
Think I am hacked - Can anyone help?


12 replies to this topic

#1 ZIA9872

  • Members
  • 10 posts

Posted 12 January 2011 - 10:01 PM

I think I have a persistent hacker who is somehow accessing my computers. Can anyone look at my TCPView log and help me out? I will attach it.

Edited by ZIA9872, 12 January 2011 - 10:06 PM.




#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 January 2011 - 11:05 AM

Attach it please

#3 ZIA9872

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2011 - 01:47 PM

Here is the TCPView file. I also ran HijackThis if you need to see that as well.




#4 ZIA9872

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2011 - 01:54 PM

For some background on the reason I believe I may have a problem.
The computer is a Toshiba Satellite laptop running Windows Vista.


Recently when I shut my laptop down (I usually just use "sleep mode") - upon startup my Norton Internet Security 2011 settings were all turned off. My free Lavasoft Ad-Aware keeps giving me an error message on startup or wake from sleep mode.

Also recently - just after Thanksgiving I believe I got a HUGE Windows Update download - was that normal? I mean it took like fifteen minutes to update and also was a pretty large sized download.
Since that update I have had lots of trouble.

I know this may sound odd but it also seems as though someone may be remotely controlling iTunes.

Any ideas...?

#5 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 13 January 2011 - 02:37 PM

Some applications are designed poorly and are not meant to function while waking up after coming out of system standby or hibernation.

What do you mean remotely controlling iTunes?

#6 ZIA9872

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2011 - 02:44 PM

I mean that during playback iTunes seems to only play songs from about twenty percent of my library. (I like to run it in shuffle mode so I can hear different tunes from all my albums.)
I also found a "sentinel" file in the iTunes folder when I changed my folder options to "show hidden" and it has an HA (hidden attribute) in its properties description. Online - it says this may indicate that it could be spyware.

I have never owned an iPod and yet I often see iTunes Mobile Device Helper as well as iTunes Helper on in my task manager.
I also noticed that 4 computers are currently authorized in my iTunes account - but I only have two.

I just contacted Apple support about the issue and am hoping I can create a new account and somehow still access the songs I have previously purchased.

#7 ZIA9872

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2011 - 02:48 PM

On my other computer - my main PC - I noticed a program called Windows Live Mesh - which allows any mobile device to connect to a home computer and access and control the files. With all the new technology - I am sure it is possible. Just don't know how to get rid of it and/or prevent it from happening in the future.

I have a Cisco router and set it up by following the recommended settings - but I am not sure that it is protecting me.

#8 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 13 January 2011 - 02:50 PM

Those applications that you are associating with being malware are not malware. They are part of iTunes and cannot be removed. You can remove Live Mesh, as that was installed during Windows Live Essentials 2011. You must have done a full install of that.

#9 ZIA9872

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2011 - 03:00 PM

OK. So you are saying that Windows Live 2011 was an update that just installed the Live Mesh thing?

#10 ZIA9872

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2011 - 03:11 PM

Also - I have the HijackThis log from my main PC - I noticed a few "RunOnce" entries. Could you take a look at that and let me know what you think?

#11 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 13 January 2011 - 03:23 PM

HijackThis logs are not required here, but tell me what they are.

#12 ZIA9872

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2011 - 03:30 PM

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

and there are these two things - with unknown owner - I have lots more in the services section with unknown owner -

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

Where can I have someone look at the HijackThis logs thoroughly? Is there a particular forum?

By the way - thank you for taking the time to respond!!! :)

#13 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 13 January 2011 - 05:20 PM

What is mctadmin?

The others are files added by Windows Live Messenger.

The forum that handles the logs is the Malware Removal section in the Security section.



