They’re back

Albert/Kathy Buckner asked 3 years ago

My name is Kathy and my 86-year-old father, Albert, was tricked and taken advantage of by hackers that took control of his computer. Since then it has been wiped clean and Windows reinstalled. Nevertheless I am still suspicious!! I do have questions; however, I would like to give some background first.
This started in March of this year. At that time they managed to reroute and receive all Windows notifications of Administrative Events that occurred on my dad's computer. They eventually loaded "Custom dynamic link libraries for every application" to create a facade and no local access or control. The only way I was able to access the actual computer (rather than a "custom library link") was via a Windows help link. The Windows help had a link to the Summary of Administrative Events where I was able to see thousands of events which at times were being reported at a rate of 8 per SECOND. Being that the Administrative Events were not delivered as intended, when we ran malware and Windows reported "The program mbam.exe version stopped interacting with Windows and was closed", they simply restarted mbam.exe and changed the contents of the new library folder called malware. The map hierarchy of "My Computer": "My Computer" was in a folder labeled "Computers", within "Component Services" under control of "Console Root". I took pictures with my phone of some of the error messages and mapping.

My dad actually paid them $399.99 on September 4, 2014, for them to "fix" the problems he was having (an unsolicited incoming call from "Tech. Support"). Subsequently his credit card was compromised.

Now my question: when I ran the route tracker, line 5 just shows * * AND subsequently both line 4 and line 5 show * *. This is the command prompt for the computer:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.


Manipulates network routing tables.

ROUTE [-f] [-p] [-4|-6] command [destination]
[MASK netmask] [gateway] [METRIC metric] [IF interface]

-f Clears the routing tables of all gateway entries. If this is
used in conjunction with one of the commands, the tables are
cleared prior to running the command.

-p When used with the ADD command, makes a route persistent across
boots of the system. By default, routes are not preserved
when the system is restarted. Ignored for all other commands,
which always affect the appropriate persistent routes. This
option is not supported in Windows 95.

-4 Force using IPv4.

-6 Force using IPv6.

command One of these:
PRINT Prints a route
ADD Adds a route
DELETE Deletes a route
CHANGE Modifies an existing route
destination Specifies the host.
MASK Specifies that the next parameter is the 'netmask' value.
netmask Specifies a subnet mask value for this route entry.
If not specified, it defaults to
gateway Specifies gateway.
interface the interface number for the specified route.
METRIC specifies the metric, ie. cost for the destination.

All symbolic names used for destination are looked up in the network database
file NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
(wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only
matching destination routes are printed. The '*' matches any string,
and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Pattern match is only allowed in PRINT command.
Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD MASK IF 1
The route addition failed: The specified mask parameter is invalid.
(Destination & Mask) != Destination.


> route PRINT
> route PRINT -4
> route PRINT -6
> route PRINT 157* .... Only prints those matching 157*

> route ADD MASK METRIC 3 IF 2
destination^ ^mask ^gateway metric^ ^
If IF is not given, it tries to find the best interface for a given
> route ADD 3ffe::/32 3ffe::1


CHANGE is used to modify gateway and/or metric only.

> route DELETE
> route DELETE 3ffe::/32

I know they continue to have control

1 Answers
Shnerdly Staff answered 3 years ago

Thanks for your question albertsdaughter.

The info you posted about the "route" command is simply the instructions on how to use it including the available switches and examples.

It is not uncommon to get *'s on some lines in a trace route query. They don't really tell you anything.

You said you reinstalled Windows? Then you said "I know they continue to have control", how?? If Windows was reinstalled, the machine should be clean with few exceptions. There might be something on the boot sector of the drive that reinfects the computer after a reinstall and there is a very slight possibility that the BIOS for the mainboard is infected.

To see if the attack stops, try changing the external IP address and look in the BIOS on the computer to see if any type of Universal ID is enabled. If it is, disable it.
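
As an added example (not part of the original thread), the Python code below parses Windows `tracert` output and separates hops that show `* * *` but are followed by responding hops from timeouts that run to the end of the trace. The sample trace is constructed and uses reserved documentation addresses; the function names are illustrative.

```python
import re

# Constructed sample in Windows tracert format (reserved documentation addresses).
SAMPLE = """\
Tracing route to host.example [203.0.113.80]
over a maximum of 30 hops:

  1     1 ms    <1 ms     1 ms  192.168.1.1
  2     9 ms     8 ms    10 ms  198.51.100.1
  3    11 ms    10 ms    12 ms  198.51.100.9
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6    21 ms     *       20 ms  203.0.113.80

Trace complete.
"""

# hop number, three probe results ("N ms", "<N ms" or "*"), then the responder text
LINE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*)$")

def parse_hops(text):
    """Return a list of (hop_number, [rtt_ms or None, ...], responder or None)."""
    hops = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        rtts = [None if p == "*" else int(p.strip("< ms"))
                for p in re.findall(r"<?\d+ ms|\*", m.group(2))]
        silent = all(r is None for r in rtts)
        hops.append((int(m.group(1)), rtts, None if silent else m.group(3).strip()))
    return hops

def classify(text):
    """Split all-timeout hops into those before and after the last hop that answered."""
    hops = parse_hops(text)
    silent = [n for n, _, who in hops if who is None]
    last = max((n for n, _, who in hops if who is not None), default=0)
    return {
        "last_responder_hop": last,
        # Later hops answered, so traffic passed through: the router just did not reply.
        "silent_but_forwarding": [n for n in silent if n < last],
        # Nothing answered after this point: destination or a filter ignores the probes.
        "no_reply_to_end": [n for n in silent if n > last],
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Routers commonly rate-limit or drop the ICMP replies that `tracert` relies on, which is why a silent hop in the middle of an otherwise complete trace carries no information about the path.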
