Jump to content

Free Palestine Hacker

Recommended Posts

I was just attacked by a hacker. All of a sudden a window popped up on my desktop with the title "Now chating with >> !~Hacker~!, he talked me through that a little bit. Asked me if I spoke Arabic, asked if I was American, and proceeded to say he hated Americans. 

Throughout that, he would occasionally control my mouse, though I could control it still as well. He stopped talking through his chat box, and a picture covered my screen with images of a Free Palestine, peace sign fingers, and a big image of a pile of skulls with the UK, USA, and Israel flag on 3 of them with a sword going through the Israeli flag. 

Nothing I did would get that window to go away, and it took over my primary monitor's screen. After fiddling with the task manager a bit (CTRL+SHIFT+ESC), I tried to get his window up to see if he had said anything. After that, the image changed to a .gif with sound, or possibly even a video of a black and white eye look around frantically and moaning and groaning noises going on (Scare image, basically). 

I've run malwarebyes in safe mode + Networking and it came back with some potentially unwanted files/registry values, etc. I deleted those, restarted my computer but the Free Palestine image immediately came up. 

Am I screwed? Do I need to do a clean install of windows?

Here's the MalwareBytes log.

Malwarebytes Anti-Malware

Database version: v2013.10.31.02

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Magabury :: MAGABURY-PC [administrator]

10/31/2013 2:07:42 AM
mbam-log-2013-10-31 (02-07-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225678
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
HKCU\Software\1ClickDownload (PUP.Optional.1ClickDownload.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|41a00b3eecaa2a31bb3addf7ea591​dde (Backdoor.Agent.TRJ) -> Data: "C:\Users\Magabury\AppData\Roaming\Computer.exe" .. -> Quarantined and deleted successfully.
HKCU\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: 11111111 -> Quarantined and deleted successfully.
HKLM\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: 11111111 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 6
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\OpenCandy\72C894CDDD4745A581A3192FC9ABD4BC (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\OpenCandy\OpenCandy_72C894CDDD4745A581A3192FC9​ABD4BC (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

Files Detected: 12
C:\Users\Magabury\AppData\Roaming\OpenCandy\72C894CDDD4745A581A3192FC9ABD4BC\Ope​nCandySliderASPCA_20120302.msi (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41a00b3eecaa2a31bb3addf7ea591dde.exe (Trojan.MSIL.GenX) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\Computer.exe (Backdoor.Agent.TRJ) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\Computer.exe.tmp (Backdoor.Agent.TRJ) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\OpenCandy\72C894CDDD4745A581A3192FC9ABD4BC\248​7.ico (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\OpenCandy\72C894CDDD4745A581A3192FC9ABD4BC\EBB​77268-338F-4C6A-8590-AD88FED26F4A (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\OpenCandy\72C894CDDD4745A581A3192FC9ABD4BC\OCB​rowserHelper_1.0.3.85.dll (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Magabury\AppData\Roaming\OpenCandy\72C894CDDD4745A581A3192FC9ABD4BC\WeC​are_ASPCA_Standard_p27v1.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.


Link to post
Share on other sites

Update: I have taken back my desktop. I am not exactly sure what exactly caused it, but I managed to get rid of the Free Palestine picture that would block my entire desktop and cover anything that opened (Even if "Always On Top" was enabled on the window, though task manager opened with Ctrl+Shift+Esc was able to stay above the image).


The Black and White eye was apparently a problem by the name "TheEye.exe", which was found in my Curse Client (Addon download for MMO's and other games such as World of Warcraft, Minecraft, etc.).


The first thing that comes to mind on getting control of my desktop back was ending the Explorer.exe process because the task manager (As mentioned above) was able to sit above the image. After this, I restarted the process, and I now have my desktop, without the image. 



MalwareBytes, and SUPERAntiSpyware are both coming up clean. I am going to restart my computer again to see if the image comes back. I used CCleaner to remove Curse Client, and TheEye.exe. 

Link to post
Share on other sites

Okay, after restarting my computer, it seems as though this problem is gone. The image no longer shows up, and my computer seems to be running normal. 


Any suggestions on what I should do? 


Should I do a clean install of Windows, to be safe? Wait, and see if it comes back, then do the clean install? 

Link to post
Share on other sites

  • Root Admin

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.