
Hello All -- I've definitely been hacked


18 replies to this topic

#1 Becky99

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:41 AM

Posted 14 September 2010 - 07:08 PM

Thank you in advance -- My computer was hacked a few months ago (Win XP) so I decided to upgrade and clean install Win 7 x64. I configured my router according to all the safety manuals, as well as my Comodo firewall w/Defense+ (in painful detail so I got it right and set to maximum security). Also had F-Secure running, Malwarebytes & x64 SuperAntiSpyware.

I was in a standard user account and then switched users to my Admin acct (I had not logged into Admin acct that day, I'm 99% positive). When I got into the Admin account the background screen was black, the User Credentials folder was open on the screen as well as a system monitor. This was the 2nd day after the clean install! When I first connected to the internet, my firewall was already set up (from CD that I downloaded from Comodo and scanned for malware) and router fully configured. First thing I did was download all Windows updates and patch the dll vulnerability.

I had been doing backups along the way at each step w/ Acronis True Image, and after this I immediately went to backup (disconnected from internet and logged in as Admin) and couldn't access Acronis -- said I didn't have necessary privileges, even as Admin! SO, I had to reinstall Acronis to get it working. Finally, I uninstalled an Nvidia PhysX thing I had and it said "Admin has set..." some policy or something, so I used Revo to get rid of it.

My friend referred me to you and had some guesses: possibly ICMP or Teredo/IPv6 tunneling (whatever that is) and someone might have used the Nvidia thing with "Lightning Hash Cracker" (whatever that is). I don't have any known enemies, so don't know who would be doing this, though I do use the computer for some business & financial transactions (I've contacted all those institutions and am in lockdown). Attached is my sanitized file from TCPView as you requested. Seems to be lots of listening going on at very high numbered ports, not sure what that means. Please help me with this! Thank you kindly! PS -- Forgot to mention that I did all of the setup from my desktop w/hardwire (router doesn't allow any remote login/control). PS again -- looking some of these up on the net I realize I didn't set anything in my router or firewall about pinging. I don't know if these "echo requests" and other things should be turned off or not. Probably in my case it looks like from what I can gather. Okay, look forward to hearing from you all! Bye.

Attached Files

  • TP7.txt (3.42KB, 11 downloads)

Edited by Becky99, 14 September 2010 - 08:04 PM.




#2 Becky99 (Topic Starter)

Posted 15 September 2010 - 10:05 AM

Here's an update -- My boyfriend was looking at my registry keys last night (he's been helping me and has been on this board the past few weeks, so if this sounds familiar it's just my computer, not some new evil spreading around) and there was something called IPv6 Tunnel, and something else called PIP (I think) tunnel a little below that. Should these be there? Sorry to sound so ignorant but I'm not very good with computer internals. Would be nice to plug it in without being afraid though! Okay thanks. PS I did take another look at my router guide and there's a section about VPN Tunnels which are enabled by default -- I didn't do anything with that in setting it up because it didn't seem like a threat, but now this "Tunnel" word really worries me. Bye :thumbsup:

Edited by Becky99, 15 September 2010 - 10:10 AM.


#3 Grinler (Lawrence Abrams)

  • Admin
  • 43,462 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:04:41 AM

Posted 15 September 2010 - 11:18 AM

Nothing wrong with IPv6 tunneling. Tunnels in general are fine if you use them. If you don't set them up they won't be used and can be ignored.

Nvidia is fine as well.

I don't see anything wrong with the TCPView either.

What makes you think your Windows XP was hacked?

#4 Becky99 (Topic Starter)

Posted 15 September 2010 - 05:50 PM

Hi Grinler! Please see my top post. In brief, when I logged into my Admin account for the first time that day (on Win 7 after a clean install) the screen was black & my credentials manager was open on the screen along with a system monitor log (I had been in a standard user acct and then switched to Admin).

Then today, I noticed something weird with my email (on my laptop now using Vista), so I restarted, and when I logged in to my user account Dell Media Center was open on the screen (I never touched it). I used Revo to uninstall it, and among the items it found were about 5 registry keys under Comodo permissions, each saying something like "private application\allow All\In&Out, etc". I never used Dell Media, and confirmed my boyfriend never did either -- in fact this laptop has been used only about 5 times -- I bought it for a vacation when I had to log into work a few months ago.

Also, just after this Dell Media Center incident today, a Comodo pop up window appeared saying "Warning, we strongly recommend you terminate explorer.exe..." and whatever it was doing was a "Buffer Overflow attack," so I hit the "Terminate" button. Also, when I logged into Admin just now the screen has a black background.

Furthermore, my desktop was hacked (which my boyfriend often uses and which I was describing in my first post) and his CC info was stolen as well as other stuff with all kinds of fraudulent charges (that was XP, then the Admin incident above -- my first post and as described in first line of this post) was right after a clean install of Win7. SO, looks as though my desktop w/new install of Win 7 & my laptop today have both been hacked!

It's like someone is hacking into my IP. Please help! I feel sorry for these people who do this -- really should be more productive and positive with your time than be so mean-spirited towards others! Thanks!

Edited by Becky99, 15 September 2010 - 05:58 PM.


#5 Grinler

Posted 15 September 2010 - 05:53 PM

I can't explain the black screen, but is it possible that you left those programs running the last time you logged in as administrator?

Do you have a wireless router or hardware router?

#6 Becky99 (Topic Starter)

Posted 15 September 2010 - 08:51 PM

Neither I nor my boyfriend have ever opened Credential Manager. Neither of us knows what it's even used for -- he noticed it first actually and pointed it out to me and freaked out and for the last few weeks has done nothing but read stuff on this site & other security things. We also never even knew about the system monitor window that was open as well. There's absolutely no way, I can assure you 100%, those programs have ever been opened by us. After this buffer overflow attack today he told me to download and install a thing he read about called EMET which I've done. My Admin screen is still black. My girlfriend said when this is cleared up I should get WinPatrol where she has this cute little Scottish Terrier who sits in her window and barks when something is wrong! Does that really work? That's so cool!

My boyfriend created a custom Event Log thing that I just looked at and there's all sorts of things in there from today, like Kernel power has been off for 17 seconds and things and it has a user ID if I click on the system + button below. Would that help? It's full of warnings and a few things that say Critical. We both really appreciate your help. If we can figure out what's going on at this point we'll better be able to protect ourselves, but I have no idea. What do you suggest? Thank you so much! Oh sorry, I have both, my laptop is wireless and desktop is wired. My wireless was set up with a wire without internet connection and has like a 40 or 50 digit WPA2 code that looks like this: THfc%}2hscrtILLL67&(*=...etc. Totally nonsensical. Everything else about the setup I wrote about -- I went through the Advanced Configuration part in absolute detail and my boyfriend checked it when we set it up. How could this be happening?

Edited by Becky99, 15 September 2010 - 08:57 PM.


#7 Becky99 (Topic Starter)

Posted 16 September 2010 - 11:19 AM

Okay here's the latest -- I was surveying my programs with the use of a file monitor program and found a bunch of strange entries like C:\Program Files\Microsoft Silverlight\4.0.50826\uk\mscorrc.dll and the company name is listed as two Russian words! Several others in the Silverlight folder under the VBA.resources.dll within Silverlight also have these Russian words where "Microsoft Corporation" should appear, and another one that says the company is Microsoft except there are funny characters at the start and end of it like this:
,Microsoft Corporation'.

Grinler, or one of you guys please help! I'm not going to panic, or do anything until I hear from you. If they want to read my boring emails then fine (I'm writing this using KeyScrambler so hopefully any spies won't know I'm asking for your help and we can figure out what's going on and help others on your site as well). I know you all are busy but please help me when you have a moment! Thanks.

PS -- this is far-fetched but let me run it by you: My boyfriend used to do stock trading on my desktop; if he were being targeted by organized Russian cyberthieves (we're not even talking all that much money, btw), would it be possible for them to survey my desktop hardware and create a firmware-based rootkit, like an imprint of itself on the hardware, which would explain such a fast attack right after a clean install of Win 7? I've been reading about the Zeus banking trojan and the Man-in-the-Middle attacks which happened at HSBC to thousands of people so it's hard for me to distinguish fact from fantasy at this point. I thought my boyfriend was being a little paranoid but now I'm wondering. Thanks!

Edited by Becky99, 16 September 2010 - 11:53 AM.


#8 Grinler

Posted 16 September 2010 - 11:58 AM

Those letters you are seeing are not Russian characters. It's just an encoding issue between different character sets. I have it on my computer too.

Personally, I don't think you're hacked. Please scan your computer using a variety of tools such as ESET Online Scanner, Kaspersky Online Scanner, and Malwarebytes' Anti-Malware. Let me know what it finds.

#9 Becky99 (Topic Starter)

Posted 16 September 2010 - 03:53 PM

Will do, thanks. But the Kaspersky link is broken. I suppose I can look it up myself, unless my browser is insecure. I'll run the others though.

#10 Andrew (Bleepin' Night Watchman)

  • Moderator
  • 8,250 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:01:41 AM

Posted 16 September 2010 - 04:23 PM

It's not just you. The link doesn't work for me and I cannot for the life of me find where Kaspersky moved it to. Perhaps it's offline or they discontinued it?

#11 Becky99 (Topic Starter)

Posted 16 September 2010 - 09:14 PM

Okay thanks Andrew & Grinler -- I ran the other two scanners and they came up with nothing. But Grinler, why do you say you don't think I've been hacked? How can I explain away the fact that when I logged into my Admin account the Credentials Manager was open as well as a system monitor, as well as the other things I told you about?

Also, would these scanners really pick up a hacker trying to cover tracks by making registry changes and planting rootkits? I'd really like to feel comfortable about using my PCs but this is weird stuff. Now when I try to log on using my wireless at first it shows disconnected, then after about 5 min it connects. Furthermore, I can't use my email -- neither Hotmail nor Yahoo (Yahoo I haven't used for months) -- Explorer just hangs and each time a second instance of my email session opens up but it's a blank screen. I've never experienced anything like this. What can I do now? We can clean install everything but we already did that with Win 7 and then there was that Admin account Credential Manager thing, so I have to believe there's a hole somewhere in my setup or a hardware/firmware rootkit planted. Please let me know what I should do next. Thanks again!

#12 Grinler

Posted 17 September 2010 - 07:54 AM

I can't answer as to why the Credentials Manager was open. It's not something that a hacker would typically play with.

http://windows.microsoft.com/en-us/windows...dential-Manager

For a hacker to get in they must have a backdoor. A scanner would typically find these types of programs.

Do you have a wireless router or hardware router between your computer and your internet connection?

#13 Becky99 (Topic Starter)

Posted 17 September 2010 - 11:10 AM

Yes I have a brand new hardware router and configured as much security in the Advanced Configuration section of the manual as I knew how (I left the IPSec, the PPTP & L2TP enabled because they were by default & I have no idea what they were). Also have a personal firewall (but looking at it last night it's not configured to stop anything from getting out, or "phoning home" as they say).

I guess my question boils down to this: how plausible is it for a determined hacker/cyberthief to have seen my boyfriend doing online trading in a more or less very unsecured computer (before we knew much about all of this) to have put a "firmware rootkit" on my desktop as a backdoor device? I know it must be designed for a specific piece of hardware, but the system was exposed so that would have been easy to determine. Question is, how difficult is that? If the answer is relatively easy, we'll have to replace hardware where it might reside and reinstall the OS. If the answer is "you're crazy for even asking -- only in the Twilight Zone," then we'll do a clean install of everything for peace of mind and be on our merry way (after all security protocols are followed as you guys have graciously laid out). Thank you again! PS That description of Credential Manager (thanks for that btw) doesn't sound all that innocuous to me! I'm not a hacker and don't know a thing about it, but when I read this it sounds like I might want it to connect to someone's computer, no? I think I'd like to disable it really!

Quote: "Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. By storing your credentials, Windows can automatically log you on to websites or other computers. Credentials are saved in special folders on your computer called vaults. Windows and programs (such as web browsers) can securely give the credentials in the vaults to other computers and websites."

Edited by Becky99, 17 September 2010 - 11:16 AM.


#14 Grinler

Posted 17 September 2010 - 11:36 AM

IPSec, PPTP, and L2TP can be disabled unless you are using VPNs.

I think it's not possible that the scenario you describe has happened. Remember Credentials Manager just makes it easier for you to connect to another server/account without entering your login information each time. It's not so people can connect to you. So yes, it's fairly innocuous in regards to you and your computer.

Make sure you have no port forwarding configured on your router/firewall. Then do a clean install. Unless you run malware by mistake, you will not be hacked.
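Two things in this thread are worth turning into a repeatable check: the TCPView listing in the first post ("lots of listening going on at very high numbered ports") and the advice just above to make sure nothing is forwarded in from the router. The script below is an added example, not code from BleepingComputer and not the TP7.txt attachment (which is not reproduced here). It reads a constructed listing in the layout Windows `netstat -ano` prints and sorts sockets the way a defender reads TCPView: listeners bound only to loopback (unreachable from the network), listeners bound to all interfaces (the ones that matter if a port-forward or a hole in the router exposes them), listeners in the Vista/7 dynamic range 49152-65535 (high-numbered listeners that Windows services use routinely, which is why a high port number alone is not a sign of trouble), and established connections to addresses outside the private ranges, which are the ones to match to a PID and account for. All addresses, ports and PIDs in the sample are constructed.

```python
"""Defender's triage of a Windows `netstat -ano` style listing (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of Windows `netstat -ano`; every address,
# port and PID here is made up for the example, not taken from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       428
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49810     203.0.113.7:443        ESTABLISHED     2932
  TCP    192.168.1.10:49811     192.168.1.1:80         ESTABLISHED     2932
  TCP    [::]:49153             [::]:0                 LISTENING       864
  UDP    0.0.0.0:5355           *:*                                    1084
"""

EPHEMERAL_START = 49152          # default dynamic port range on Vista/7 starts here
WILDCARDS = {"0.0.0.0", "::", "*"}   # "bound to every interface" spellings
# Address space that cannot be the far end of an internet connection.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: Optional[int]
    state: str            # LISTENING / ESTABLISHED / ... ; "" for UDP rows
    pid: int


def split_endpoint(endpoint: str):
    """'[::]:49153' -> ('::', 49153); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (None if port == "*" else int(port))


def parse_netstat(text: str) -> list:
    """Skip the banner and header lines; keep TCP (5 columns) and UDP (4 columns) rows."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""   # UDP rows carry no State column
        local_ip, local_port = split_endpoint(parts[1])
        foreign_ip, foreign_port = split_endpoint(parts[2])
        sockets.append(Socket(parts[0], local_ip, local_port,
                              foreign_ip, foreign_port, state, int(parts[-1])))
    return sockets


def is_local_address(ip: str) -> bool:
    """True for wildcard, loopback, link-local and RFC 1918 / ULA addresses."""
    if ip in WILDCARDS:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def triage(text: str) -> dict:
    """Bucket sockets the way you would read them in TCPView."""
    report = {"loopback_listeners": [], "all_interface_listeners": [],
              "interface_listeners": [], "ephemeral_listeners": [],
              "external_connections": []}
    for s in parse_netstat(text):
        listening = s.state == "LISTENING" or s.proto == "UDP"
        if listening:
            entry = (s.proto, s.local_port, s.pid)
            if s.local_ip in WILDCARDS:
                report["all_interface_listeners"].append(entry)
            elif ipaddress.ip_address(s.local_ip).is_loopback:
                report["loopback_listeners"].append(entry)
            else:
                report["interface_listeners"].append(entry)
            if s.local_port >= EPHEMERAL_START:
                report["ephemeral_listeners"].append(entry)
        elif s.state == "ESTABLISHED" and not is_local_address(s.foreign_ip):
            report["external_connections"].append(
                (s.local_port, s.foreign_ip, s.foreign_port, s.pid))
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_NETSTAT).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

Reading the buckets: the loopback listener is unreachable from the LAN or the internet whatever the router does; the all-interface listeners are exactly the set to compare against the router's port-forwarding table (with no forwards and no DMZ host, a NAT router does not pass inbound connections to them); the two dynamic-range listeners are the high-numbered ports the first post worried about and are normal for Windows services; and the one external connection is the only line that needs a PID looked up in Task Manager and explained.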

#15 Becky99 (Topic Starter)

Posted 17 September 2010 - 12:03 PM

Very well then. Thank you very much for your time. If you have any other suggestions re: appropriate defense strategies or particular resources they would certainly be welcome. This site is extremely helpful, and thanks to all of you who participate (or should I say participate with benign intentions -- the rest should really get on with enjoying life while you have it)! Bye.



