!
    olaHalo wrote: »
    What format were the movies in?

    .avi
  • sratakhin Member Posts: 818
    I would also recommend scanning your computer with Kaspersky TDSSKiller. I have used it a lot to get rid of some nasty rootkits.
  • tpatt100 Member Posts: 2,991
    I haven't had an issue with malware in quite a while, but in the past, even when I thought I had corrected an issue, my computer was never quite the same; either it's paranoia or it was actually more sluggish. I would notice the random HD activity light kick on when I wasn't doing anything, I was constantly checking Task Manager for some unknown process, etc. Not worth it. Then I had malware that just would never die and kept coming back after a reboot.
  • gunbunnysoulja Member Posts: 353
    Just curious, do you or does anyone else use torrents on that computer? Even for legally copyrighted material, there is still the potential for spillage where users' files will download to your computer, even if they aren't sharing them and you aren't downloading them specifically.
    WGU BSIT Start Date: July 1, 2013
    In Progress: CJV1 (4 CU)
    Transferred: WFV1, TJP1, CLC1, INC1, INT1, EUP1, EUC1, BVC1, GAC1, DHV1, DIV1, CWV1, CRV1, DEV1, CTV1, DJV1, IWC1, IWT1, CVV1, RIT1, CIC1, CJC1, TBP1, TCP1, EAV1, EBV1, TJC1, AGC1 (82 CU)
    Completed: MGC1, TPV1, CUV1 (14 CU)
    Remaining: BOV1, BNC1, TXP1, TXC1, TYP1, TPC1, SBT1, QZT1 (22 CU)


  • MAC_Addy Member Posts: 1,740
    Were they good movies?
    2017 Certification Goals:
    CCNP R/S
  • kurosaki00 Member Posts: 973
    pron?
    all the ti......err
    yes you need to scan your pc or something.
    meh
  • olaHalo Member Posts: 748
    DDWingate wrote: »
    .avi
    Oh
    I thought I read that they were in an invalid format
    Bizarre nonetheless.