
A few security related questions

7 replies to this topic

#1 infx13

Posted 04 September 2009 - 08:02 PM

Edited in: Despite my name I am not 13 years old lol

A bit complicated as well as possible general PC paranoia, so please bear with me:

Basically I was drunk awhile back and tooling around in a chat room that is frequented by the developers of certain popular open source fractal programs. Though I'm not a programmer myself I enjoy being around for the insight some of the conversations provide. I've spent time in the room before and security was the least of my concerns (plus I was drunk).

Anyways, the conversation drifted, and I found myself shooting the bleep with another member about PC specs and whatnot (I've spoken with him before without any strange occurrences). After admiring his rig, and asking for some tips on possibly getting an overclock without needing to install a new fan, the member asked if I wanted to see a cam of his rig. Being the extremely amateur PC enthusiast that I am, I was psyched to see his "room full of PC parts" as he put it. This was mistake #1: I didn't really know the person, but was bored and am considering building my own PC when I have the money next year.

So I click on the link, thinking it's just some streaming video, and completely without thinking, installed the plugin required to view the stream. Mistake #2: it was an ActiveX control. I've never heard anything good about these, even though I'm sure some do serve a legit purpose sometimes. Basically I guess I did a direct IP connection to his computer (yikes). Short of describing some possibly paranoid ideas, this is where it ends. He showed me some of the different setups he was working on, told me how he works in PC and Property Security (installing home security camera systems, fixing PCs etc) and I went to sleep. The next night, I joined the chatroom and he and another user were talking about how he lost some work last night from accidentally turning off his power strip; they both laughed, then greeted me. It's a bit odd, as my power strip was off when I arrived home and I had to flip the switch to turn it back on (I doubt it's possible for him to do it remotely, but my cleaning lady might have). Coincidence maybe....

The next day after this, (having already decided I should keep my internet unplugged unless I'm actively using it) a couple commonly used programs weren't working properly. I did a system restore, and they worked fine again, but I had to reinstall a few updates from microsoft that protected against remote control and re-download my nVidia drivers, which took about 30 minutes to dl/install.

Ever since this event my internet seems to be a bit slower and is acting a bit funny. I also seem to get spyware and popups easier than before just from browsing the internet. Sometimes when I'm browsing the internet, I will click on a link and the text on the next page will be huge (as if I did ctrl+mouse scroll to zoom in even though I did not).

I'm paranoid that my PC's security may have been compromised by this fellow; he sure does possess the knowledge to hack someone's computer into oblivion, though obviously I have no desire to smear someone's good name on the internet by shouting "j00 haxxed me!" (and also maybe piss him off regardless of whether or not he messed with my computer).

OS: Vista x64
Antivirus/Cleaning Software: Avg-Free & Defender running in tandem, Avast!, Ccleaner
All turn up negative or find just general low risk threats.

So here are my questions:

1. How likely do you think that my PC has been compromised based on the info/story given?

2. Will posting a Hijack-This log possibly help to detect any damage incurred by this guy or any other possible security issues acquired from shady websites, torrents etc?

2a. What are some other good free programs for scanning and getting rid of spyware, trojans and especially rootkits? (AVG Free doesn't scan for rootkits)

3. How can I find out beyond a shadow of a doubt, that someone has true remote control over my system?

4. If I find out that someone does in fact have remote control of my PC through the advice given for question 3, should I even bother trying to fix any breaches or should I just do a factory restore? This guy who may have hacked my PC probably did so thinking I wouldn't suspect anything was done.

5. My computer came with a partition with the factory restore information on it. I can't find the disks I made when I first got the PC, so I would have to make them again. Should I use those or just request a new set of disks be sent from the company I bought my computer from? (Although I'm not sure if they can do that as my warranty is up.) I.e.: if someone hacked my computer, do you think they messed with the partition too?

6. Would I need to request a new IP address from my ISP if steps 4 and 5 are taken to assure complete security?

I will readily admit that I'm a bit of a paranoid person, and some of my paranoia may cause me to be creating a problem out of thin air. Basically I just want to find out if my PC has rootkits, backdoors etc on it or anything else that gives someone remote control over my system. I don't mind general advertising-related spyware (hell, sometimes I've found out about new and/or neat products from internet advertising I may not have known about otherwise) but I absolutely deplore the idea of my computer being used for sending spam, storing hacker tools or any other disgusting things such as that. I rarely run my credit cards on my PC but it pisses me off thinking that someone could be using my PC for bad things.

Either way, it's about time I do a manual check of this PC; I've had it for about a year and have done little other than run my antivirus/CCleaner occasionally.

Thank you in advance to anyone who takes the time to read this convoluted story :thumbsup: and helps to get me started in checking for any security problems.

Edited by infx13, 04 September 2009 - 08:03 PM.


#2 Blade

Posted 04 September 2009 - 09:55 PM

Hello infx13 and :flowers: to BleepingComputer.

First I'll address some of your questions, then we'll go through some steps to check for hacks, malware, or remote access programs. My answers will be numbered to match your questions.

1. My gut instinct is telling me that the likelihood of your being hacked in this situation is somewhat low. While it's true that you put yourself in a pretty shady situation, I don't see any obvious signs of a hack from your relation of events. But we'll run some scans and find out for sure, 'kay? :thumbsup:

2. If we find evidence of a serious malware infection it may be necessary for you to post a log in our HJT forum. Let's not get ahead of ourselves though.

2a. Two excellent antispyware programs that have free versions are Malwarebytes Anti-Malware and SUPERAntiSpyware. We'll be using both of these, in addition to some other tools, to check your computer later on. As far as rootkit detection goes, there are some freeware rootkit detection tools out there. However, these tools are manually driven, and for the most part do not automatically remove items. This is because there are many false positives in an antirootkit scan; if the tool auto-removed everything it found you would quickly find yourself with a very expensive doorstop. It requires a trained eye to be able to interpret the log from the scan, and thus determine if something needs removing. Additionally, since you are running a 64-bit OS, you happen to be immune from most, if not all, rootkits in the wild right now.

3. While there will always be the possibility that a remote access program, hack, or malware program could evade/mislead scanners, with a combination of a good antivirus, a good firewall, and good antimalware utilities, you can be reasonably sure your system is clean.

4. In this scenario. . . the easiest thing to do would just be to format and reinstall or do a factory restore.

5. Unless we find evidence of a serious infection on your machine I would consider it safe to use disks generated from the recovery partition on your computer. It's not likely that someone simply accessing your computer remotely would screw with this.

6. I'd just invest in a router with encryption instead.

Now. . . before we begin with the scans.

Antivirus/Cleaning Software: Avg-Free & Defender running in tandem, Avast!

This could be the cause of your performance issues right here:

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove either Avast! or AVG-Free. AVG-Free can be a bit of a pain to remove, so if you choose to remove it I would visit their website and download their special removal tool to get rid of it.

***************************************************

okay. . . now let's check things out.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#3 infx13 (Topic Starter)

Posted 04 September 2009 - 10:30 PM

Thank you for your very detailed responses to my questions (as well as the encouragement lol)

I followed the steps listed above, though I accidentally did a full scan instead of the quick one and had started it prematurely in anticipation based on another similar response in the forums. I'll make sure to read any further instructions much more carefully and be less quick to jump the gun.

I should also clarify that, upon further inspection, Windows Defender and AVG Free were NOT running in tandem. AVG is set to protect; Defender was only set up to do a bi-weekly scan. As for Avast!, I have that disabled, and run it manually just to sweep up what AVG, Defender and CCleaner may have missed. Anyways, here is the log from MBAM:

_________ ___________ _________

Malwarebytes' Anti-Malware 1.40
Database version: 2743
Windows 6.0.6002 Service Pack 2

9/4/2009 10:50:40 PM
mbam-log-2009-09-04 (22-50-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 417452
Time elapsed: 1 hour(s), 30 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

________ ___________ _____________
It found a couple of Trojan.Vundo's, but those turn up occasionally when I scan with Avast!/AVG/Defender and usually get removed without any problems. Any time I use my limited knowledge to help out a friend or family member too, they usually have it. Maybe they were just hiding on my system and now MBAM got rid of it for good?

Thanks for the help so far, and the extremely well worded response.

PS: I'm not sure if this is relevant, but I'm almost positive the person I suspect may have fairly comprehensive knowledge of using the program BackTrack. I had heard him speaking of it before with other members, and upon further investigation it seems like a legit tech tool for offensively testing a system's vulnerabilities, but can also be used maliciously. (Like I said, he supposedly works in security in addition to his open-source hobbies.) So I'm not sure if this may or may not be helpful to your diagnostics.

Edited by infx13, 04 September 2009 - 10:32 PM.
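Reading a Malwarebytes log by hand is fine for five entries, but a helper who triages many of them wants the structure pulled out and the pasted log checked for completeness (Blade's request above to post the whole log, including the top portion, is exactly about that). The following parser is an added example, not part of this thread or of Malwarebytes' own tooling; it reads the MBAM 1.x text format shown in the post above, splits each detection into path, detection name, tampered/restored value and action, and flags sections whose summary count does not match the entries actually listed. The sample log is a constructed, abridged copy of the one posted above.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: an abridged copy of the Malwarebytes 1.40 log pasted in this
# thread (header lines and most zero-count sections are omitted to keep it short).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2743

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""


class Detection(NamedTuple):
    section: str         # e.g. "Registry Keys Infected"
    path: str            # registry key/value or file path as logged
    name: str            # MBAM detection name, e.g. "Trojan.Vundo"
    bad: Optional[str]   # tampered value (only "Registry Data Items" entries carry one)
    good: Optional[str]  # value MBAM restored
    action: str          # what MBAM did with the item


_SUMMARY = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
_SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")
_ENTRY = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
_BADGOOD = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return the per-section summary counts and the individual detections of an MBAM 1.x log."""
    summary: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None                          # detail section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                        # a blank line ends the current section
            section = None
            continue
        if section is None:                 # summary block or a section header
            m = _SUMMARY.match(line)
            if m:
                summary[m.group(1)] = int(m.group(2))
            elif _SECTION.match(line):
                section = line[:-1]
            continue                        # other header lines are ignored
        if line.startswith("(No malicious"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised entry in {section}: {line}")
        parts = m.group("rest").split(" -> ")   # optional "Bad: .. Good: .." then the action
        bg = _BADGOOD.match(parts[0]) if len(parts) > 1 else None
        bad, good = (bg.group("bad"), bg.group("good")) if bg else (None, None)
        detections.append(Detection(section, m.group("path"), m.group("name"), bad, good, parts[-1]))
    return summary, detections


def summary_mismatches(summary: Dict[str, int], detections: List[Detection]) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count disagrees with the entries actually listed, as
    {section: (expected, listed)}; a log pasted incompletely into a reply shows up here."""
    listed: Dict[str, int] = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in summary.items() if n != listed.get(s, 0)}


def unresolved(detections: List[Detection]) -> List[Detection]:
    """Detections MBAM did not report as removed, i.e. items that still need a reboot or re-scan."""
    return [d for d in detections if "successfully" not in d.action]
```

For the log above, `summary_mismatches` returns an empty dict and `unresolved` an empty list; drop the last entry line from the paste and the Registry Data Items section is reported as (2, 1).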


#4 Blade

Posted 04 September 2009 - 11:11 PM

You honestly don't need Avast! on your system at all. If you keep Malwarebytes on your system and use it as a supplement to AVG and Defender you should be well protected. You can add the tool we'll run next to your arsenal as well, though you should configure it not to start with Windows since you'll only be making use of the manual scanning. Let me know if you need help with that.

The entries Malwarebytes found look like leftovers of a previous infection.

Let's run another scanning utility. Please note that this scan will take some time to run.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator"

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
~Blade


In your next reply, please include the following:
SUPERAntiSpyware log


#5 infx13 (Topic Starter)

Posted 05 September 2009 - 12:42 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/05/2009 at 01:06 AM

Application Version : 4.28.1010

Core Rules Database Version : 4086
Trace Rules Database Version: 2026

Scan type : Complete Scan
Total Scan Time : 00:39:41

Memory items scanned : 200
Memory threats detected : 0
Registry items scanned : 6158
Registry threats detected : 0
File items scanned : 41978
File threats detected : 26

Adware.Tracking Cookie
cdn4.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
cdn4.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificclick.net [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.specificmedia.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.ads.pointroll.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.apmebf.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]
.interclick.com [ C:\Program Files (x86)\Sony\EverQuest II\mozilla\cookies.txt ]

Why the heck were there cookies in the folder of a game I haven't played in almost a year lol

#6 Blade

Posted 05 September 2009 - 09:43 AM

[quote]Why the heck were there cookies in the folder of a game I haven't played in almost a year lol[/quote]
The simple answer is because they just never got deleted.

All that SAS found were tracking cookies.

I'm fairly confident that you're clean.

~Blade



#7 infx13 (Topic Starter)

Posted 05 September 2009 - 07:36 PM

Thank you for your help. You're probably right, and either way it was about time I checked everything out.

A couple quick questions though:

1. Why, in the task manager, when I right-click certain processes and try to see where they are located, does nothing happen?
I can locate almost all the processes except for a few. I'm doing this while running as admin. Ex processes: crss.exe (2 instances running)

2. Why is the Trusted Installer running when I'm not installing anything?

3. I generated a HJT log just out of boredom, and many of the suspicious files say "File missing"

Well, thank you for the general help. I guess I'll post a HJT log over in the proper forum and see if anyone wants to scan it over for me. I see quite a few suspicious things but I of course don't want to take action without some help.

#8 Blade

Posted 05 September 2009 - 08:14 PM

Alrighty. . . good luck! Make sure to reference this topic in your new post in the HJT forum; it might aid the Helper there to see what steps we've already taken here.

~Blade
