
Has My PC Been Compromised?

This topic is locked
3 replies to this topic

#1 CelestialAura (Members, 55 posts)

Posted 05 December 2008 - 12:29 PM

Hoping someone can provide some assistance here.... need system analyzed. Have compiled logs & data for troubleshooting...

Windows XP Home v 2002, SP 3
Intel Celeron 2.4 GHz
2.39 GHz , 256 MB RAM
Hard wired to : Arris Modem #TM502G---->Buffalo High Power AirStation A&G: (NAT enabled & PNP disabled, Intrusion detector enabled, etc... MAC filtered, not broadcasting SSID, etc...) ---->Motorola VT1005 (set statically)---->PC (Broadcom 440x 10/100 Integrated Controller w/TCP/IP set statically, and NetBios disabled)
Agnitum Outpost Firewall Pro ver. 4.0.971.7030 (584): (Stealthed as much as I could without sacrificing connectivity)
Avast! v. 4.8 Home Edition Build Dec. '08 (4.8.1296) : (Stealthed)
ProtoWall : (need to update lists, there are a few certain sites I have to disable ProtoWall to visit...)

Wondering if all my PC issues aren't due to my system being compromised. Have been running extensive scans. Are you familiar with analyzing any of the following logs: DrWeb, FPort, HijackThis, RootkitRevealer, StartDreck, SpyBot S&D?

Strange thing that occurred though, right after I started noticing these issues, I received an email from my web host provider, stating that one of my websites had been compromised and my web page had changed. Here is what they said:

"Recently, we noticed that your username and password for your ftp account hosting has been used by someone to alter your main index.html (or index.htm, index.php) file for your website. Their purpose in doing so was to re-direct your traffic to a host of spam related websites. We have determined that they obtained your username/password from software installed on your client machine - likely some malware that can capture typed information. We have restored your original index file so that your site is back to normal. In order to prevent this issue from happening again, we have deleted your affected ftp accounts. You will need to recreate new ones. You should NOT use the same username and password as before. Use a strong password that does not match your account password. We also recommend updating your virus scanner software and running a full system scan. If you have any further questions or concerns please contact our support department. We will be in touch again shortly."

Funny, the first time in a LONG time, I had just recently used FTP to upload/manage web pages.

Couple strange occurrences took place around this time. I had a DOS screen open, and had toggled to another application... when I toggled back to the DOS screen, this was typed on screen (don't remember specifically, but close to this:) limewire.com . Now, even if I had been typing in the other application, and it somehow had gotten entered into the DOS screen accidentally, nowhere did I ever type limewire.com, and if it was accidentally keyed, it couldn't have been perfect in spelling, etc., as this was. This really spooked me, as I was currently researching different things to determine what was going on with my system, so it was like someone there watching me search my issues, files, etc... and gave me a "clue/hint". FREAKY!

Also, amongst all of this, lots of start up, system dragging issues, etc....

So I went ahead and ran Personal AntiSpy, which indicates there are no keyloggers on my system.

DrWeb scan indicated some issues. I've resolved them all: To resolve the 2 trojans found in System Restore files, I created a new restore point & deleted all previous restore points. The ipscan entry has been deleted. The FPort.20's have been deleted as well, as the real file/application names for FPort are FPort 2.0.

FPort had at times been revealing around 10++ open local ports, around 2000-4000 range. Not sure if this is normal, and was not able to recreate for log. Haven't really seen them at all lately now, though. 2 nights ago, when I went to my Buffalo Router Page, the page kept loading & reloading, wouldn't load properly. I've never had an issue accessing before. So I made some adjustments with Firewall settings, and all is ok and accessible now, and I have been on there and made sure all of my settings were correct, stealthed, etc...

I have Hijackthis logs for 12-2-08 & 12-4-08. 12-2-08 is before any system revisions in attempting to resolve issues. 12-4-08 is current. (Didn't compare to see if they contained the same info or not...) Also including a Hijackthis ADS Spy log scan results as well.

Can anyone shed some light or help me out? I really appreciate any assistance that can be provided! I have a lot more in depth logs & documentation I could provide... such as:

* DrWeb Scan 12-02-08.csv (614 Bytes)
* fport open ports 12-4-08.txt (1.8 KB)
* hijackthis 12-02-08.txt (5.9 KB)
* hijackthis log 12-4-08.txt (6.2 KB)
* hijackthis ads spy log 12-4-08.txt (174 Bytes)
* Outpost Firewall Open Port List 12-4-08.html (670 Bytes)
* Services Settings 12-4-08.html (1.1 KB)
* RootkitReveal 12-4-08.txt (12.1 KB)
* ODQHCCWT PopUp 12-4-08.html (869 Bytes)


~Blessings~


#2 garmanma (Members, 27,809 posts)

Posted 05 December 2008 - 07:03 PM

You have done most everything that we can recommend in this particular forum. HJT logs should not be posted here.
We have a revised procedure for HJT that you should read first:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the log in the proper forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Edited by garmanma, 05 December 2008 - 07:03 PM.

Mark

#3 CelestialAura (Topic Starter)

Posted 07 December 2008 - 10:18 PM

Thank you Mark

~Blessings~

#4 boopme (Global Moderator, 73,488 posts)

Posted 08 December 2008 - 12:22 AM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.