Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacked -Help please


  • This topic is locked This topic is locked
20 replies to this topic

#1 Albear

Albear

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 22 May 2010 - 05:09 PM

Last September I purchased a new Dell PC . At the time I had (and still have) a Toshiba laptop.

I have been o the internet at home since 1997 and my first proper job in 1974 was as a

computer operator on a giant ICL mainframe.I have driven computers all my lfe but am not a

techie. I have had nothing but dispair since I purchased the Dell. On day two when I was

loading the software I purchased from Dell I had a vista error message. I rang Dell and they

told me my system was corrupt and it would need reinstalling. I said fine and then they told me

I had to pay 100+ for them to come and do it!!!
I had paid for 4 years breakdown insurance but they told me this only covered hardware! So they

came and reinstalled of note was the fact that the ati radeon driver was not on the Dell

supplied disc (I don't know if this is where my vunrelability has come from?). So the

technician downloaded it. The machine was supplied with vista, wireless card and wireless

keyboard and mouse (no ps2). Over the next few months I kept losing connectivity or getting

multiple networks and unidentified networks. When I looked at seevices, remote call was always

running spoll was as was remote registry. I was signed in as admin on the machine but was being

denied access o many items. For example widows diagnostic service would not start. When I'd

access the service it was stopped and all greyed out, which was the same with all the remote

access services.
I contacted dell and they asked me for 100+ for software support, hey ho so I went for it and

they were pretty stroppy with me by the time I finished contacting them. They were telling me

there was nothing wrong with my machine, but I was losing connectivity regularly, I had no

control over what was running on my machine and some of my software was getting corrupted .
One of my programs ia a database for recording racing pigeon details, pedigrees and velocities,

I had files that were alien and a Borland error. I contacted the vendor who has sold over

30,000 copies and he didn't have a clue he posted the error on Borland forums and no one there

had ever seen the error!
On my machine I had a massstorage device appear and all my drives according to device manger

became portable devices. And I had terredo tunneling devices and Async adapters and ATapi

adapters (though I'm not sure that the atapi were always there). I went on to control

panel/uninstall and saw the modem device was being used 'regularly'but I never use the modem or

Fax.
Let me clarify the use on this machine. It is for home use only no other purpose and it is

(should not) be shared or accessed by anyone (or my laptop) and nothing should be shared.

However my machine shows all the hallmarks of being shared (hijacked!).
In December last year Dell (after asking me for more money ) told me I was entitled to a free

upgrade to windows 7 and that would solve all my problems (they had lost the image on my

machine, whatever that meant?). So I did and the one thing it did do was show me that I had a

VPN on my machine, when I converted and looked at Network & Security centre, I had my two

normal adapters aPLUS a VPN, I immediatley disabled it.
I spent January/February contacting Dell and they at one stage accused me of meddling with the

machine , well firstly I hadn't but secondly it is my machine!!
Then Mcafee played up (not for the first time since September). I had the green tick but could

not configure it, the chat reps kept telling me if I had the green tick it was OK BUT I could

not configure it, everything was greyed out!! So eventually for 3 weeks Mcafee accessed my

machine remotley every day and none could sort it. Eventually I got escalated to the top

technician (I was told) and he ran combofix which identified a root kit. He cleared it (I

think) but then told me my system was corrupt and I should get back to the manufacturer.
I posted on Bleeping computers after this asking for help and at the same time had my Toshiba

in wat PC World because of similar problems. PC World advised a complete wiping of the disc and

reinstall. I then decided to do the same with the Dell and withdrew my request on Bleeping.
I contacted Dell and asked that they wipe my hard disc and reinstall and take my wireless card

and yes I would pay them to do it but they must wipe my disc! So they came and they took my

wireless card out and they DIDN't wipe the disc!! I got back to them and at this stage my dvd

drive had stopped operating (no error messages) just not reading.So they took the Dell in and

returned it two weeks later but they had not wiped they had changed the disc drive (which I was

not expecting). We had a big bust up where the supervisor told me there was nothing wrong with

my machine!! I DID A REINSTALL MYSELF BUT STILL HAD PROBLEMS
Where to go??? I found a local computer man in the telephone directory he came around he has

good experience and was very genuine. He took my machine away to reinstall 'properly' as he put

it. He brought it back and told me it was a super machine and I might have had something on it

but now it was OK and that i had become a computer hypochondriac. He connected it and straight

away I felt it was still not right, it connected in to Network (2) why 2? For me it meant I had

two networks on but I had to go with it. But here we go again there was a teredo tunnel adapter

and the old remote services were running, even though since December I had prohibited remote

access on the machine. I tried to install my printer but of course my disc was for vista so I

would need to go mto HP website but then when I took the disc out windows started installing my

printer drivers. I was told this was because 7 is so intuitive, maybe. But it didn't feel

right. I had then tried to install my printer wirelessly on my Toshiba laptop and it wouldn't

install it told me that i could not have my printer and computeron different networks!
Then last week (week before?)I lost my lan adapter from my Dell, so i restored back about a

week to a good point, and to my surprise wjhen I looked at devices and printers I once again

had a mass storage device but more surprisingly i had another device a 'wireless optical

desktop'. I have no idea what one is. So in panic I undd the restore and the driver for the

optical desktop downloade but quickly 'masked' itself as a USB driver.
I have not touched the machine since because I opened a topic to help cure my Toshiba laptop

which is ongoing.
I was advised today Ineede to open a new topic for help with the dell, so that's what I'm doing

now. I'll post th link to that topic below in the hope it will help because I believe they are

one and the same. Extreme boy has been helping me with my Toshiba and I'd like again to thank

him for his help and patiensce becasue as you can see from this post I ramble but I don't want

to leave out any detail that mey be important. And this has been a total blight on my life this

past 7 moths , because evryone has been telling me there's nothing wrong with my machines.
http://www.bleepingcomputer.com/forums/t/315475/please-check-my-log-files/

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:19 AM

Posted 22 May 2010 - 08:10 PM

Hello,

I wish to clarify whether this topic concerns a different computer from the topic here: http://www.bleepingcomputer.com/forums/t/315475/please-check-my-log-files/

Also: Have you secured your wireless network?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 23 May 2010 - 02:31 AM

Yes this is a different computer. In the same household. Not sure how to answer if I have secured my network. I have done everything possible to keep it secure, changed the admin pasword many times and the ssid many times. Have contacted my ISP many times. In the early days of my Mcafee was telling me an intruder was trying to access my computer, my gateway is ending in 254, the intruder had the same ip address except ending in 253. My ISP kept telling me not to worry it was picking up a close neighbour. I even hid my ssid when I had my wireless card removed and went to cable.
The other think I forgot to mention, was that when I rolled back and looked at the properties of my wireless keyboard, it was showing briefly as the wirelees optical dektop receiver and the language was changed from en uk to en us, they were both showing in a tre with en us the top. My keyboard regularly lost its setting to en us over the six months. When I had one of the reinstalls I got a new wirelss keyboard but that made no change to what was happening.
When I contacted my ISP when I had problems with installing printers recently, they connected to the Toshiba and found over 40 connections they told me that was indicative of spyware/malware on my machine and if I ran malwarebytes it would find it, I told them I had and it had ound nothing, they told me to use spybot because if malware hadn't spybot would, nothing. They then ran autoruns and deleted several files and got it down to about 16. As a point of interest on autoruns under the image hack tab one of the entries, on a google search identified that I had the backdoor bn virus?
Network and security centre has always shown connection to a secure network, except when I had unidentified networks.
Hope that is of help and explains?
Many thanks for this site.
Alabear

#4 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:19 AM

Posted 23 May 2010 - 11:18 PM

Hello Albear and welcome to Bleepingcomputer.

One of my specialties is networking hardware.

I would like to assist you in finding ways to secure your network, but for me to offer you the best advice I have to ask you what your are using for a router. I would need the brand name and model number.

Many routers come with security features such as WEP, WPA-PSK(TKIP) and the newest, strongest encryption is WPA2-PSK(AES)

Make sure your router does NOT have UPNP enabled, make sure port forwarding or triggering is NOT enabled, make sure remote management is NOT enabled.

These settings in routers open your connection to vulnerabilities by hackers, check your routers logs if it keeps one for unauthorized access, check your routers menus for a list of attached devices to see if someone is remotely accessing your network.

I will watch for your reply regarding your routers brand and model number.

Best regards.
Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#5 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 24 May 2010 - 11:51 AM

Hello Mr Bruce, thank you for being kind enough to help me.
My router is a BT Homehub 2.0 v2 0 Type B item code 044024, supplied by my ISP Btinternet, security is WPA2 with up to 63 characters for the SSID key, my current key is in excess of 20. The first thing is my UPNP was enbled , I have now disabled it , so thank you for that. Under sytem properties I have not allowed remote access to my computer but I don't think this has made any difference. I have terredo tunnel adapters, rasasync adapters and the wireless optical desktop appearing on my machine, without any authority from me (that I am aware of). Indeed I feel I have no control over the scurity of this computer.
Mr Bruce you said 'make sure port forwarding or triggering is NOT enabled' , how please where I've tried to find how on my machine but t no avail, and you said 'make sure remote management is NOT enabled' what else should I do beside unticking remote access in system properties. Anything and everything you can impart will be gratefully received and implemented. At the moment though I have no access on my Dell because my lan adapter has dissapeared, I can get it back I believe if I restore back to a previous point. Please advise on what you would like me to do with my Dell and I will ASAP
Once again thank you very much for your help
Albear

#6 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:19 AM

Posted 24 May 2010 - 01:15 PM

Thank you for providing the information you provided above for your hardware setup. :flowers:

I am currently putting your concerns at the top of my list, please be patient while I do some research and I will reply back to you ASAP. :thumbsup:

kind regards. :trumpet:
Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#7 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 24 May 2010 - 01:45 PM

Thank you

#8 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:19 AM

Posted 24 May 2010 - 03:05 PM

Thank you


You're welcome. :flowers:

I wanted to review your other topic regarding your laptop issues first, to see what clues I could pick up out of that topic.

Now that I have reviewed that other topic, I will keep that information in mind while I do research on this current topic. :thumbsup:
Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#9 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:19 AM

Posted 24 May 2010 - 03:35 PM

Please review this web page called "BT Home Hub 2.0 security advice" from your BT hub manufactures web site.

It explains how to secure your Hubs security settings.

http://bt.custhelp.com/app/answers/detail/a_id/11443/c/346



You can access your Hub's internal configuration software by doing the following: Access Hub Manager by typing bthomehub.home into the address bar of your
web browser.


I am still doing a little bit more research, so please be patient. :thumbsup:
Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#10 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:19 AM

Posted 24 May 2010 - 05:49 PM

Mr Bruce you said 'make sure port forwarding or triggering is NOT enabled' , how please where I've tried to find how on my machine but t no avail


This setting will be found in your BT hubs software settings, not on the network cards configuration on the computer.

Here is a PDF version of your BT hub 2.0 user manual, which will help you configure your BT hardware.

http://bt.custhelp.com/ci/fattach/get/1451...6189/redirect/1

This link below points you to general answers to questions, for the BT ACCESS CONTROL choose a question to obtain a solution, there are multible choices look through those.
http://bt.custhelp.com/app/hub/c/346,1887,1891

As for what is the IP address 192.168.1.253 ? That is the IP address you use to access your HUB, it is the actual Internet Protocol address of the following url bthomehub.home This address is used to access your BT hubs internal software for configuring its settings.

Therefore this address is not of an suspicious nature, you can input bthomehub.home or 192.168.1.253 and it will access your Hubs internal setup software.

Any devices that access the hub will use the following IP addresses which are assigned by the Hub, so each device has its on address, they would be the following IP numbers 192.168.1.254, 192.168.1.255, 192.168.1.256 etc.

Any further questions please feel free to ask. :thumbsup:

Edited by MrBruce1959, 24 May 2010 - 05:50 PM.

Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#11 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 24 May 2010 - 06:16 PM

Hi Mr Bruce there is no facility in my router software rergarding port forwarding. I have been on my hub many many tines looking at every piece of configuration. I don't understand, when I installed Norton, norton tells me that it will configure my ntwork on the basis of history it finds on my machine, When I looked at Norton config, therewere many ports allowed through the firewall bynorton specifying specific ports. There is no where on the HUb to configure these, how are they configured??As to the router 253 yes theywere telling me it was aneighbour, i was already connected on 254 my hub gateway, why would Mcafee at the time tell me it was blocking an intruder 253?
The security on my Dell is I believe compromised. At thi moment I can not onnect on my Del, the network adapter has dissapeared how do I resolve please? And I reiterate there is no wghere in my BThub regarding ports!

#12 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:19 AM

Posted 24 May 2010 - 07:53 PM

What Norton is doing is monitoring any activity that is attempting to access the Internet. This activity is tracked so a flag is sent up if anything tries to gain access to the outside world, even authorized programs, so the user has a notification that something might be sending information to another source.

Norton can be configured to allow the connection access without notifying you of such events, or it can be configured to block it or notify you of each event.

Such events are allowing Internet Explorer access to the Internet, if you say yes it allows the connection and Internet Explorer accesses the Internet and displays a web site using DNS (Domain Name System), if you say yes only this one time, it will allow but block the next time you try to use Internet Explorer, if you choose yes, but don't ask me again, it will always allow that connection without asking you for approval.

Any updates you do from software sites will be blocked unless you approve their access.

I am not sure which OS you are using, but Windows Vista and Windows 7 has their own built in firewalls.

You can find this program in the Windows Control Panel.

I want to caution you, not to enable this firewall if Norton is installed as a firewall, because running two firewalls at the same time is not recommended and will cause Internet connection problems.

As for Norton, if you are having issues with it, I suggest you go to the settings menu and see what it is approving and what it is denying.

If you post what Norton program this is and its version number, I can find a proper tutorial for you to use for configuring the program to default back to re-asking you for approval for any or all connections. This way you can start over again with a fresh slate, with-out un-installing the program.

I am going to have you visit a web site called GRC.com and the "Shields Up" section of their web site, here if you read the directions, you can have the web site scan your computers PORTS for any vulnerabilities.
It will scan and attempt to gain access to your computer, it is safe to use and will report back if any of your communications ports are open and vulnerable to hackers.

http://www.grc.com look for SERVICES tab in menu at top, click it, then look for SHIELDS UP! in menu then click it.

Look for a box on next page that says PROCEED it is on the "Welcome to SHIELDS UP" page.

On this next page it may list your ISP's IP address.
Please read the documentation on this page, it will explain how to use the site to check for open un-secured ports.

Edited by MrBruce1959, 24 May 2010 - 08:24 PM.

Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#13 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 25 May 2010 - 04:28 PM

Hi Mr Bruce have read and tried to comprehend, very difficult though because the network tabs referred to I have no access to on either of my machines (as far as I can see. More worrying I rn several utilities on my laptop which is what I have to use to communicate to you and they failed to work!
The site instructed me to contact them. So i emailed as directed
Below is a copy of my mail.

Hi I have had massive problems with my laptop and desktop over the past 6 months and nobody an find the reason. And most tell me I'm imagining it, however the guys on bleeping computer have been helping me with my laptop (thank God!)and I was advised to create a new topic for my pc, the chap advising on my pc told me to visit your site.
Now my first proper job in 1974 was as an operator on a giant ICL mainframe back in 1974and I've driven them eversince and the one thing I know is that the security on both machines is compromised why? Because I am refused access to change security, items are often greyed out even though I am the only administartor! And my machines are purely for pesonal use, if shared not with my intentional permission. And the network tabs you refer to dealing with port vunerability etc I cannot find on this laptop or my pc and as the topics (shortcuts below) explain I have lost my lan adapter on my desktop pc
Anway I ran your leak test on the laptop which tahnks to Bleeping computers is now running much better but it told me I was leaking and I had no firewall? I have Norton 360 on my machine with I thought a firewall I have configured to stop every type of externel network conections.
I have just run your DCombobulator and had the message returned RPC system fault and to contact you. I also did the 135probe which returned stealth dcom service manager. I disbled DCOm and restarted but 135 is still open. You instruct that I should contact you
The Bleepping computer topics for your information are:-
http://www.bleepingcomputer.com/forums/t/315475/please-check-my-log-files/
http://www.bleepingcomputer.com/forums/t/318460/hijacked-help-please/

Unplug and Pray fails to disable too it hangs and does not respond when i ask it to disbale (it reported enabled)
Mousetrap worked and told me I'm clear
Mousetrapcmd ...... call to PlayMetaFile succeeded, ...... Escape/setabortproc was *NOT* executed. So this failed too
Thanks
Alan

Mr Bruce my antivirus / firewall is Norton 360 version 3.8.0.41

Edited by Albear, 25 May 2010 - 04:38 PM.


#14 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 27 May 2010 - 02:15 AM

Hi Mr Bruce, I've found my problem with the lan adapter, the lanmanger had been disabled in the boot so the lan is available to try and connect though I have not done this until you instruct on the way forward. Also find below a reply from GRC.com. Which doesn't help very much. The big problem my intuition is saying on both machines, is the security is compromised, whoever has the top access/(administrator) on these machines is over riding any settings that may be made to seure the machines. Your instruction on how I close the ports down would be welcome because as I say the dialogue boxes illustrated on GRC.com are not available/hidden from me

REPLY
Thanks for letting us know of the error you received from DCOMbobulator. Unfortunately, at this time we are not able to correct this particular problem. Until we release a new version of DCOMbobulator, you will not be able to use the program.

All UnPnP is doing in WinXP is stopping, and then disabling, the SSDP Discovery Service.

We have not had many reports of UnPlug n' Pray hanging. The only thing we could suggest would be to run UnPnP is Safe Mode. If running Vista, you may want to (temporarily) turn off the UAC (User Account Control)

The UnPlug n' Pray web site answers most questions <http://www.grc.com/UnPnP/UnPnP.htm>.

If you ever need the UPnP Services back you can run UnPlug n' Pray again to turn it back on!!

Also, GRC and Steve have Twitter accounts and Blogs that can be easily subscribed to in order to receive periodic news and updates. Please see our <http://grc.com/news.htm> page for all the details.

Thank you for your cooperation, time and patience.

Sincerely,

Greg McIntyre
Gibson Research
Technical Support

#15 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:19 AM

Posted 27 May 2010 - 08:15 AM

Thanks for your reports Albear and the information on your using Norton 360 3.8.0.41.

Be back with a reply later on today. :thumbsup:

Bruce.
Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users