
Solved: Have I Been Hacked?

Discussion in 'Virus & Other Malware Removal' started by Kirkwa, Sep 17, 2004.

Thread Status:
Not open for further replies.
  1. Kirkwa

    Kirkwa Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    7
    Hi all,

    I’m new here and to forums in general, and I’m hoping someone can help me understand a situation I am having with my system. I have Norton 2003 Internet Security Professional installed on my Dell Dimension 8300, running Windows XP Professional, version 2002, Service Pack 1. I am also running Spybot - Search & Destroy 1.3, Ad-aware 6.0, and Webroot Spy Sweeper 3.0.0.

    I run the updates on the above programs religiously, including Windows XP. Several times now I have been online and discovered that my personal firewall settings have been turned off. My first thought was, OK, I have been hacked. Each time this has happened, I turned the firewall back on and ran Norton’s LiveUpdate. I went offline and ran Norton AntiVirus, which found nothing.

    So to my question, am I right in assuming I have been hacked? In addition, how do I verify this, and stop these attacks?

    Thanks for any suggestions
    Kirkwa
     
  2. cheese

    cheese

    Joined:
    Jun 22, 2003
    Messages:
    2,563
  3. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    I'm not an expert, but I can make a couple of suggestions to get the ball rolling, and then hopefully some of the heavy hitters here can step in and help you resolve any problems. :)

    It's certainly possible your firewall is being shut down by a virus or trojan infecting your machine, but let's come back to that shortly.

    The other possibilities that spring to mind for me, as I also use NIS, are as follows:

    1) The NIS firewall has developed an internal error and is shutting itself down completely.

    2) The NIS firewall has developed an internal error and appears to be shutting down, but is still running in the background.

    3) The NIS firewall set-up needs to be tweaked.

    To address these issues, can you tell us a bit more about the events leading to your firewall shutting down? Does the firewall load at startup, i.e. globe symbol showing in system tray? (If it doesn't load at startup, can you check your NIS configuration and ensure that you have selected it to load at startup).

    If it loads at startup and shuts down later, do you get any error messages or other indications when it shuts down, and how are you aware of the shutdown?

    Are there any indications from your firewall logs (right-click the system tray globe icon and select "Log Viewer") of your firewall status, and any alerts regarding intrusions, remote access attempts, unauthorised connections etc.?

    Coming back to the possibility of an infection/hack on your system, you are doing the right thing by running full system NAV scans regularly. It may be worth running it in Safe Mode as well, as this can sometimes pick up viruses not found in normal mode. Also upgrade your Ad-Aware from version 6.0 to the latest "SE" version (also free), update it with the latest SE definitions file, and run that in Safe Mode too.

    Also, download the free diagnostic/repair application "Hijack This" from here -
    http://www.aumha.org/downloads/hijackthis.exe

    Create a new folder named "HJT" and move hijackthis.exe into it. Run the scan, save the logfile of the scan results to Notepad, and post the results back to this thread, but DO NOT FIX ANYTHING with HijackThis until your log has been examined by a knowledgeable responder; most of the items in the scan are required system or application files.

    Also, I'd suggest downloading TrojanHunter (30-day free trial) from here -

    http://misec.net/products/TrojanHunter.exe

    Install it and update the definitions manually as per the site instructions, then run a full scan for trojans. When connected to the net, use the "Quick Scan" facility to determine if any suspicious ports are being opened. Also, try starting your net connection but initially do not open any browser windows or launch any other programs you know access the net. Then use TrojanHunter's Netstat viewer (Tools - Netstat Viewer - select to update manually or automatically) to see if any connections have been established automatically.

    hth (y)
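The "connect, start nothing, then look at what is already talking" check in the post above can be done with Windows' own `netstat -a -n -o` and `tasklist` instead of TrojanHunter's viewer. The script below is an added example for this thread (not part of TrojanHunter, NIS or the original post): it parses `netstat -a -n -o` output, joins each line with a PID-to-process map of the kind `tasklist` prints, and reports established connections or non-loopback listeners owned by anything not on your short list of programs you know you started. All addresses, PIDs and the process map are constructed for the example; the process name win32clt.exe is borrowed from the TDS result later in the thread.

```python
"""Baseline check for network connections on a machine that should be idle.

Added example for this thread; it is not part of TrojanHunter or NIS. It
parses the text printed by `netstat -a -n -o` on Windows XP and later, joins
each line with the PID-to-process map you would get from `tasklist`, and
reports anything not explained by the short list of programs you expect to be
online. All addresses, PIDs and the process map below are constructed; the
process name win32clt.exe is borrowed from the TDS result later in the thread.
"""
from typing import Dict, List, NamedTuple, Tuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP, which has no state column
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Turn `netstat -a -n -o` output into Conn records; header lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # unfamiliar layout; do not guess
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


LOOPBACK = ("127.", "[::1]")


def unexpected(conns: List[Conn], pid_to_name: Dict[int, str],
               expected_online: List[str]) -> List[Tuple[Conn, str, str]]:
    """Flag established connections and non-loopback listeners owned by
    processes that are not on the expected list."""
    expected = {n.lower() for n in expected_online}
    findings: List[Tuple[Conn, str, str]] = []
    for c in conns:
        name = pid_to_name.get(c.pid, "<unknown pid>")
        if name.lower() in expected:
            continue
        if c.state == "ESTABLISHED":
            findings.append((c, name, "established connection from unexpected process"))
        elif (c.state == "LISTENING" or c.proto == "UDP") and not c.local.startswith(LOOPBACK):
            findings.append((c, name, "listening on a non-loopback address"))
    return findings


# Constructed sample: what netstat might print right after connecting, with
# only the browser started on purpose.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       900
  TCP    192.168.1.5:1042       203.0.113.7:4321       ESTABLISHED     1684
  TCP    192.168.1.5:1051       198.51.100.20:80       ESTABLISHED     2244
  UDP    0.0.0.0:161            *:*                                    1500
"""
# Constructed PID map, as `tasklist` would give you for the same moment.
PID_TO_NAME = {4: "System", 900: "svchost.exe", 1684: "win32clt.exe",
               2244: "firefox.exe", 1500: "snmp.exe"}
# The only things you expect to be on the wire right now (assumption of this example).
EXPECTED_ONLINE = ["System", "svchost.exe", "firefox.exe"]


def report(text: str = NETSTAT_SAMPLE) -> List[Tuple[Conn, str, str]]:
    return unexpected(parse_netstat(text), PID_TO_NAME, EXPECTED_ONLINE)


if __name__ == "__main__":
    for conn, name, why in report():
        print(f"{conn.proto} {conn.local} -> {conn.remote} pid={conn.pid} ({name}): {why}")
```

Run it against a saved `netstat -a -n -o` capture instead of the sample and edit EXPECTED_ONLINE to match what you actually started. A listener on 0.0.0.0 (such as the SNMP service in the sample, which this user's process list also shows running) is not proof of infection, but on a home PC it is a service reachable from the outside that should be either needed or turned off.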
     
  4. Kirkwa

    Kirkwa Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    7
    Wow! Thanks for the quick response.

    Hi KrashedKris & Cheese,

    KrashedKris,

    Answers to your questions:

    1. Yes, the firewall does load at startup; I see the globe symbol in the system tray. I can also check the NIS configuration.

    2. I also ran a full virus scan in safe mode and found no infections.

    3. The first and second time I became aware my firewall was down, I was rebooting my system. A Norton Internet Security window popped up, telling me my firewall settings had been changed. The third time, I was checking my settings and found they were turned off.

    4. I don't get any error messages from Norton Internet Security when these events happen, but I do get intrusions and remote access attempts when I am online. I

    I downloaded and ran both of the programs you suggested, too; below are the results of those scans.

    Note: there seems to be a trojan file in the TrojanHunter Full Scan below.

    HJT Scan:

    Logfile of HijackThis v1.98.2
    Scan saved at 1:20:36 AM, on 9/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\HJT\hijackthis.exe
    C:\Program Files\WinTV\WinTV2K.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    TrojanHunter Quick Scan:

    Registry scan
    No suspicious entries found
    Inifile scan
    No suspicious entries found
    Port scan
    No suspicious open ports found
    Memory scan
    No trojans found in memory
    File scan (autostarted files, running executables)
    No trojan files found

    TrojanHunter Full Scan:

    Registry scan
    No suspicious entries found
    Inifile scan
    No suspicious entries found
    Port scan
    No suspicious open ports found
    Memory scan
    No trojans found in memory
    File scan
    Found trojan file: C:\WINDOWS\hodll.dll (KLog.SvcLog)
    1 trojan files found

    Kirkwa
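Two things about the log just posted are worth automating rather than eyeballing: which entries have appeared since the last clean log, and which autostart (O4) entries point at a program living somewhere installed software normally does not. The script below is an added example for this thread, not a feature of HijackThis. The baseline lines are copied from the log above; the single extra line in CURRENT_LOG is a constructed rogue entry (a system-like name sitting directly under C:\WINDOWS), and the list of trusted install locations is an assumption of this example, not a HijackThis rule.

```python
"""Parse HijackThis-style log lines and diff a fresh log against a baseline.

Added example for this thread, not a feature of HijackThis. The baseline lines
are copied from the log posted in the thread; the one extra line in
CURRENT_LOG is a constructed rogue entry, and TRUSTED_PREFIXES is an
assumption of this example.
"""
import re
from typing import List, NamedTuple


class Entry(NamedTuple):
    section: str  # R0, R1, O2, O3, O4, O16 ...
    detail: str   # everything after "Oxx - "


LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.+)$")
# O4 - HKLM\..\Run: [Name] "C:\path\program.exe" /switch
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Where legitimately installed software normally lives on this XP box.
# Anything autostarting from elsewhere (directly under C:\WINDOWS, a temp
# folder, a user profile) deserves a closer look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")


def parse_log(text: str) -> List[Entry]:
    """Keep only the R/O entry lines; the log header is skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def new_entries(baseline: List[Entry], current: List[Entry]) -> List[Entry]:
    """Entries present in the current log but absent from the baseline."""
    seen = set(baseline)
    return [e for e in current if e not in seen]


def executable_of(cmd: str) -> str:
    """First program in an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)  # unquoted path with spaces
    return m.group(1) if m else cmd.split()[0]


def odd_autostarts(entries: List[Entry]) -> List[Entry]:
    """O4 entries whose program is outside the trusted locations (or unparseable)."""
    flagged: List[Entry] = []
    for e in entries:
        if e.section != "O4":
            continue
        m = O4_RE.match(e.detail)
        if m is None or not executable_of(m.group("cmd")).lower().startswith(TRUSTED_PREFIXES):
            flagged.append(e)
    return flagged


# Lines copied from the log posted in the thread (a subset, for brevity).
BASELINE_LOG = r"""
Logfile of HijackThis v1.98.2
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
"""
# Constructed: a program using a system-like name but sitting directly under C:\WINDOWS.
ROGUE_LINE = r"O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe"
CURRENT_LOG = BASELINE_LOG + ROGUE_LINE + "\n"


def review(baseline_text: str = BASELINE_LOG, current_text: str = CURRENT_LOG):
    """Return (entries new since baseline, odd autostarts) for the current log."""
    base, cur = parse_log(baseline_text), parse_log(current_text)
    return new_entries(base, cur), odd_autostarts(cur)


if __name__ == "__main__":
    added, odd = review()
    for e in added:
        print("NEW :", e.section, "-", e.detail)
    for e in odd:
        print("LOOK:", e.section, "-", e.detail)
```

Keep a copy of the log from a day you believe the machine is clean and feed it in as the baseline; the diff is then small enough to read. The caveat, which the next reply in this thread makes in its own words, is that a HijackThis log only covers the autostart locations the tool knows about: the hodll.dll file TrojanHunter found is absent from the log above, so an empty diff is not a clean bill of health.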
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    From what you have said, and because there is nothing showing in the HJT log, I would suspect the possibility of a rootkit trojan.

    I would strongly recommend downloading and running a specialised anti-trojan.
    Even though TrojanHunter is good, most experts agree that TDS is far superior at detecting rootkits & hidden trojans.
    The anti-trojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    Download & install the 30-day free trial, and update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto-update enabled.

    Then press Scan Control & tick all the little boxes in the bottom part of that window, press Save Configuration and then close that window by pressing the red X in the top right corner, then select System Testing and select Full System Scan.

    Sit back with a cup of coffee and watch what it finds.

    NOTE:

    Unlike set-and-forget AVs, TDS works with you; it doesn't auto-delete anything but puts a list of found suspect files in the bottom window.

    Right-click any file it finds and it gives you options on dealing with it. The normal selection would be Delete, but first select "Save as text"; that will create a logfile of all the found suspect files in the TDS directory, called scandump.txt.

    Post back with the TDS log after running, please; just copy & paste the entries from scandump.txt.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    The C:\WINDOWS\hodll.dll file that TH found is probably a keylogger called the powerkey keylogger.

    Did TH remove it, or just warn you and leave it there along with the rest of the nasty files associated with it?
     
  7. Kirkwa

    Kirkwa Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    7
    Yes, I believe so; below is the message TrojanHunter gave me.

    Renamed file C:\WINDOWS\hodll.dll to C:\WINDOWS\hodll.dll.tcf
    Trojan cleaning finished.

    Question: Should I delete the renamed file, (C:\WINDOWS\hodll.dll.tcf)?

    Here is what I found using TDS-3 Professional:

    17:26:22 [Mutex Memory Scan] Finished (no trojan mutexes found).
    17:26:22 [Trace Scan] Started...
    17:26:32 [Trace Scan] Finished.
    17:26:32 [ServiceScan] Scanning for services and drivers ...
    17:26:37 [ServiceScan] Scanned 373 services and drivers.
    17:26:37 [File Scan] Scanning in A:\ ...
    17:26:38 [File Scan] Scanned 0 files: 0 alarms in 1.03125 seconds (Avg 1. files/sec)
    17:26:38 [File Scan] Scanning in C:\ ...
    18:04:52 [File Scan] Scanned 73547 files: 2 alarms in 2293.531 seconds (Avg 33.07 files/sec)
    18:04:52 [File Scan] Scanning in D:\ ...
    18:20:25 [File Scan] Scanned 16092 files: 2 alarms in 932.8906 seconds (Avg 18.25 files/sec)
    18:20:25 [File Scan] Scanning in E:\ ...
    18:20:25 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
    18:20:25 [File Scan] Scanning in F:\ ...
    18:20:25 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
    18:20:25 [Scan] Finished.

    Found with full system scan:
    RAT.ProRat 1.1 (dll) – c:\windows\hookntqsi.dll
    Possible keylogger – c:\windows\win32clt.exe

    Deleted both files per TDS-3 instructions.

    I am somewhat new to the subject of Internet security; I’m doing a lot of reading and trying to apply what I have learned. Given what I have found (with everyone’s help), it seems I have a long way to go. All the suggestions received to date are much appreciated.

    Question: Are there other steps I can take to strengthen my protection against unwanted intrusion?
     
  8. Tarheel63

    Tarheel63

    Joined:
    Sep 6, 2004
    Messages:
    5
    If you are using Internet Explorer, I would switch to an alternative browser such as
    Firefox. http://www.mozilla.org/products/firefox/
    This will cause you fewer headaches while browsing, as Firefox does not support ActiveX. :D :D
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    Read here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

    There are links to various security applications that will prevent you ever being hacked again.

    I particularly recommend PrevX Home.
     
  10. Kirkwa

    Kirkwa Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    7
    I went to the Mozilla website and downloaded/installed the Firefox web browser. Cool! I also went to the page suggested, http://forums.techguy.org/t208517/s.html, "tighten your security settings and how to help prevent future attacks." Great information!

    You guys have given me a lot to absorb/research. I'm going to take a moment and learn these programs you've suggested.

    I really want to thank everyone who sent information to help answer my questions. Everyone’s advice was great and helped so much. I hope in the future I can return the favor.

    Please send any other suggestions you feel will help.
    Thanks so much, Kirkwa
     
  11. Tarheel63

    Tarheel63

    Joined:
    Sep 6, 2004
    Messages:
    5
Short URL to this thread: https://techguy.org/274987