
I am being hacked

Discussion in 'General Security' started by machv, Apr 29, 2010.

Thread Status:
Not open for further replies.
  1. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    I have recently been having some problems. I noticed something was amiss when I tried to update Avira 9 to Avira 10; there was an error:

    c:\users\neilma~1\appdata\local\temp\rarsfx0\presetup.exe

    this application has requested the runtime to terminate it in an unusual way.
    please contact the application's support team for more information


    and I could not install Avira 10 or reinstall 9 either. Oh, and while I was asleep one night a folder was created on my desktop called "redstart"; I deleted it. Then Firefox said some of the Java I had installed had security issues, so I disabled them. Also, at night when I'm sleeping, I get messages saying that the lowmic utility has stopped working, do you want to send a report to Microsoft.

    And I got an email from Gmail stating that my email was accessed in San Francisco or California, I can't remember which, and that I need to change my password if it wasn't me that did it.

    Then I got AVG but didn't like that one, so I substituted Avast, and nothing, so I got rid of that too when I signed up for Shaw's internet, and they provide free F-Secure.

    I got Shaw Secure, which is F-Secure, and I found that I had nine viruses or threats. It didn't remove 5 of them, so I checked them out; they were from Hiren's Boot CD, Process Explorer and Win Key Finder plus some others. So I quarantined them.

    I was also alerted to the fact that I was getting intrusion attempts, five so far. I checked whois and they are mainly from China and one from Stockholm; all are in the business of either providing wireless or networking services, and one is involved with IP surveillance etc. Here they are and the scans they did.

    TIME    REMOTE ADDRESS   HITS  DESCRIPTION
    7:19am  122.224.65.146   2     intrusion attempt : NMAP TCP SCAN
    7:19am  218.108.42.98    2     intrusion attempt : NMAP TCP SCAN
    3:45am  83.226.255.95    1     intrusion attempt : FIN SCAN
    1:27am  218.240.49.162   2     intrusion attempt : NMAP TCP SCAN
    1:26am  124.207.99.18    2     intrusion attempt : NMAP TCP SCAN
    Please can someone help me. Let me know if you want HijackThis, SIMO, OTL or other logs.
    Thanks
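As an added example (not from the thread or from the firewall product), a small Python script that parses the alert table quoted in the post, totals hits per source and per scan type, and separates out any source that sits inside your own network. The sample input is the five lines from the post plus their header; the scan descriptions and the column order are assumed to be stable across lines.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the five firewall alert lines quoted in the post, header included.
ALERT_LOG = """\
TIME REMOTE ADDRESS HITS DESCRIPTION
7:19am 122.224.65.146 2 intrusion attempt : NMAP TCP SCAN
7:19am 218.108.42.98 2 intrusion attempt : NMAP TCP SCAN
3:45am 83.226.255.95 1 intrusion attempt : FIN SCAN
1:27am 218.240.49.162 2 intrusion attempt : NMAP TCP SCAN
1:26am 124.207.99.18 2 intrusion attempt : NMAP TCP SCAN
"""

# One alert line: time, source address, hit count, then the alert text after the colon.
ALERT_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}(?:am|pm))\s+(?P<addr>\S+)\s+(?P<hits>\d+)\s+"
    r"intrusion attempt : (?P<desc>.+)$"
)


def parse_alerts(text):
    """Turn the alert table into a list of dicts; skips the header, rejects malformed lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIME "):
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised alert line: {line!r}")
        events.append({
            "time": m.group("time"),
            "addr": ip_address(m.group("addr")),   # also validates the address syntax
            "hits": int(m.group("hits")),
            "desc": m.group("desc"),
        })
    return events


def summarise(events):
    """Aggregate hits per source and per scan type, and list any source that is a
    private (RFC 1918) address: a scan from inside your own LAN is a different problem
    from internet background noise that a firewall simply drops."""
    by_addr = Counter()
    by_type = Counter()
    for e in events:
        by_addr[str(e["addr"])] += e["hits"]
        by_type[e["desc"]] += e["hits"]
    internal = sorted({str(e["addr"]) for e in events if e["addr"].is_private})
    return {
        "total_hits": sum(by_addr.values()),
        "by_addr": by_addr,
        "by_type": by_type,
        "internal_sources": internal,
    }


if __name__ == "__main__":
    report = summarise(parse_alerts(ALERT_LOG))
    print(report["total_hits"], "hits from", len(report["by_addr"]), "sources")
    for desc, n in report["by_type"].most_common():
        print(f"  {n:>3}  {desc}")
    print("sources inside the LAN:", report["internal_sources"] or "none")
```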
     
  2. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    This is what I found out about these various IP addresses:

    122.224.65.146
    http://whois.domaintools.com/122.224.65.146
    http://www.dolphinwave.org/spam/CHINANET-ZJ.txt
    -----------------------------------------------

    218.108.42.98
    http://whois.domaintools.com/218.108.42.98
    -----------------------------------------------

    83.226.255.95
    http://whois.domaintools.com/83.226.255.95
    -----------------------------------------------

    218.240.49.162
    http://whois.domaintools.com/218.240.49.162
    http://www.neteon.net/home.aspx [this is the IP surveillance site]
    -----------------------------------------------

    124.207.99.18
    http://whois.domaintools.com/124.207.99.18
    http://www.robtex.com/as/as17964.html
     
  3. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    Oh, and if I have posted this in the wrong place please let me know, thanks.
    Oh, and Internet Explorer keeps shutting down when I try to use it instead of Firefox, and some sites I visit quasi-regularly now have an insane amount of banner advertisements that they never had before.
     
  4. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    For your Avira uninstall problem, try the Revo Uninstaller Free:

    http://www.revouninstaller.com/revo_uninstaller_free_download.html

    First remove version 9, then install version 10.

    I haven't heard about the Redstart folder problem. But hackers usually don't reveal themselves so boldly and put a folder onto your desktop.

    Firefox did report about a java security problem, I have seen that mentioned somewhere on this forum. So that is normal.

    Couldn't find out any info about your lowmic utility. What is it?

    Never had any email sent to me from Gmail, so I am unable to confirm that the email was legit.

    Lots of hackers use NMAP to scan for unprotected PCs. Nmap is free software, and comes standard with many Linux distributions. It can identify which ports are open, and what the OS is. These types of scans are not a big problem, if you have a firewall. If you get tired of having their scans reaching your PC, then go buy a router, which would hide your PC somewhat.

    Go and download HijackThis from here:

    http://free.antivirus.com/hijackthis/

    Run it and it will produce a log file in Notepad. Copy and paste the log into your next message and someone will look through it. Don't ask HijackThis to fix any problems identified.
     
  5. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    Here's the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:45:25 AM, on 4/30/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files\Shaw Secure\Common\FSM32.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: secuload.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 7035 bytes
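As an added example (not from the thread and not part of HijackThis itself), a small Python triage that parses entry lines in the format of the log above and flags the categories a log reviewer checks first: orphaned toolbar registrations, autorun entries without a full path, DPF ActiveX downloads, AppInit_DLLs, and services with a missing binary or no recorded publisher. The sample input is a few lines copied from that log; a flag means "verify this", not "this is malware", and every flagged line here has a benign reading.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\taskhost.exe

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
"""

# An entry line starts with its section code (R0/R1 or O3, O4, ... O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (section, body) pairs for entry lines; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Run the checks a reviewer applies first. Each hit is (reason, entry) and means
    'verify this', not 'this is malware'."""
    findings = []
    for sec, body in parse_entries(text):
        if sec == "O3" and "(no file)" in body:
            findings.append(("toolbar CLSID whose DLL no longer exists (orphaned registration)", body))
        elif sec == "O4":
            command = body.split("] ", 1)[-1]        # text after the [name] label
            if ":\\" not in command:                 # no drive letter: found by PATH search
                findings.append(("autorun entry without a full path", body))
        elif sec == "O16":
            findings.append(("ActiveX download (DPF) entry; confirm the URL is the vendor's", body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(("AppInit_DLLs loads this DLL into every user32 process; verify publisher", body))
        elif sec == "O23":
            if "(file missing)" in body:
                findings.append(("service whose binary is missing (stale entry or deleted file)", body))
            elif "Unknown owner" in body:
                findings.append(("service with no recorded publisher", body))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```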
     
  6. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    I ended up reinstalling Win7 from scratch. Win7 keeps the old OS and everything else in a folder called windows.old. I did not install Nexon, but I saw a folder for it had been created after the install; I used to have a Nexon internet game before. I also saw a folder that has nircmd among other things in it, and I found that nircmd can be used to screw with almost any Windows process, and that it sometimes is actually malware. Should this folder be there after a clean install? Could this be virus or hacker oriented? Please get back to me, I don't want to have to start again.
     
  7. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    I found Nircmd at this site:

    http://www.nirsoft.net/utils/nircmd2.html

    It shouldn't be on your system after a fresh install of Win 7. Where did you get your Win 7, is it legit? Or was it through BitTorrent or some P2P program?

    What did you install after you installed Win 7 ?
     
  8. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    I installed Shaw Secure and Office plus some other things. I thought that it came from windows.old, and the disks I used are legit backup copies I made from my originals, and then the originals went missing. I know this sounds like a crock, but I have a legit product key that I use for updates.
     
  9. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
  10. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    The clean way of installing Windows is to ask the setup to delete all partitions. You would have to save your important files to a USB stick first. USB sticks are cheap nowadays. That way, you will be sure there is no stuff left over from the previous hacked Windows.
     
  11. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    I know this, but Win7 Ultimate didn't give me that option. Does this mean I will have to start again? I will if I have to, and I will format the whole drive this time before I install it.
     
  12. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    I am using the trial version of Win 7 Enterprise. During setup, when you reach the screen where it shows you all your drives, I think they have an "advanced options" link. When you click it, it will give you options to delete, format etc. To perform a wipe-everything-off install, I use Delete to remove all partitions, so that it ends up showing xxx GB uninitialized.
     
  13. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    I formatted the drive before I reinstalled everything again. I hope this **** stops, I don't want to have to do this again.
     
  14. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    Ok. You formatted the drive. The PC should be clean.

    Things to do to keep out hackers: 1) Update EVERYTHING. 2) Secure the network. 3) Install security software.

    1) Update everything.

    Hackers take advantage of security vulnerabilities to gain entry to systems. Most hackers just take advantage of systems that aren't patched, and those vulnerabilities are known. So, install all Windows Updates.

    Then go to Adobe.com and install the latest version of Flash. There is a version of Flash for IE, and a separate version of Flash for Firefox, Opera and other browsers, so if you have more than IE, then you need to update both.

    If you have MS Office, configure Windows Update to fetch updates for 'other MS products' and it will patch up your Office.

    Then go to Secunia and install their PSI program. This program scans all your installed programs and tells you if a newer version/patched version is out. It also provides links to download the latest version.

    2) Secure your network.

    Go and buy a router, preferably one with a Stateful Packet Inspection (SPI) firewall. Buy it even if you only have 1 PC. This will protect your PCs from scanning and other easy hacking. When you don't have a router, File and Printer Sharing is reachable from the outside internet, and that's not good, especially when you tell Windows to use the Home network profile. Windows runs quite a few services and protocols, almost all of them meant for internal use, when you are behind a router.

    Change the default admin password of the router. Otherwise hackers will change it for you and lock you out. The default password of all router models is just a Google search away.

    Don't go wireless unless you have to. If the modem is on your desk, then use an ordinary wired router. If you need to go wireless, then go to the setup web page of the router and configure it to use WPA2 encryption. And choose a long alphanumeric passphrase. Since radio waves travel everywhere, your nearby neighbors can pick up the signal and connect to your network if you don't secure it with WPA2.

    3) Install security software.

    You need antivirus and antispyware. There are some good ones for free like Avast and AVG. I use a paid antivirus called ESET NOD, which is both antivirus and antispyware. Look in Tech Guy's Security forum; there have been many threads by people asking for good security software suggestions.

    These 3 things are the basics of security for a home network. Companies spend much more money on security and there are good tools that only those with deep pockets can afford. Very sophisticated firewall/routers cost thousands. And there are security 'appliances' which combine firewall, router, email antivirus and other things that cost a lot. Home routers cost less than $100. Then there are Intrusion Protection Systems. These things monitor the network for intrusions and can stop the network traffic. I'd like to get my hands on a Tipping Point IPS, but then, it costs thousands.
     
  15. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    351
    Thanks for the info, I will follow your advice. I don't have a router at the moment, but I will get one ASAP. Oh, wait a minute, I do have one; I forgot I had one before I went to wireless at the hotel I was staying at. Now I have cable internet, so I can hook that one back up. Please let me know if this is a good router and how I can set it up the best way? It's a D-Link EBR-2310. Thanks
     
Short URL to this thread: https://techguy.org/920064