Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Was Hacked, Now What?

  • Please log in to reply
1 reply to this topic

#1 ColdFFF


  • Members
  • 9 posts
  • Gender:Male
  • Location:Birmingham, UK
  • Local time:08:14 AM

Posted 16 August 2007 - 05:29 AM

As is the usual, I made the mistake of installing software from an untrusted source, and ended up with a Remote Access Tool being disguised and run on my computer. Fortunately, I noticed the issue quickly, and was able to determine what, how, when and why everything happened.

A basic server/client RAT was places in my windows/system32 directory under the name svchost..exe (yes, two dots in the filename), which was executed at startup. TCPView and Process Explorer confirmed my suspicions about said file, as it had opened several ports for listening, and was infact called server.exe and renamed.

Since I have removed all registry entries related to the file (startup entry, list of authorised firewall apps, stubs etc), deleted the file and unchecked the process in msconfig. I am about to run a full AVG scan, as well as adaware and spybot s/d checks.

But is there anything else I can do to check for further damage? I know the best bet is to go for a complete format and reinstall, but this is particularly time consuming and since Im in the middle of revising for my exam retakes Im willing to risk it (at least until Ive got my exams out the way)

BC AdBot (Login to Remove)


#2 fozzie


    aut viam inveniam aut faciam

  • Members
  • 3,516 posts
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:08:14 AM

Posted 16 August 2007 - 06:01 AM

You can check your firewall whether there are any unknown connections going in and out.
You also can use this website to see whether all is ok

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users