Solved: Have I Been Hacked?

[Kirkwa]

Hi all,

I’m new here and to forms in general, I’m hoping someone can help me understand a situation I an having with my system. I have Norton 2003 Internet Security Professional install on my Dell Dimension 8300, running Windows XP Professional, version 2002, Service pack 1. I am also running Spybot–Search and Destroy 1.3, Ad-aware 6.0, and Web root Spy Sweeper 3.0.0.

I run the updates on the above programs religiously, including Win XP. Several times now I have been online, and discovered my Personal firewall settings have been turned off. My first thoughts were, OK, I have been hacked. Each time this has happened, I turned the firewall back on, and run Norton’s live update. I got off line and ran Norton Anti-Virus, which found nothing.

So to my question, am I right in assuming I have been hacked? In addition, how do I verify this, and stop these attacks?

Thanks for any suggestions
Kirkwa

 

[cheese]

Download Hijackthis http://www.s92400163.onlinehome.us/hijackthis.zip

Extract..open...scan...and save log. Copy and paste here. Do NOT check off or fix anything yet.

 

[KrashedKris]

I'm not an expert but I can make a couple of suggestions maybe to get the ball rolling, and then some of the heavy-hitters here can step in hopefully and help you resolve any problems.

It's certainly possible your firewall is being shut down by a virus or trojan infecting your machine, but let's come back to that shortly.

The other possibilities that spring to mind for me as I also use NIS are as follows:-

1) The NIS firewall has developed an internal error and is shutting itself down completely.

2) The NIS firewall has developed an internal error and appears to be shutting down, but however is still running in the background.

3) The NIS firewall set-up needs to be tweaked

To address these issues, can you tell us a bit more about the events leading to your firewall shutting down? Does the firewall load at startup, i.e. globe symbol showing in system tray? (If it doesn't load at startup, can you check your NIS configuration and ensure that you have selected it to load at startup).

If it loads at startup and shuts down later, do you get any error messages or other indications when it shuts down, and how are you aware of the shutdown?

Are there any indications from your firewall logs (right-click on system tray globe icon, select "Log Viewer") of your firewall status, and any alerts re intrusions, remote access attempts, unauthorised connections etc?

Coming back to the possibility of an infection/hack on your system, you are doing the right thing by running full system NAV scans regularly. May be worth running it in safe mode also as this can sometimes pick up viruses not found in normal mode. Also upgrade your AdAware from version 6.0 to the latest "SE" version, also free, update that with the latest SE definitions file and run in safe mode also.

Also, download the free diagnostic/repair application "Hijack This" from here -
http://www.aumha.org/downloads/hijackthis.exe

Create a new folder named "HJT" for it and move the hijackthis.exe file into the new folder. Run the scan and save the logfile of the scan results to notepad and post the results back to this thread, but DO NOT FIX ANYTHING with HijackThis until your log has been examined by a knowledgeable responder, most of the items in the scan are required system or application files.

Also, I'd suggest downloading TrojanHunter (30-day free trial) from here -

http://misec.net/products/TrojanHunter.exe

Install and update definitions manually as per site instructions, and run a full scan for trojans. When connected to the net, use the "Quick Scan" facility to determine if any suspicious ports are being opened. Also, try starting your net connection but initially do not open any browser windows or launch any other known programs that access the net. Then use TrojanHunter's Netstat viewer (Tools - Netstat Viewer - select to update manually or automatically) to see if any connections have been established automatically.

hth

 

[Kirkwa]

Wow! Thanks for the quick response.

Hi KrashedKris & Cheese,

KrashedKris,

Answers to your questions:

1. Yes, the firewall does load at startup, I see the globe symbol in the system tray, I can also check the NIS configuration.

2. I also ran a full virus scan in safe mode and found no infections.

3. The first and second time I became aware my firewall was down, I was re-booting my system. A Norton Internet Security window popped up, telling me my firewall settings had been changed. The third time, I was checking my setting, and found they were turned off.

4. I don't get any error messages from Norton Internet Security when these event happen but I do get intrusions, remote access attempts when I am online. I

I downloaded and ran both the programs you too suggested, below are the results of those scans.

Note: there seems to be a Trojan file in the TrojanHunter Full Scan below.

HLT Scan:

Logfile of HijackThis v1.98.2
Scan saved at 1:20:36 AM, on 9/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\hijackthis.exe
C:\Program Files\WinTV\WinTV2K.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

TrojanHunter Quick Scan:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan (autostarted files, running executables)
No trojan files found

TrojanHunter Full Scan:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\WINDOWS\hodll.dll (KLog.SvcLog)
1 trojan files found

Kirkwa

 

[dvk01]

From what you have said and because there is nothing showing in a HJT log I would suspect the possibility of a root kit trojan

I would strongly recommend downloading and running a specialised anti trojan
Even though Trojan hunter is good most experts agree that TDS is far superior at detecting rootkits & hidden trojans
the antitrojan that I use for dealing with them is

TDS3 from http://tds.diamondcs.com.au/

download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

sit back with a cup of coffee and watch what it finds

NOTE:

Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

post back with the tds log after running please, just copy & paste the entries from the scandump.txt

 

[dvk01]

the C:\WINDOWS\hodll.dll file that TH found is probably a keylogger called powerkey key logger

did TH remove it or just warned you and left it there along with the rest of the nasty files associated with it

 

[Kirkwa]

Yes, I believe so, below is the message TrojanHunter gave me.

Renamed file C:\WINDOWS\hodll.dll to C:\WINDOWS\hodll.dll.tcf
Trojan cleaning finished.

Question: Should I delete the renamed file, (C:\WINDOWS\hodll.dll.tcf)?

Here is what I found using TDS-3 Professional:

17:26:22 [Mutex Memory Scan] Finished (no trojan mutexes found).
17:26:22 [Trace Scan] Started...
17:26:32 [Trace Scan] Finished.
17:26:32 [ServiceScan] Scanning for services and drivers ...
17:26:37 [ServiceScan] Scanned 373 services and drivers.
17:26:37 [File Scan] Scanning in A:\ ...
17:26:38 [File Scan] Scanned 0 files: 0 alarms in 1.03125 seconds (Avg 1. files/sec)
17:26:38 [File Scan] Scanning in C:\ ...
18:04:52 [File Scan] Scanned 73547 files: 2 alarms in 2293.531 seconds (Avg 33.07 files/sec)
18:04:52 [File Scan] Scanning in D:\ ...
18:20:25 [File Scan] Scanned 16092 files: 2 alarms in 932.8906 seconds (Avg 18.25 files/sec)
18:20:25 [File Scan] Scanning in E:\ ...
18:20:25 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
18:20:25 [File Scan] Scanning in F:\ ...
18:20:25 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
18:20:25 [Scan] Finished.

Found with full system scan:
RAT.ProRat 1.1 (dll) – c:\windows\hookntqsi.dll
Possible keylogger – c:\windows\win32clt.exe

Deleted both file per TDS-3 instructions

I am somewhat new to the subject of Internet security; I’m doing a lot of reading and trying to apply what I have learned. Given what I have found, (with everyone’s help), it seems I have a long way to go. All the suggestion received to date is much appreciated.

Question: Are there other steps I can take to strengthen my protection against unwanted intrusion?

 

[Tarheel63]

If you are using Internet Explorer, I would switch to an alternative browser such as
Firefox. http://www.mozilla.org/products/firefox/
This will cause you less headache's while browsing as Firefox does not support Active X.

 

[dvk01]

read here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

there are links to various security applications that will prevent you ever being hacked again

I particularly recommend PrevX home

 

[Kirkwa]

I went to the mozilla web site and downloaded/installed the firefox web browser. Cool! I also went to the page suggested, "http://forums.techguy.org/t208517/s.html, tighten your security settings and how to help prevent future attacks." Great information!

You guy's have given me a lot to absorb/research. I'm going to take a moment and learn these programs you've suggested.

I really want to thank everyone that sent information to help answers my questions. Everyone’s advice was great and helped so much. I hope in the future, I can return the favor.

Please send any other suggest you feel will help.
Thanks so much, Kirkwa

 

[Tarheel63]

Kirkwa, Here is more info on free security tools.

http://s97862746.onlinehome.us/BasicSecurity/