
I've been hacked...how to get them out now?


15 replies to this topic

#1 Nigelajodha (Members, 67 posts, Trinidad & Tobago, West Indies)

Posted 14 June 2014 - 11:15 PM

Stopping way short of formatting and restarting my laptop.... can I get back my security??

Around the second week in May 2014 I noticed some different patterns that made me suspicious of some unknown activity on my laptop. I'll list them for you.

Firstly, this is a one-user laptop with no other accounts. I am using WiFi through a Stealth 300 router with WEP2 security. Factory installed Win 8 Dell Inspiron 17R SE.

  1. Log on screen opens to switch user (I never ever use this feature)
  2. After log on, start screen opens straight to "My Computer" rather than Desktop
  3. Router name NEXXT appears and disappears randomly
  4. Unable to reconnect to NEXXT router using given passwords, only doing so after many attempts
  5. After start up, folders found in minimised layout
  6. One instance of "Unable to stop flash drive as someone is accessing it"
  7. Internet assigned homepage resorts back to "about:blank" instead of Google
  8. Encrypted flash drive.... is open and running upon startup of PC
  9. netstat -b shows active connection without ownership
  10. No activity on flash drive, yet when the eject option is used it says it cannot be carried out as it's in use
  11. My YouTube history as of yesterday is showing a video I never saw before or knowingly viewed.
  12. I have no technical training in network security at all, so I have been just viewing videos of how to check and see if another instance is running on my PC. netstat -ano shows several users and, as stated earlier, netstat -b shows at least 2 connections which carry no ownership and are also configured in gibberish, e.g. rather than groups of numbers separated by dots and colons, I have these 2 TCP addresses listed as a combo of letters and numbers with double colons and brackets also included in its make-up. An internet search of this IP address returns.... nothing.
  13. Another PC at home (hard wired) has been checked and "seems" ok .. except for dgen.exe being present on it

Edited by Nigelajodha, 14 June 2014 - 11:18 PM.




#2 palerider2 (Members, 133 posts)

Posted 15 June 2014 - 03:02 AM

 

Stopping way short of formatting and restarting my laptop.... can I get back my security??

Really sorry to say this, but my answer to your question is no.  :mellow:

Hackers use malware for which there are generally no signatures, and so it is unlisted in virus definition files.

And so, it could easily be impossible for a present virus scan to find any of it.

However, if you have not been hacked, virus removal is often possible. Others here may wish to comment on your list of symptoms.


Edited by palerider2, 15 June 2014 - 03:06 AM.


#3 1PW (Members, 316 posts, North of the 38th parallel.)

Posted 15 June 2014 - 03:06 AM

Hello nigelajoda:

If you have only one account on the laptop, and it's the Administrator account, immediately change its password to a more secure one and create a Limited User Account (LUA) with a good, different, secure password for that account. Use the LUA for almost all your computer work.

If the lone account you were using is a LUA, immediately change its password to a more secure one.

Regardless of their present passwords, change your router's passwords to more secure ones.

Items 3 & 4 may be due to a marginal Wi-Fi connection with the router NEXXT.

Item 7: May have happened if your browser was reset or it was completely un-installed/re-installed.

Item 8: May be OK if your idea of shutdown is hibernating instead.

Item 9: A netstat -b will show the PID and the application associated with the connection.

Item 10: This happens frequently with applications that do not properly release their resources. A reboot corrects this.

Item 11: Your YouTube account's password may have been hacked. Change the password even if linked to gmail.com.

Item 12: Please specify the usernames you see. Some may be quite normal. You are also running IPv6 (along with IPv4) if you're seeing IP addresses with hexadecimal notations. Google IPv4 & IPv6 if you wish more knowledge.

Item 13: Do you have any games installed? The last item in this post applies to your

If you have performed secure financial transactions with the laptop, assume the worst and hope for the best. At a minimum, change all possible passwords to more secure ones. I'll leave credit card and personal identification issues up to you.

Do you keep both computers' OSs and applications scrupulously up to date?

In a reply to this thread, please list the laptop's security applications (Anti-Virus, Anti-Malware, Anti-Exploit, Anti-Executable, HIPS, etc.) and be as exact as possible, with much more complete detail, about which Windows 8 OS is installed on the laptop.

I only partially agree with honorable member palerider2. Our knowledge of malware, and their workings, has made great advances. A well thought out security arsenal will offer surprisingly adequate performance these days.

Thank you.


Edited by 1PW, 15 June 2014 - 04:25 AM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#4 Nigelajodha (Topic Starter, Members, 67 posts, Trinidad & Tobago, West Indies)

Posted 15 June 2014 - 04:24 AM

It came installed with McAfee and recently, due to a crash, I had problems with McAfee working. I had to go online with them and in this process I had to install McAfee Virtual Technician. I don't have any other security system installed. I will state something here with great skepticism as I don't wanna offend anyone in the IT community...but... I have considered that ..........McAfee could be the culprit.

I have been taught ole school and I never allow anyone virtually on my PC. This feature in any form is an open vulnerability of any system, and when (after waiting several months) I decided to reuse the laptop and contact McAfee, I had to allow the tech online to fully access my laptop, which required me logging in with several instances of my passwords during the repair. I was extremely uncomfortable with this process but it presented as the only solution to fix the paid subscription of their service.

Oh btw I do have a LUA along with the Admin account which I have never accessed (don't even know the password).

Regarding my listed observations:

Item 7: Have never reinstalled or reset my browser. I have it set to load Yahoo, Google and MSN at the same time. Only Google has been doing this.

Item 8: Strictly ole school as a personality quirk - shut down only (dis is why I picked up on the first instance of switch user). I never use it. I am strictly log off & shut down. Do not use hibernate or switch user feature.

Item 12:

    TCP  [fe80: :bla8:cbec:1575:823e%13]:445    DIAMONDS:54529         Established
         Can not obtain ownership information
    TCP  [fe80: :bla8:cbec:1575:823e%13]:54529  DIAMONDS:microsoft-ds  Established
         Can not obtain ownership information


Edited by Nigelajodha, 15 June 2014 - 04:54 AM.
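Added illustration, not code from any poster: a small Python parser for Windows netstat -b output that classifies each endpoint (link-local IPv6, loopback, private, global, or the host's own name) and flags connections whose far end is the machine itself. The two entries quoted in item 12 above are mirror images (local 445 to remote 54529, and local 54529 to remote microsoft-ds, which is port 445) and both sockets are listed on the same machine, so they describe one SMB connection from the laptop to itself over its link-local IPv6 address. The sample output, the hostname DIAMONDS as the local machine name, and the hex digits in the address are constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample modelled on the netstat -b lines in this thread; the IPv6 hex digits,
# the hostname DIAMONDS and the third (browser) connection are made up for illustration.
SAMPLE = """\
  TCP    [fe80::b1a8:cbec:1575:823e%13]:445    DIAMONDS:54529    ESTABLISHED
 Can not obtain ownership information
  TCP    [fe80::b1a8:cbec:1575:823e%13]:54529    DIAMONDS:microsoft-ds    ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.20:49812    93.184.216.34:https    ESTABLISHED
 [chrome.exe]
"""
LOCAL_HOSTNAME = "DIAMONDS"                                  # assumption: this machine's own name
PORT_NAMES = {"microsoft-ds": 445, "https": 443, "http": 80}  # service names netstat substitutes

Conn = namedtuple("Conn", "proto laddr lport faddr fport state owner")
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def port_num(p):
    """Turn a netstat port field into an int; '*' (unbound) becomes None."""
    if p == "*":
        return None
    return int(p) if p.isdigit() else PORT_NAMES[p]

def classify(addr):
    """Describe where an endpoint points: self, hostname, loopback, link-local, private or global."""
    if addr == LOCAL_HOSTNAME:
        return "self"
    try:
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])  # drop [] and the %zone index
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "global"

def parse(text):
    """Parse netstat -b output; the line after each connection is its owner (or the 'Can not' note)."""
    conns, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = LINE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        owner = nxt.strip() if nxt and not LINE.match(nxt) else ""
        conns.append(Conn(m[1], m[2], port_num(m[3]), m[4], port_num(m[5]), m[6], owner))
    return conns

def self_connections(conns):
    """Connections whose far end is this host; each shows up twice, with local/foreign ports swapped."""
    own = [c for c in conns if classify(c.faddr) == "self"]
    pairs = {(c.lport, c.fport) for c in own}
    return [c for c in own if (c.fport, c.lport) in pairs]
```

Run `parse(SAMPLE)` and `self_connections(...)` on real netstat output by pasting it in place of SAMPLE and setting LOCAL_HOSTNAME to the machine's own name.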


#5 palerider2 (Members, 133 posts)

Posted 15 June 2014 - 04:46 AM

 

I only partially agree with honorable member palerider2. Our knowledge of malware, and their workings, has made great advances. A well thought out security arsenal will offer surprisingly adequate performance these days.

Very politely put.  :cowboy:



#6 1PW (Members, 316 posts, North of the 38th parallel.)

Posted 15 June 2014 - 05:20 AM

Very politely put.  :cowboy:

You deserve no less! :)



#7 1PW (Members, 316 posts, North of the 38th parallel.)

Posted 15 June 2014 - 06:01 AM

It came installed with McAfee and recently, due to a crash I had problems with McAfee working I had to go online with them and in this process I had to install McAfee Virtual technician. I don't have any other security system installed. I will state something here that is with great skepticism as I don't wanna offend anyone in the IT community...but... I  have considered that ..........McAfee could be the culprit.
I have been taught ole school and I never allow anyone virtually on my PC. This feature in any form is an open vulnerability of any system, and when (after waiting several months) I decided to reuse the laptop and contact McAfee, I had to allow the tech online to fully access my laptop, which required me logging in with several instances of my passwords during the repair. I was extremely uncomfortable with this process but it presented as the only solution to fix the paid subscription of their service.

If you contacted McAfee directly, and although generally your fears are not totally unwarranted, you probably received quite safe service.

When your paid subscription to McAfee expires, many avenues of increased protection can be chosen. In the meantime, a great deal of self directed study can lead you towards greatly enhanced protections as you are likely under served now.

Oh btw I do have a LUA along with the Admin account which I have never accessed (don't even know the password).

It is just as well you keep that arrangement for now but change all your passwords.

Please consider using one of many reputable malware removal resources. Bleeping Computer's is certainly top notch.

HTH :)

Edited by 1PW, 15 June 2014 - 06:02 AM.



#8 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)

Posted 15 June 2014 - 07:46 AM

If you contacted McAfee directly, and although generally your fears are not totally unwarranted, you probably received quite safe service.

I agree. McAfee is among the top most popular security vendors. They (and other legit security vendors) would not jeopardize their reputation and risk loss of revenue for doing something like you suggest.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 Nigelajodha (Topic Starter, Members, 67 posts, Trinidad & Tobago, West Indies)

Posted 15 June 2014 - 09:25 AM

Well I'll just keep this in mind, McAfee being straight up. Can't prove who or what is doing this to me anyway. In the meantime any thoughts on those 2 TCPs I posted? Is their configuration display normal?

I have been reading and came across SNORT & HIDS; can they help if used in my situation?



#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)

Posted 15 June 2014 - 11:43 AM



#11 Kilroy (BC Advisor, 3,335 posts, Launderdale, MN)

Posted 16 June 2014 - 09:01 AM

I'm in the camp with palerider2.  Once a machine has been compromised you can no longer trust anything it tells you.

 

I say we take off and nuke the entire site from orbit. It's the only way to be sure. - Ripley

 

While your machine may seem clean and you may believe you have removed an infection there is no way that you can be sure.  Most people aren't going to monitor the network traffic from outside a machine to ensure that the machine is not broadcasting information without their knowledge.



#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)

Posted 16 June 2014 - 06:37 PM


This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



#13 Nigelajodha (Topic Starter, Members, 67 posts, Trinidad & Tobago, West Indies)

Posted 17 June 2014 - 10:14 PM

Folks this is one for the books. As a layperson have I stumbled onto something?? Presently I am using a desktop that was installed on the 5th of this month due to a physical hard drive failure. By comparison this is like the suggested fix for a compromised PC.. to flatten and rebuild. This is the fix for a compromised PC?

I have been viewing and trying to understand how hacking works. My first stop was to check netstat -b and view the TCP protocols that are listed. I decided (as suggested) to Google some of them.

This demolished / rebuilt PC has on it dgen.exe, pastebin, ArenaNet diagnostic utility, Speeky (excuse the spelling), just to name those IPs I've checked online. Some of these sites are even in foreign languages unknown to me.

All of these IPs are Established on this desktop .. that has just been completely rebuilt from scratch (the suggested fix for a compromised PC). None of these sites in any way have been visited to the user's knowledge or technical ability. Why are these sites established only mere days after a fresh install??

I'll be now checking as many of my acquaintances as I can get to do a netstat -b on their systems and see what types of IPs come up. Are we all hacked... unknowingly?

I just stepped away from the desktop (but facing it) to eat. Suddenly the display went off (no probes, maybe it went to sleep); without a breath of air to disturb it the display came back up 2 sec later. I saw this for myself. Am I being remotely viewed?



#14 palerider2 (Members, 133 posts)

Posted 18 June 2014 - 02:44 AM

My advice, for the next step, would be to download TCPView and use that in place of netstat. You'll find that much more convenient to use.

Then, spend time just casually watching it. Make sure that every time you cease browser activity ALL of the connections disappear after about 3 minutes.

Also, maybe post some IP addresses in this thread which you find suspicious.



#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)

Posted 18 June 2014 - 12:39 PM

Did you try the suggestions I provided in Post #10?



