Help: Someone has hijacked my computer

Got numerous problems with my computer, such as something is sucking all
memory and slowing it to a crawl most of the time.  I can hear pretty
continuous hard drive spinning and activity while nothing is happening on
the computer, which should be a symptom of something?

I have AVG running all the time and run av-cls reasonably regularly and when
it runs to completion, it reports nothing.  But it has started behaving
strangely: I am supposed to have it running at the moment. But I pressed 4
and it downloaded the Kaspersky files and then when I told it to run the
program, it just returned me to the start link DOS-box. I then ran Trend and
it is giving me a 16-bit subsystem error message telling me that some
Symantec\S32event1.dll virtual device driver has failed initialisation on
TrendMicro's lpt803.zip.  (I ignored it but am not now sure that the
trendmicro program is running properly or whether whatever has stopped the
computer running properly is also stopping the AV program from detecting it.)
Meanwhile FireFox stops running every two or three days despite continuous
updating.

But there are some suspicious symptoms, including a BSOD with an error
message I can't remember but which I had never seen before.  And a week or so
ago, while I was closing the computer down, I saw it trying to close
something which said DO NOT SHOW THIS BOX in that force-closing box which
you get when things like NVidia etc. won't close down by themselves!

This morning the crawl slowed so much and numerous programs started crashing
(including some APOINT mouse driver and RAPI which I thought was something
pretty integral to XP) that I closed it by pressing the power button. When I
opened it up again, everything started very slowly as usual and I saw a
mysterious message which flashed on opening up FireFox and with nothing else
running telling me that it was sending three messages, two remaining, done:
all in about half a second.  That may have been Firefox sending a report
that it had just crashed to Mozilla, but why are there three of them in a
situation in which I am suspicious that something has hijacked my computer?

I have run RogueScanFix and tried posting a HiJackThis log (using the newest
version) on bleepingcomputer but there haven't been any responses in over a
week. I also have WhatsRunning running but can't see anything suspicious, or
whatever it is has managed to prevent TM or WR from seeing it.  Am I being
paranoiac or is someone out to get me?

As usual no amount of SFCs, CCleaners, Scandisks, defrags, Adawares, Spybots
can assist.



Re: Someone has hijacked my computer


"news.rcn.com" <news.rnc.com> wrote in message

You might wanna check and see if you've been rooted.
Download Rootkit Revealer here:
http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx

If you've been rooted, and I think you have been, about the only way to
recover is to do a format and clean install.





Re: Never even heard of being rooted! Is it something which can spread from computer to computer?


> You might wanna check and see if you've been rooted.


A few further suspicious items arose after I posted this message: Firstly, I
noticed WhatsRunning shows a startup item for VF9 which (either does or
doesn't) run an exe file in my system32 directory called VF9485.exe. I was
advised that this is a remaining artifact of some trojan or virus I had a
year ago which has been removed, and either I can't see the actual VF9485.exe
file in my system32 directory any more or it is hiding its presence there in
some way.

Meanwhile at about the time I stopped that process (I only stopped it in the
startup folder!!), FireFox suddenly disappeared.

Secondly, there is a blue-headed box on my screen which I have never seen
before saying Damage Cleanup Engine (DCE) reporting "No Virus Found", which
isn't a part of the no-longer-running Kaspersky, is it? Meanwhile TrendMicro's
DOS box has apparently stuck on "executing BKDR_PCCLIENT.WZ pattern". When I
press OK on the supposed DCE box, the TrendMicro DOS box disappears, though
I can see the TrendMicro scan box scanning all local drives. When it gets to
SCANNING C:\*.*, a DOS box opens again and starts scanning, which looks like
it is supposed to? Anyway, it reports nothing it finds suspicious whatsoever
on my computer.

WhatsRunning's IP CONNECTIONS tab shows 405 connections running and about
twenty new ones being created every few minutes, almost every single one of
them being a VoIP service I use called SJPhone. Not sure if the presence of
an IP Connection means that the specified port is available to SJPhone or if
it is actually being used. However, when I delete SJPhone from Task Manager,
the reports stop. (The computer doesn't necessarily run any faster.)
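The poster's question above (does a listed "IP connection" mean a port is merely open to SJPhone, or actually in use?) is answered by the TCP state column of `netstat -ano`. This is an added example, not code from the thread: it parses constructed netstat-style rows and groups them per PID and state, so that LISTENING (port open, waiting), ESTABLISHED (a peer is connected) and TIME_WAIT (a closed leftover) are counted separately. The sample rows, PIDs and addresses are all made up.

```python
"""Summarise Windows `netstat -ano` style output per process and TCP state.

Added example, not from the thread. LISTENING rows mean a port is open but
idle; ESTABLISHED rows are connections actually in use; TIME_WAIT rows are
recently closed. Counting them per PID tells the two cases apart.
"""
from collections import Counter, defaultdict

# Constructed sample in `netstat -ano` layout (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:5060           0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.10:5060      203.0.113.7:5060       ESTABLISHED     2244
  TCP    192.168.1.10:1045      203.0.113.7:10000      ESTABLISHED     2244
  TCP    192.168.1.10:1046      203.0.113.7:10002      TIME_WAIT       0
  TCP    192.168.1.10:1050      198.51.100.3:80        ESTABLISHED     1780
  UDP    0.0.0.0:5060           *:*                                    2244
"""

def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) for each data row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if parts[0] == "UDP":        # UDP rows carry no State column
            proto, local, foreign, pid = parts[:4]
            state = "-"
        else:
            proto, local, foreign, state, pid = parts[:5]
        yield proto, local, foreign, state, int(pid)

def summarise(text):
    """Return ({pid: Counter(state -> count)}, {pid: set of remote IPs})."""
    by_pid = defaultdict(Counter)
    peers = defaultdict(set)
    for proto, local, foreign, state, pid in parse_netstat(text):
        by_pid[pid][state] += 1
        if state == "ESTABLISHED":   # only live connections name a real peer
            peers[pid].add(foreign.rsplit(":", 1)[0])
    return dict(by_pid), dict(peers)

def established_count(text, pid):
    """Number of connections PID actually has in use (ESTABLISHED)."""
    by_pid, _ = summarise(text)
    return by_pid.get(pid, Counter())["ESTABLISHED"]
```

Run `netstat -ano` on the affected machine, save the output to a file and feed its text to `summarise()`; a process with hundreds of ESTABLISHED rows to many distinct peers is a different matter from one with hundreds of LISTENING or TIME_WAIT rows.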



Re: RootkitRevealer reveals not much


"news.rcn.com" <news.rnc.com> wrote in message
That didn't really work. Either I am reading it wrongly or the revealer only
revealed three harmless-looking entries.

Two in HKLM\SECURITY\policy\secrets, one called sac* and one called sai*.
They are timestamped 31st August 2001 and I assume if they have been around
that long and are sized 0 bytes, they must be relatively harmless.

Also one in profiles in FireFox dated this minute in my Application Data
folder in a directory called 545vdqcn.MyName in a sub-dir called cache, which
I suppose I can delete easily enough. (It IS 128 kb and it does delete.)



Re: RootkitRevealer reveals not much


"news.rcn.com" <news.rnc.com> wrote in message
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx


Re: Not sure the link is all that helpful except to keep companies' Tech Support departments fully staffed?

LET EVERYONE COME DOWN ON ME LIKE A TON OF BRICKS FOR THE HERESY I AM
RELATING BELOW



This doesn't really address the problem of what to do if your system was at
all times fully patched but you think you might have been hacked.
Especially when all indications from RootKitRevealer are that you haven't
been hacked (this is what mine says, isn't it? That
HKLM\SECURITY\Policy\Secrets\SAC* and SAI* aren't much to worry about? I
can't find any reference to them on the web being anything to worry about?)

All this page says is that (assuming everyone has unlimited time to go
through this POSSIBLY futile operation), every few weeks the nervous amongst
us are better safe than sorry to completely destroy all their data and
software and operating system and format their hard drives and reinstall
everything.

It also negated the utility of running backups of data as any backup may be
similarly infected every few weeks by something which has cleverly hidden
itself.

As it happens I do have another, newer computer on which this problem is
trying to manifest itself: It has AVG protection, suitably updated
continuously. Yesterday it caught a trojan which it killed off.  Thereafter,
a gigantic number of files which have an exe extension are reporting
Win32/Virut, which is apparently a virus which gets past firewalls and seems
to make corrupted copies (?) of every .exe file on your computer.  AVG
catches about two to three of these a minute and moves what it calls the
infected files to a vault.  I can't even launch av-cls as a backup as when I
do, I get a win32/virut virus message.  I ran a Full System Scan (which
found 193 'infections') followed by an SFC /purgecache and a SFC /scannow
and it tried to tell me that firstly SFC was infected, then that it couldn't
be found.

The next day I ran a full AVG scan again after the daily update and it found
1017 infections all of which it says it healed!  (I assume they are copies
because Windows is still running.  Running it again results in even more
infections, curiously mostly in service pack uninstall files?)

I suppose
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx would
advise that the only option is to wipe the hard drive and reinstall
everything even though I had a fully patched system with fully up to date
anti-virus protection?

There has to be a better way than this? Is there any way of running UBCD4WIN
and doing a full up-to-date virus check on the drive and running SFC
thereafter from UBCD4WIN?

Then only the ultra-ultra-ultra (ultra?) nervous amongst us might worry that
something infected the CD during its build process and kept itself hidden?



Re: Not sure the link is all that helpful except to keep companies' Tech Support departments fully staffed?


"news.rcn.com" <news.rnc.com> wrote in message

You just don't want to face the truth.


What does hack mean to you? If you got hacked, then it came past everything
you had in place to stop it or detect it.


You're the one doing the driving, don't include the word US. It's you and
only you facing this problem at this time.


I hate to be blunt about it. But you are the problem. The one sitting behind
the keyboard and mouse doing the typing at the keyboard and pointing &
clicking with the mouse.


If you have 1,017 infections, which is a ridiculous amount to begin with,
that it saw, then what about the other 1,017 it didn't see and is still
there, possibly. How do you know what is and what is not on the machine? Do
you have some kind of crystal ball?

You ever hear of a zero day exploit, meaning that it's so new that the
detection software cannot detect it, because there is no signature for it
to be used by the detection software to detect it?

With 1,017 infections *that you know about*, a totally compromised
computer, there is no telling what's on that computer that a hacker could
have put there that is undetected.


A fully patched machine doesn't mean anything, and neither does that AV, when
there is a bad user behind the keyboard doing the typing, using the mouse
pointing and clicking.


Yes, there is a better way. It's called practicing safe hex to begin with to
protect yourself and the computer.

http://www.claymania.com/safe-hex.html

It's called secure the operating system from attack as much as possible.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm


It's just some information. Did you need to fly off the handle on a rocket
ship to the Moon? It's your bed lay in it. It only affects you and no one
else but you as to what you do with your situation -----  unbelievable. :)


Here is another link *more information* that may send you to the Moon.

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html



