View Full Version : Was I Hacked?



TheKiler
06-11-2004, 02:42 AM
I opened up my hard drive and I found this file:

hacked.txt

I opened it and it said

Pwned by your local hacking group.

Each folder was spammed with that file with variations of 01 to 100.

I did notice an intense performance drop and a dramatic speed decrease in my DSL modem the day before. Was I hacked?

4play
06-11-2004, 02:47 AM
I don't think anyone would bother creating that many files; sounds like you caught a virus or a worm written by these people. Either way I would look into getting a decent antivirus.

TheKiler
06-11-2004, 02:47 AM
I had NOD32 and Panda both on guard... That's a bit strange.

tesco
06-11-2004, 02:59 AM
Probably spyware... try running Spy Sweeper.

What is the point of running two antiviruses?

4play
06-11-2004, 03:01 AM
Not really; if it's been written by a relatively unknown group they will design it not to be picked up by antiviruses. Just submit it to NOD or Panda and see what they say.

TheKiler
06-11-2004, 03:03 AM
Submitted.

I have SpywareBlaster and ran Spybot, Ad-Aware, and Spy Sweeper. They all found nothing.

TheKiler
06-11-2004, 03:17 AM
NOD32 said your system is clean. Check your firewall logs.

Firewall log (zone alarm with router)

-program access check: admuncher
-repeat program: myie2
-repeat program: firefox
-blocked program msn messenger

Nothing else... weird.

SaYiaN
06-11-2004, 04:32 AM
Most likely a trojan!?

Have you downloaded anything recently?

TheKiler
06-11-2004, 05:11 AM
No, I've been doing some research for my school. That was it.

baccyman
06-11-2004, 06:48 PM
If you have any malware or trojans this might help you out; there is a free version or you can buy the full program.

http://www.emsisoft.com/en/

lynx
06-11-2004, 07:45 PM
Originally posted by TheKiler@11 June 2004 - 05:19
No, I've been doing some research for my school. That was it.
You didn't do anything silly did you?

Like actually take your pc to school and plug it into the network?

TheKiler
06-11-2004, 09:35 PM
No, I haven't. I've scanned for the trojans and it found nothing. HELP :helpsmile:

dopey
06-11-2004, 09:59 PM
Well, seeing as you are at a loss, try this.

Download HijackThis here (http://www.spywareinfo.com/~merijn/files/hijackthis.zip).

Unzip it into its own folder, scan and save a log.

Post the contents here.

Good luck.

TheKiler
06-11-2004, 10:10 PM
Logfile of HijackThis v1.97.7
Scan saved at 4:16:29 PM, on 6/11/2004
Platform: Windows XP SP1, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\protowall\ProtoWall.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.165.109.81:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\protowall\ProtoWall.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v4.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1086544794265
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38073.5604282407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

dopey
06-11-2004, 11:21 PM
OK. First please unzip HijackThis into its own folder. Running it from the zip file is risky, since the backups will be deleted as soon as you clear your temp files.

This item I have a question about:
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe

Did you set that shell up yourself? If not, you can also check it with HijackThis.

Rescan and check the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all browser windows and hit Fix checked.

I see you have NOD32 still installed, but it isn't listed in your running processes. :o

The corresponding O10 item is also missing.

I suggest you go offline, and uninstall/reinstall your NOD32 software.

Before doing that, though, using Internet Explorer, do an online virus scan here: http://housecall.trendmicro.com/housecall/start_corp.asp
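Added example (not from this thread and not HijackThis code): a small Python script that reruns the three checks made on the log above, so they can be applied to any HijackThis 1.x log. It treats the F2 Shell entry as suspicious when anything other than explorer.exe is listed (that item is the Winlogon Shell value, and every comma-separated program in it is started at logon), flags the R1 ProxyServer entry because 216.165.109.81 is not a private address (an IE proxy pointed at an outside host relays the browser's traffic through it), and reports security products that have an autostart entry but no running process. The sample log is the relevant subset of the one posted in this thread; the watch-list of expected security processes is an assumption the analyst supplies.

```python
"""Triage a HijackThis log for the indicators discussed in this thread.

Added example for this thread; not HijackThis code.  Reads the format
HijackThis 1.x writes: a "Running processes:" block, then "Rn/Fn/On - ..." items.
"""
import ipaddress
import re
import sys

# Subset of the log posted in this thread (only the lines that matter here).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1, v.2096 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\protowall\ProtoWall.exe
C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.165.109.81:3128
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: the analyst lists the security products known to be installed.
EXPECTED_SECURITY_PROCESSES = {"nod32kui.exe"}

ITEM_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) items."""
    processes, items = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_processes = False
            items.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "items": items}


def shell_findings(parsed):
    """Programs other than explorer.exe in the Winlogon Shell value (F2 items).

    A clean XP box has exactly "explorer.exe"; extra comma-separated entries
    are launched at logon alongside the shell.
    """
    extras = []
    for code, body in parsed["items"]:
        m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
        if code == "F2" and m:
            for part in m.group(1).split(","):
                part = part.strip()
                if part and part.lower() != "explorer.exe":
                    extras.append(part)
    return extras


def proxy_findings(parsed):
    """(host, port, external) for each proxy in R1 ProxyServer items.

    Handles "host:port" and "http=host:port;https=host:port".  Hostnames that
    are not IP addresses are reported external=True: they cannot be judged offline.
    """
    findings = []
    for code, body in parsed["items"]:
        m = re.search(r"ProxyServer\s*=\s*(\S+)", body)
        if not (code.startswith("R") and m):
            continue
        for entry in m.group(1).split(";"):
            target = entry.split("=", 1)[-1]      # drop a "http=" style prefix
            host, _, port = target.rpartition(":")
            if not host:                           # no port given
                host, port = port, ""
            try:
                external = not ipaddress.ip_address(host).is_private
            except ValueError:
                external = True
            findings.append((host, port, external))
    return findings


def missing_processes(parsed, expected=EXPECTED_SECURITY_PROCESSES):
    """Expected security executables with no entry in Running processes."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    return sorted(name for name in expected if name.lower() not in running)


def triage(text, expected=EXPECTED_SECURITY_PROCESSES):
    parsed = parse_log(text)
    return {
        "shell_extras": shell_findings(parsed),
        "external_proxies": [f for f in proxy_findings(parsed) if f[2]],
        "missing_security_processes": missing_processes(parsed, expected),
    }


if __name__ == "__main__":
    log = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in triage(log).items():
        print(f"{key}: {value}")
```

Save the full log to a file and run `python hjt_triage.py hijackthis.log`; with no argument it runs against the embedded subset, reporting svchost.exe as the extra Shell program, 216.165.109.81:3128 as an external proxy, and nod32kui.exe as installed but not running.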

TheKiler
06-11-2004, 11:24 PM
OK... I get this now:



IHDR , * F? pHYs   
xڝSwX>eVBl "#Y a@Ņ
VHUĂ
H(gAZU\8ܧ}zy&j 9R<:OHɽH g yx~t?o  p.$P&W " R .T  Sd
ly|B"
I> ة آ  (G$@ `UR, @".Y2G vX@` B, 8 C L0ҿ_pH ˕͗K3w!lBa)f "#HL 8?flŢko">! N_puk[ V h]3 Z
zy8@P<
%b0>3o~@z q@qanvRB1n#Dž)4\,XP"MyRD!ɕ2 w
ONl~Xv @~- g42y @+ ͗ \L D*A aD@ $<B

dopey
06-11-2004, 11:27 PM
Did you fix the F2 item?

And is this after a reboot? Please elaborate.

Do run the virus scan as well.

Post a new log.

TheKiler
06-12-2004, 01:45 AM
F2 problem?

I've scanned again and I got this again




IHDR , * F? pHYs   
xڝSwX>eVBl "#Y a@Ņ
VHUĂ
H (gAZU\8ܧ}zy&j 9R<:OHɽH g yx~t?o  p.$P&W " R .T  Sd
ly|B"
I> ة آ  (G$@ `UR,  @".Y2G vX@` B, 8 C L 0ҿ_pH ˕͗K3w!lBa)f "#HL 8?flŢko">! N_puk[ V h]3  Z
zy8@P<
%b0>3o~@z q@qanvRB1n#Dž)4\,XP"MyRD!ɕ2 w
ONl~Xv @~- g42y @+ ͗ \L D *A aD@ $<B

I've done virus scans with Norton, Symantec, Panda, Kaspersky, and NOD32 and found absolutely nothing.

dopey
06-12-2004, 02:37 AM
Is that what happens when you try to run HijackThis? I'm lost here.

TheKiler
06-12-2004, 05:16 AM
Yeah... that's what I get for HijackThis...

dopey
06-12-2004, 05:44 AM
After you place the HijackThis program (icon with the dynamite) into its own folder,
have it scan once more.

You should get a list of items like the one you posted before.

Place a check in the box next to these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

The F2 item was up to you if you didn't make it like that.

Then close all browser windows and hit Fix checked.

You should then reboot and rescan with HijackThis and scan/save another log;
copy and paste it here.

Don't hit save until after you fixed these items and rebooted.

TheKiler
06-12-2004, 06:31 PM
The problem is that whenever I hit scan I get this


€c€gi€s€@ :

N(( ƒ Y @ p œ R98 0100 ˆ ( D „

!#"! $)4,$'1'-=-167:::"*?D>8B3796

OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO x !
} !1AQa"q2‘#BR$3br‚
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…†‡ˆ‰Š’“”•–—˜™š
w !1AQaq"2B‘ #3Rbr
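Added example, not part of the thread: what was pasted above is not a HijackThis log but the bytes of image files shown as text. "IHDR" and "pHYs" in the first two pastes are PNG chunk names, and the run `!1AQa"q2‘#BR$3br‚` followed by `%&'()*456789:CDEFGHIJ...` in the third is the standard Huffman table carried by every baseline JPEG. On a box where the cleanup tool itself produces that, the first thing to confirm is what the file on disk actually is and whether it matches a hash obtained from somewhere else. The Python script below identifies a file by its leading bytes, walks the chunk names of a PNG, and compares a SHA-256 against a known-good value. The three sample files are constructed inside the script, and the known-good hash is a placeholder computed from the constructed sample, which the reader would replace with a vendor-published value.

```python
"""Check what a file really is before running it: magic bytes, PNG chunks, hash.

Added example for this thread.  Sample inputs are constructed below.
"""
import hashlib
import struct
import sys
import zlib

# Leading bytes of the formats that matter here: a Windows executable and the
# two image formats whose signatures appear in the pasted "output".
SIGNATURES = [
    (b"MZ", "PE/DOS executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive"),
]


def identify(data):
    """Return a format name from the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def png_chunks(data):
    """Chunk type names of a PNG: each chunk is length(4, big-endian) + type(4) + data + CRC(4)."""
    if identify(data) != "PNG image":
        return []
    names, pos = [], 8                      # skip the 8-byte signature
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        names.append(data[pos + 4:pos + 8].decode("ascii", "replace"))
        pos += 12 + length                  # length + type + payload + CRC
    return names


def verify_tool(data, expected_sha256):
    """True only if the bytes are an executable AND hash to the value obtained out of band."""
    return (identify(data) == "PE/DOS executable"
            and hashlib.sha256(data).hexdigest() == expected_sha256)


# --- constructed samples -------------------------------------------------
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"pHYs", struct.pack(">IIB", 2835, 2835, 1))
              + _chunk(b"IEND", b""))
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # DOS-stub shape only, not a real PE
# Placeholder: in practice this is the hash published by the tool's author.
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_EXE).hexdigest()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
        print(identify(blob), png_chunks(blob), hashlib.sha256(blob).hexdigest())
    else:
        for name, blob in [("png", SAMPLE_PNG), ("jpeg", SAMPLE_JPEG), ("exe", SAMPLE_EXE)]:
            print(name, identify(blob), png_chunks(blob), verify_tool(blob, KNOWN_GOOD_SHA256))
```

Run as `python whatis.py HijackThis.exe`; a result other than "PE/DOS executable", or a hash that does not match the published one, means the tool on disk is not the tool you think you are running.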

dopey
06-12-2004, 07:05 PM
OK, you may have something that's interfering with the program.

In order to detect whether you are infected by HackDefender, please download this utility:
http://bagpuss.swan.ac.uk/comms/RKDetectorv0%5B1%5D.62.zip

Let me know how it goes. The fixes for this trojan aren't exactly simple.

Good luck.

Edit: sorry, forgot to post the instructions.

Unzip it to your desktop.
In the RKDetector folder you unzipped you will see rkdetector.exe and tcp.dll; hold down your Control key and left-click each of these files once so they both end up highlighted at the same time. Next right-click one of them and choose Copy.
Go to Start > Run and type %windir% and hit Enter. The window that opens will be the systemroot folder (windows or winnt, depending on the system). Right-click an open area in that window and choose Paste. You should see rkdetector.exe and tcp.dll appear in the file list there.
Once that is done go to Start > Run and type command and press Enter.
In the following commands {s} = press the space bar one time.
At the command prompt type the following:
cd{s}desktop, press Enter
rkdetector.exe{s}>{s}rkdetector.txt, press Enter
The command window will go blank for a minute or so; when the prompt comes back type
exit and press Enter.
Find the file on your desktop called rkdetector.txt and look at the last 6 lines; if they all say "Found: 0" then let us know nothing was found. If something was found then paste the entire contents of the file as a reply to this thread.

TheKiler
06-12-2004, 10:45 PM
It says:

Failed to intialize in 16-bit mode. Your computer may have insufficent access.

dopey
06-12-2004, 11:35 PM
OK. Are you having trouble with any other programs?

If you are, it may be time to consider starting over. :(

Since your first log (the only one that worked) showed your NOD32 already disabled in some way, you probably have more things going on than I can see.

Before going for the reformat, you might want to try posting your log in a help forum, such as Computer Cops or SpywareInfo; maybe some new eyes looking at your log can have some idea of where to proceed from here.

I would suggest posting the log you have, along with a portion of the scans with gibberish. I know I'm not the most technically advanced person, and they might know what's causing it.

TheKiler
06-12-2004, 11:51 PM
Something's happened to my security and firewall!

ZoneAlarm has a constant System Error: Please reboot.
I tried uninstalling and reinstalling 3 times!

NOD32 is always disabled!

Panda always displays an error!

Norton always says the registry has been tampered with and I can't uninstall it!

Windows has a weird boot screen! It's pirated XP?

Online scanning won't work! It always says ActiveX is disabled!

Spybot works halfway and freezes.

Ad-Aware won't even start.

Spy Sweeper is always missing... I keep installing it but it's always missing!

System Restore is constantly off!

HijackThis won't start!

Task Manager is disabled? I can't even open it!

Start --> Run won't open up!!
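Added example, not from the thread: three of the symptoms listed above (System Restore off, Task Manager disabled, Start > Run gone) are exactly what Windows does when particular policy values are set, and malware commonly sets them, together with the one that blocks Registry Editor, to hinder cleanup. Whether that is what happened on this machine is an assumption; the thread does not say what set them. The Python script below parses a .reg export of the policy keys (for example `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg`, plus the HKLM keys), names the value behind each symptom, and writes a .reg file that clears them so the change can be reviewed before it is imported. The sample export is constructed.

```python
"""Map disabled-tool symptoms back to the registry policy values that cause them.

Added example for this thread.  Input is a .reg export (regedit or reg export);
the sample below is constructed, not taken from the machine in the thread.
"""
import re
import sys

HKCU_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_SYSTEM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKCU_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKLM_SR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

# (key, value name, symptom when the REG_DWORD is 1)
POLICY_VALUES = [
    (HKCU_SYSTEM, "DisableTaskMgr", "Task Manager disabled"),
    (HKLM_SYSTEM, "DisableTaskMgr", "Task Manager disabled (machine-wide)"),
    (HKCU_SYSTEM, "DisableRegistryTools", "Registry Editor blocked"),
    (HKLM_SYSTEM, "DisableRegistryTools", "Registry Editor blocked (machine-wide)"),
    (HKCU_EXPLORER, "NoRun", "Start > Run removed"),
    (HKLM_SR, "DisableSR", "System Restore turned off"),
]

# Constructed sample export in regedit 5.00 format.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; dword values become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = vm.groups()
            if data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data.strip('"')
    return keys


def policy_findings(keys):
    """(key, name, symptom) for every watched policy value present and set to 1."""
    by_lower_key = {k.lower(): v for k, v in keys.items()}
    found = []
    for key, name, symptom in POLICY_VALUES:
        values = {n.lower(): v for n, v in by_lower_key.get(key.lower(), {}).items()}
        if values.get(name.lower()) == 1:
            found.append((key, name, symptom))
    return found


def undo_reg(findings):
    """A .reg file that sets each offending value back to 0 (review before importing)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in findings}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:00000000' for k, name, _ in findings if k == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Version 5.00 exports are UTF-16; use a different encoding for REGEDIT4 (ANSI) files.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    findings = policy_findings(parse_reg_export(text))
    for key, name, symptom in findings:
        print(f"{symptom}: {key}\\{name} = 1")
    print(undo_reg(findings))
```

Clearing these values restores the tools, but it does not remove whatever set them; on a machine that also shows a tampered Shell value and disabled antivirus, the undo file is a diagnostic step, not a cleanup.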

dopey
06-13-2004, 12:38 AM
That's what I was afraid of.


Hacker Defender is probably what you have. :(


You can try doing what I told you, posting what you have in a help forum, but the easier/faster way to go would probably be a reformat. Otherwise, according to some folks, some traces of this evil program might still be around.

At least this way, you will be sure.

Back up programs from trusted sources and hopefully you can stay clean.

BTW, your NOD32 was disabled from the first HJT scan.

It may be a good idea to change your passwords, etc.

TheKiler
06-13-2004, 12:54 AM
I tried formatting with the command:

Format C:

but it says "Unable to format".

I used Partition Magic from a super recovery DVD I made and the hard drive didn't show up.

The hard drive is there and usable! In fact, I'm using it right now. I can't even format... oh god :helpsmile:

infamousalbo101
06-13-2004, 07:53 AM
Killa, it looks like you just got pwned x_0 knockout

TheKiler
06-13-2004, 01:58 PM
Ahh... what do I have to do??

>>This message was generated by the hax0r<<


WHAT THE?? I DIDN'T PUT THAT THERE!

TheKiler
06-20-2004, 04:49 AM
Whoa... I found the solution! I was looking around the hard drive and I found a folder named fix and a folder named broken. I opened up fix and this screen popped out and it said the computer is now fixed. I restarted and everything worked again. Then I double-clicked on broken and I got the same problems again, so I clicked fix and again it was fixed. This is strange......

shn
06-21-2004, 05:17 AM
Originally posted by TheKiler@19 June 2004 - 22:57
Whoa... I found the solution! I was looking around the hard drive and I found a folder named fix and a folder named broken. I opened up fix and this screen popped out and it said the computer is now fixed. I restarted and everything worked again. Then I double-clicked on broken and I got the same problems again, so I clicked fix and again it was fixed. This is strange......
Is that right? What is the Windows World coming to? :rolleyes:

Hey at least they left a fix.

SaYiaN
06-22-2004, 04:41 AM
lmao, someone's been toying with you! ;)

tesco
06-22-2004, 04:49 AM
:lol: :lol: Messed. Really messed! :lol:

At least you got it fixed, good job :D

TheKiler
06-22-2004, 04:56 AM
Is this a prank? A new virus??!

dopey
06-22-2004, 05:20 AM
You should also submit the files to Kaspersky.

Can you now fix the items mentioned in my first post and then, after rebooting, post a fresh log?

Something may still be going on.


At least then you will know if your AV is back working.

TheKiler
06-24-2004, 02:04 PM
Actually, I formatted the computer and I don't have the files anymore. I hope you guys don't get hacked either.