I am being hacked

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

machv

Thread Starter
Joined
May 23, 2009
Messages
351
I have recently been having some problems. I noticed something was amiss when I tried to update Avira 9 to Avira 10; there was an error:

c:\users\neilma~1\appdata\local\temp\rarsfx0\presetup.exe

this application has requested the runtime to terminate it in an unusual way.
please contact the application's support team for more information


and I could not install Avira 10 or reinstall 9 either. Oh, and while I was asleep one night a folder was created on my desktop called redstart; I deleted it. Then Firefox said some of the Java I had installed had security issues, so I disabled them. Also at night when I'm sleeping I get messages saying that the lowmic utility has stopped working, do you want to send a report to Microsoft.

And I got an email from Gmail stating that my email was accessed in San Francisco or California, I can't remember which, and that I need to change my password if it wasn't me that did it.

Then I got AVG but don't like that one, so substituted Avast, and nothing, so I got rid of that too when I signed up for Shaw's internet and they provide free F-Secure.

I got Shaw Secure, which is F-Secure, and I find that I had nine viruses or threats. It didn't remove 5 of them so I checked them out; they were from Hiren's Boot CD, Process Explorer and Win Key Finder plus some others. So I quarantined them.

I was also alerted to the fact that I was getting intrusion attempts, five so far. I checked whois and they are mainly from China and one from Stockholm; all are in the business of either providing wireless or networking services and one is involved with IP surveillance etc. Here they are and the scans they did.

TIME    REMOTE ADDRESS   HITS  DESCRIPTION
7:19am  122.224.65.146   2     intrusion attempt : NMAP TCP SCAN
7:19am  218.108.42.98    2     intrusion attempt : NMAP TCP SCAN
3:45am  83.226.255.95    1     intrusion attempt : FIN SCAN
1:27am  218.240.49.162   2     intrusion attempt : NMAP TCP SCAN
1:26am  124.207.99.18    2     intrusion attempt : NMAP TCP SCAN
Please can someone help me. Let me know if you want hijack, sino, OTL or other logs.
Thanks
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
This is what I found out about these various IP addresses:

122.224.65.146
http://whois.domaintools.com/122.224.65.146
http://www.dolphinwave.org/spam/CHINANET-ZJ.txt
-----------------------------------------------

218.108.42.98
http://whois.domaintools.com/218.108.42.98
-----------------------------------------------

83.226.255.95
http://whois.domaintools.com/83.226.255.95
-----------------------------------------------

218.240.49.162
http://whois.domaintools.com/218.240.49.162
http://www.neteon.net/home.aspx [this is the IP surveillance site]
-----------------------------------------------

124.207.99.18
http://whois.domaintools.com/124.207.99.18
http://www.robtex.com/as/as17964.html
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
Oh, and if I have posted this in the wrong place please let me know, thanks.
Oh, and Internet Explorer keeps shutting down when I try to use it instead of Firefox, and some sites I visit quasi-regularly now have an insane amount of banner advertisements that they never had before.
 
Joined
Sep 21, 2007
Messages
13,845
For your Avira uninstall problem, try the Revo Uninstaller Free:

http://www.revouninstaller.com/revo_uninstaller_free_download.html

First remove version 9, then install version 10.

I haven't heard about the Redstart folder problem. But hackers usually don't reveal themselves so boldly by putting a folder onto your desktop.

Firefox did report about a java security problem, I have seen that mentioned somewhere on this forum. So that is normal.

Couldn't find any info about your lowmic utility. What is it?

Never had any email sent to me from Gmail, so I am unable to confirm that the email was legit.

Lots of hackers use Nmap to scan for unprotected PCs. Nmap is free software and comes standard with many Linux distributions. It can identify which ports are open, and what the OS is. These types of scans are not a big problem if you have a firewall. If you get tired of having their scans reach your PC, then go buy a router, which would hide your PC somewhat.

Go and download HijackThis from here:

http://free.antivirus.com/hijackthis/

Run it and it will produce a log file in Notepad. Copy and paste the log into your next message and someone will look through it. Don't ask HijackThis to fix any problems identified.
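The poster's firewall table and the reply above make the same point from two sides: a handful of NMAP/FIN scan hits from the internet is reconnaissance noise that a firewall absorbs, not evidence of a break-in. As an added example (not from the thread or from any firewall product), this script parses a table in the same layout the poster quoted, totals hits per source address, and classifies the batch as scan-only or as something needing review. The log text is constructed to match the quoted format; the `SCAN_MARKERS` list is an assumption about how such descriptions are worded.

```python
"""Triage a small firewall 'intrusion attempt' table.

Added example, not a tool from the thread. The sample log is constructed
in the same layout as the quoted table (time, remote address, hits,
description) and the marker words are assumptions, not a vendor's list.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample in the quoted layout
SAMPLE_LOG = """\
TIME    REMOTE ADDRESS   HITS  DESCRIPTION
7:19am  122.224.65.146   2     intrusion attempt : NMAP TCP SCAN
7:19am  218.108.42.98    2     intrusion attempt : NMAP TCP SCAN
3:45am  83.226.255.95    1     intrusion attempt : FIN SCAN
1:27am  218.240.49.162   2     intrusion attempt : NMAP TCP SCAN
1:26am  124.207.99.18    2     intrusion attempt : NMAP TCP SCAN
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}(?:am|pm))\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<hits>\d+)\s+"
    r"(?P<desc>.+?)\s*$",
    re.IGNORECASE,
)

# Words that mark a reconnaissance signature (assumed, not vendor-defined)
SCAN_MARKERS = ("SCAN", "PROBE", "SWEEP")


@dataclass
class Event:
    time: str
    addr: str
    hits: int
    desc: str  # upper-cased description, e.g. 'INTRUSION ATTEMPT : NMAP TCP SCAN'


def parse_log(text):
    """Parse table rows; the header line and blanks are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(m["time"], m["addr"], int(m["hits"]), m["desc"].upper()))
    return events


def summarize(events):
    """Total hits per remote address and a count of each signature type."""
    by_addr = defaultdict(int)
    by_type = Counter()
    for e in events:
        by_addr[e.addr] += e.hits
        by_type[e.desc.split(":")[-1].strip()] += 1
    return dict(by_addr), dict(by_type)


def classify(events):
    """'scan-only' when every event is a scan signature; anything else
    (an exploit signature, a connection that got through) needs review."""
    if not events:
        return "no-events"
    if all(any(marker in e.desc for marker in SCAN_MARKERS) for e in events):
        return "scan-only"
    return "needs-review"


def is_private(addr):
    """A scan from an RFC 1918 address would come from inside the LAN,
    which is a different problem from internet background noise."""
    return ipaddress.ip_address(addr).is_private


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    by_addr, by_type = summarize(events)
    print(classify(events), by_type)
    for addr, hits in sorted(by_addr.items(), key=lambda kv: -kv[1]):
        print(f"{addr:16} {hits} hit(s) private={is_private(addr)}")
```

The useful output is the classification, not the whois lookups: a scan-only batch from public addresses is what an unfirewalled home PC sees every night, and the fix is the router and firewall the reply recommends rather than chasing each source network.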
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
here's the hijack log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:25 AM, on 4/30/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7035 bytes
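Reading a HijackThis log by hand means scanning a few dozen R/O lines for the handful that deserve a second look. As an added example, not HijackThis code and not a tool anyone in the thread used, the script below parses lines in that format and applies a small set of triage rules: dangling entries whose file no longer exists, services with no recorded publisher, the AppInit_DLLs load point, autoruns launched from a temp directory, and an installed remote packet-capture service. The sample is a few lines copied from the log above plus one constructed O4 line (labelled as such) so the temp-directory rule has something to match; the rules are general triage heuristics, and a flag means "verify", not "malware".

```python
"""Parse HijackThis-style log lines and flag entries worth verifying.

Added example, not HijackThis code. Sample lines are copied from the
posted log except the O4 line marked 'constructed'. The RULES are
assumed triage heuristics; a flag means 'check this', nothing more.
"""
import re
from dataclasses import dataclass, field

SAMPLE = r"""
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [constructed] "C:\Users\example\AppData\Local\Temp\example.exe"
O20 - AppInit_DLLs: secuload.dll
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

# Every HijackThis entry is '<code> - <body>', e.g. 'O23 - Service: ...'
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def service_fields(entry):
    """Split an O23 body into (display name, vendor, path, file_missing).
    Left split with maxsplit=2 keeps ' - ' inside the path intact
    (e.g. 'Spybot - Search & Destroy')."""
    body = entry.body[len("Service: "):]
    display, vendor, path = body.split(" - ", 2)
    missing = path.endswith(" (file missing)")
    if missing:
        path = path[: -len(" (file missing)")]
    return display, vendor, path, missing


# Assumed triage rules: (reason, predicate on the entry)
RULES = [
    ("dangling entry: target file missing",
     lambda e: "(no file)" in e.body or "(file missing)" in e.body),
    ("service with no publisher recorded",
     lambda e: e.code == "O23" and service_fields(e)[1] == "Unknown owner"),
    ("AppInit_DLLs is loaded into every user32 process; verify the DLL",
     lambda e: e.code == "O20" and e.body.startswith("AppInit_DLLs:")),
    ("autorun launched from a temp directory",
     lambda e: e.code == "O4" and re.search(r"\\temp\\", e.body, re.IGNORECASE) is not None),
    ("remote packet-capture service installed; confirm it is wanted",
     lambda e: e.code == "O23" and "rpcapd" in e.body.lower()),
]


def triage(entries):
    """Attach every matching reason to each entry; return the flagged ones."""
    for e in entries:
        e.flags = [reason for reason, pred in RULES if pred(e)]
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE)):
        print(e.code, e.body)
        for reason in e.flags:
            print("   ->", reason)
```

Run against the full log, the rules would single out the nameless toolbar with `(no file)`, the `NMSAccess` service whose binary is gone, the `secuload.dll` AppInit entry and the WinPcap `rpcapd` service; none of those is proof of compromise, but each is a line a helper would ask about before anything else.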
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
I ended up reinstalling Win7 from scratch. Win7 keeps the old OS and everything else in a folder called windows.old. I did not install Nexon but I saw a folder for it had been created after the install; I used to have a Nexon internet game before. I also saw a folder that has nircmd among other things in it, and I found that nircmd can be used to screw with almost any Windows process, and that it sometimes is actually malware. Should this folder be there after a clean install? Could this be virus or hacker oriented? Please get back to me, I don't want to have to start again.
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
I installed Shaw Secure and Office plus some other things. I thought that it came from windows.old, and the disks I used are legit backup copies I made from my originals and then the originals went missing. I know this sounds like a crock but I have a legit product key that I use for updates.
 
Joined
Sep 21, 2007
Messages
13,845
The clean way of installing Windows is to ask the setup to delete all partitions. You would have to save your important files to a USB stick first. USB sticks are cheap nowadays. That way, you will be sure there is no stuff left over from the previous hacked Windows.
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
I know this, but Win7 Ultimate didn't give me that option. Does this mean I will have to start again? I will if I have to, and I will format the whole drive this time before I install it.
 
Joined
Sep 21, 2007
Messages
13,845
I am using the trial version of Win 7 Enterprise. During setup, when you reach the screen where it shows you all your drives, I think they have an "advanced options" link. When you click it, it will give you options to delete, format etc. To perform a wipe-everything-off install, I use Delete to remove all partitions, so that it ends up showing xxx GB uninitialized.
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
I formatted the drive before I reinstalled everything again. I hope this **** stops, I don't want to have to do this again.
 
Joined
Sep 21, 2007
Messages
13,845
Ok. You formatted the drive. The PC should be clean.

Things to do to keep out hackers. 1) Update EVERYTHING. 2) Secure the Network. 3) install security software.

1) Update everything.

Hackers take advantage of security vulnerabilities to gain entry to systems. Most hackers just take advantage of systems that aren't patched, and those vulnerabilities are known. So, install all Windows Updates.

Then go to Adobe.com and install the latest version of Flash. There is a version of Flash for IE, and a separate version of Flash for Firefox, Opera and other browsers, so if you have more than IE, then you need to update both.

If you have MS Office, configure Windows update to fetch updates for 'other MS products' and it will patch up your Office.

Then go to Secunia and install their PSI program. This program scans all your installed programs and tells you if a newer version/patched version is out. It also provides links to download the latest version.

2) Secure your network.

Go and buy a router, preferably one with a Stateful Packet Inspection (SPI) firewall. Buy it even if you only have 1 PC. This will protect your PCs from scanning and other easy hacking. When you don't have a router, File and Printer Sharing is reachable from the outside internet, and that's not good, especially when you tell Windows to use the Home network profile. Windows runs quite a few services and protocols; almost all of them are meant for internal use, when you are behind a router.

Change the default admin password of the router. Otherwise hackers will change it for you and lock you out. The default password of all router models is just a Google search away.

Don't go wireless unless you have to. If the modem is on your desk, then use an ordinary wired router. If you need to go wireless, then go to the setup web page of the router and configure it to use WPA2 encryption. And choose a long alphanumeric passphrase. Since radio waves travel everywhere, your nearby neighbors can pick up the signal and connect to your network if you don't secure it with WPA2.

3) install Security software.

You need antivirus and antispyware. There are some good ones for free like Avast and AVG. I use a paid antivirus called ESET NOD, which is both antivirus and antispyware. Look in Tech Guy's Security forum and there have been many threads by people asking for good security software suggestions.


These 3 things are the basics of security for a home network. Companies spend much more money on security and there are good tools that only those with deep pockets can afford. Very sophisticated firewall/routers cost thousands. And there are security 'appliances' which combine firewall, router, email antivirus and other things that cost a lot. Home routers cost less than $100. Then there are Intrusion Protection Systems. These things monitor the network for intrusions and can stop the network traffic. I'd like to get my hands on a Tipping Point IPS, but then, it costs thousands.
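The "secure your network" step rests on one observation: a PC plugged straight into the modem has every service that listens on all interfaces reachable from the internet, while behind a NAT/SPI router unsolicited inbound traffic never reaches them. As an added example (not a tool from the thread), the script below parses `netstat -an`-style output and lists the wildcard-bound listeners that would be exposed in the no-router case, annotating the ones that are meant for the LAN only. The netstat text is constructed; the port annotations are general knowledge, and the `behind_router` flag is an assumption the caller supplies.

```python
"""List services that a PC without a router exposes to the internet.

Added example, not from the thread. The netstat output is constructed;
LAN_ONLY_PORTS is general knowledge about well-known ports, and the
behind_router flag is supplied by the caller, not detected.
"""
import re
from dataclasses import dataclass

# Constructed sample in the Windows 'netstat -an' layout
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49160     203.0.113.7:443        ESTABLISHED
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:137            *:*
"""

# Ports meant for the LAN, never for the open internet (general knowledge)
LAN_ONLY_PORTS = {
    135: "MS RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session (file sharing)",
    445: "SMB (File and Printer Sharing)",
    2002: "rpcapd remote packet capture (WinPcap default port)",
    3389: "Remote Desktop",
    5353: "mDNS (Bonjour)",
}
WILDCARD_BINDS = {"0.0.0.0", "::", "[::]"}

ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    bind: str
    port: int


def parse_netstat(text):
    """Keep listening TCP sockets and all UDP sockets (UDP has no state column)."""
    listeners = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, state = m["proto"], m["local"], m["state"]
        if proto == "TCP" and state != "LISTENING":
            continue
        bind, _, port = local.rpartition(":")
        listeners.append(Listener(proto, bind, int(port)))
    return listeners


def exposed_listeners(listeners, behind_router):
    """Wildcard-bound sockets are reachable from the internet when the PC sits
    directly on the modem. Behind a NAT/SPI router nothing is reachable unless
    a port forward or UPnP mapping was added for it (not modelled here)."""
    if behind_router:
        return []
    return [lst for lst in listeners if lst.bind in WILDCARD_BINDS]


def report(listeners, behind_router):
    rows = []
    for lst in exposed_listeners(listeners, behind_router):
        note = LAN_ONLY_PORTS.get(lst.port, "unknown service; identify the owning process")
        rows.append(f"{lst.proto}/{lst.port} bound to {lst.bind}: {note}")
    return rows


if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT)
    for row in report(found, behind_router=False):
        print(row)
```

The loopback-only listener (127.0.0.1:5354) never shows up in the report because it cannot be reached from the network at all; the SMB, RPC and NetBIOS entries are exactly the "File and Printer Sharing reachable from the outside" case the reply warns about, and the 2002/TCP line is what the WinPcap `rpcapd` service from the earlier HijackThis log would look like if it were running.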
 

machv

Thread Starter
Joined
May 23, 2009
Messages
351
Thanks for the info, I will follow your advice. I don't have a router at the moment, but I will get one ASAP. Oh wait a minute, I do have one; I forgot I had one before I went to wireless at the hotel I was staying at. Now I have cable internet I can hook that one back up. Please let me know if this is a good router and how I can set it up the best way? It's a D-Link EBR-2310. Thanks
 