Help! I think I've been hacked


10 replies to this topic

#1 direwolf

direwolf

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:29 AM

Posted 22 August 2010 - 01:36 PM

Hi,
I have an older eMachines T2958PC with a Celeron D 330 @ 2666 MHz, 2x 512 DDR-SDRAM, Windows XP Professional 5.01.26000 Service Pack 3 build 2600. Browsers are: Firefox 3.6.8, Internet Explorer 8.0.6001.18702, and I did install Chrome but then had to go and erase every bit of it.

I use Crap Cleaner regularly, Avast Home version, Zone Alarm, Spybot tea timer, and I keep all browsers, antivirus, firewall, and anti malware programs up to date.

This past winter season I rented a room to a bizarre self described IT genius.
At some point I believe he accessed my PC, it became slower and there are still to this day folks logging into a network that I cannot access and is now invisible.
I'll include some screenshots, and a TCP log...
My tech abilities are almost nil, but I am not afraid of digging in and fixing things.
The symptoms are subtle, but things are running slower. I do not have a wireless router, yet there are still network connections showing up such as Desktop/My Network Places/Entire Network/Microsoft Windows Network/Mshome (and/or) /Workgroup.
If I try to open Mshome I get this message: Mshome is not accessible, You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permission. This network path was not found.
I get the same message when I try to open Workgroup.

I thought I was the administrator/owner, but apparently not any more!

I changed my computer name to "biteme" and moved myself to a new network, but this only caused the other networks to show up as empty.
A while ago I could see the people who would come and go in these two networks.
A few of these were: "Kane", "Martins", "Nancy", and "The Dell Family Computer (Dell)"
The quotation marks are mine, and the latter name I know is the name that my roommate/renter/hacker uses because he told me so.
These would show up and go away along with a few other names. Now I can't see this information at all anymore, but I saved a screenshot of them.

When I run HijackThis there are entries for Internet Explorer even when I am not using IE, and also Microsoft Messenger even though I never use Messenger and thought I had disabled it.

Please HELP, tell me I am not just being paranoid!


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:29 AM

Posted 24 August 2010 - 04:19 PM

Is this person still renting from you? When you say other network, what do you mean? How do you see them? Do you double-click on the Networks icon and see them listed there?

#3 direwolf

direwolf
  • Topic Starter


Posted 25 August 2010 - 12:16 PM

Thank you Grinler for your response.
The renter has left. He installed a wireless router and included my machine in the workgroup named "mshome".
After he left (he was a nightmare seasonal renter) and removed the wireless router, I noticed that there were two workgroups still showing up in "my network places/entire network".
For a while I could see the users of both of these workgroups, but that has changed to where I do not have access to them anymore.
I do not have a wireless router.
I have DSL, and when I first start up my connections are very fast, and if I look up who's on "my entire network" I can see the workgroup I recently created when I changed the name of my computer, with my machine showing there.
After a half hour or so there are two other workgroups which show up, and my browsing slows down.
Is it possible that somehow my machine is being accessed with some sort of "sharing" ports?

#4 Grinler


Posted 25 August 2010 - 02:18 PM

Is the DSL line connected directly to your computer?

#5 direwolf


Posted 25 August 2010 - 05:51 PM

Yes, the DSL line is connected directly to my computer.

#6 Grinler


Posted 26 August 2010 - 03:32 PM

So when you click on the network icon, you see three workgroups? MShome and two others? What are the names of the two others? I do find this strange. Also, do you have any entries for these other workgroups in this file:

C:\Windows\System32\drivers\etc\lmhosts

It's OK if that file does not exist.

#7 direwolf


Posted 26 August 2010 - 09:26 PM

Thank you again for your reply.

When I follow the path of Desktop\My Network Places\Entire Network\Microsoft Windows Network and open Microsoft Windows Network, up until yesterday, for the first few minutes I would see only one workgroup, "pleasant", which had my computer "bite me" in it.
Then two more workgroups would show up, one named Mshome and another named Workgroup.

As of this evening, the "Mshome" workgroup has been renamed "Geckoville".
If I try to open it I get the same message that it is not accessible, etc.
I kid you not, this has actually happened and I sure did not change the name!

The file C:\Windows\System32\drivers\etc\lmhosts shows up as being empty.

Is there any way to just kill all of the workgroups?
I am not part of a workgroup and all I have is this one computer!







Here is a screenshot of my C:\Windows\System32\drivers\etc

#8 direwolf


Posted 26 August 2010 - 09:35 PM

P.S: I don't seem to know how to attach a file to this message or a screenshot, so ignore the prior comment about the screenshot.

P.P.S: Just wanted to remind you that this guy is a self-described IT wizard, but a shady character at best.
I know as a fact that he created the first workgroup and named it "Mshome" and that he called his computer "The Dell Family Computer (Dell)".

P.P.P.S: I am worried about the tcpview log I posted in my initial post. Did I give away information I would have wanted to keep private?

Thanks in advance for your time and efforts, J

#9 Grinler


Posted 28 August 2010 - 10:17 PM

I removed your tcpview log in order to hide anything that may be sensitive.

Download the attached h.bat and save it to your desktop. Then double-click on it and post the contents of the resulting log as a reply to this topic. If you are concerned it may contain private info, you can send it to me via private message.

Attached Files

  • Attached File  h.bat   222bytes   4 downloads


#10 direwolf


Posted 29 August 2010 - 12:08 PM

Thanks Grinler,
I sent you the results via private message.
J

#11 Grinler


Posted 29 August 2010 - 07:15 PM

Fixed the batch file.

Download the attached file and send me the results like you did last time.

Thanks

Attached Files

  • Attached File  h.bat   225bytes   4 downloads




