Has my computer been hacked?

[MARVINJCOHEN]

I am suggesting to my parents that they do a system recover on their
computer to get it to the stage it was when it was delivered from the
factory. This would be a lot of work, but I think its necessary.
These are my reasons:
1. The Norton Anti Virus is disabled for 5 to 6 minutes on start up.
2. When you click on the HP (Hewlett Packard) bar at the top, it starts
off OK, and then says "malicious script executing"
3. When I do Symantec's online scan (from their web page), I'm told
that a port is open.
4. I use Eudora email on my parents computer. Eudora is not as safe as
Outlook Express. Recently I opened an email that just locked the
computer for two minutes. I tried clicking on it a half hour later,
and it did the same thing. I wonder if it might have executed some
malicious code.

So, I need an expert opinion - Should I tell my parents to stop doing
financial transactions on their computer and should I rebuild all the
software for them?
Thanks,
Marvin

 

[tim]

I am suggesting to my parents that they do a system recover on their
computer to get it to the stage it was when it was delivered from the
factory. This would be a lot of work, but I think its necessary.
These are my reasons:

I'm no expert, but I'd take the machine to someone competent in cleaning it
up before doing what you suggest.

 

[David H. Lipman]

From: <[email protected]>

| I am suggesting to my parents that they do a system recover on their
| computer to get it to the stage it was when it was delivered from the
| factory. This would be a lot of work, but I think its necessary.
| These are my reasons:
| 1. The Norton Anti Virus is disabled for 5 to 6 minutes on start up.
| 2. When you click on the HP (Hewlett Packard) bar at the top, it starts
| off OK, and then says "malicious script executing"
| 3. When I do Symantec's online scan (from their web page), I'm told
| that a port is open.
| 4. I use Eudora email on my parents computer. Eudora is not as safe as
| Outlook Express. Recently I opened an email that just locked the
| computer for two minutes. I tried clicking on it a half hour later,
| and it did the same thing. I wonder if it might have executed some
| malicious code.
|
| So, I need an expert opinion - Should I tell my parents to stop doing
| financial transactions on their computer and should I rebuild all the
| software for them?
| Thanks,
| Marvin

No. I don't think it is neccessary. Follow every step in the set of instructions that I
have provided below. Then I suggest dumping Norton software and installing Kaspersky or
NOD32 anti virus software. Additionally, make sure the OS and all components are up-to-date
with all Service Packs and Hot Fixes.

--

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_06


http://www.java.com/en/download/manual.jsp



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[Beauregard T. Shagnasty]

4. I use Eudora email on my parents computer. Eudora is not as safe as
Outlook Express.

Har! I love a good joke!

Recently I opened an email that just locked the computer for two
minutes. I tried clicking on it a half hour later, and it did the
same thing. I wonder if it might have executed some malicious code.

Ok, is this an HTML email? Does it have an attachment? If so, what kind?

 

[David W. Hodgins]

4. I use Eudora email on my parents computer. Eudora is not as safe as
Outlook Express. Recently I opened an email that just locked the
computer for two minutes. I tried clicking on it a half hour later,
and it did the same thing. I wonder if it might have executed some
malicious code.

Eudora is not going to autoexecute anything like Outlook Express does.

In addition to David Lipman's advice, I'd also consider hardware
problems. Start with scandisk or chkdsk, as appropriate. Run
a ram test, and ensure the system temperatures are ok.

Regards, Dave Hodgins

 

[anpaul]

NOD32 free and easy for you to get rid of the ugly man.

I used to get inflected with the virus and melicious script, after I
have installed the NOD32 it is free of it.

But you should do the clean it by yourself if you think it is any
malicious script around.

googled to download NOD32 is free

 

[anpaul]

NOD32 free and easy for you to get rid of the ugly man.

I used to get inflected with the virus and melicious script, after I
have installed the NOD32 it is free of it.

But you should do the clean it by yourself if you think it is any
malicious script around.

googled to download NOD32 is free

 

[MARVINJCOHEN]

David,
You suggest dumping Norton software and going with little companies
without much of a rep. I think thats risky. Then you say I should run
MULTI_AV.EXE on my computer. Are you going to give me the source code
to this program so that I can read the whole thing to make sure its
safe, and then let me compile it? You say to disable my firewall (or
use WGET.exe) while I run MULTI_AV.EXE. Suppose I'm a lazy user and
just disable my firewall. Would this be safe?
The internet is a strange place - you could be a very helpful,
knowledgable individual, or you could be a hacker. I would have no way
of knowing. In fact, you can be 3 people at once in this forum. (I am
two myself.)
To answer some of the questions in this forum -
1. the email that locked my computer did not have an attachment.
2. The reason I think Eudora is less safe than Outlook Express is that
I posted my question to a Eudora forum, and was told that Eudora was
not safe. Also, in Outlook Express you can set all messages to be read
as plain text, which prevents mischief. In fact, this is suggested by
Microsoft Windows Help on my XP computer.
3. When I clicked on the HP bar I'm not sure where the "malicious
script" message came from - but I don't think it was NAV. I could
repeat the experiment right now, but for obvious reasons I don't want
to do that.
-- Marvin

 

[David H. Lipman]

From: <[email protected]>

Replies are inline...

|
| David,
| You suggest dumping Norton software and going with little companies
| without much of a rep. I think thats risky. Then you say I should run

On the contrary, they have a great reputation and are ICSA certified.
http://www.icsalabs.com/icsa/main.php?pid=b31a$6140dfe3-4a851ebd$eaa4-72b

http://www.av-comparatives.org/


| MULTI_AV.EXE on my computer. Are you going to give me the source code
| to this program so that I can read the whole thing to make sure its
| safe, and then let me compile it? You say to disable my firewall (or
| use WGET.exe) while I run MULTI_AV.EXE. Suppose I'm a lazy user and
| just disable my firewall. Would this be safe?



Compile it ? It is open source interpretive code to begin with and provides a front-end to
other ICSA Certified command line AV scanners from; McAfee, Sophos, Trend Micro and
Kaspersky.

As for the FireWall, WGET is a GNU free FTP and http 'get' utility and is open source.
Unfortunately a FireWall may block its ability to retrieve the needed utilities, AV scanners
and AV signature files and thus leaving the utility unable to perform its function. I can't
and won't distribute the AV scanners directly. As for disabling tghe FireWall
alltogether... I wish this would NOT have to be done but if the FireWall does NOT give
WGET.EXE permission to access the Internet then thast is the option. If the PC is behind a
NAT Router, this is not a problem. If the PC is up-to-date with patches and hotfixes with
no NAT Router than there is only a slight risk. If the PC is not up-to-date and is not
behind a NAT Router than the PC is being maintained properly in the first place and it is
already "at risk" FireWall or not.



| The internet is a strange place - you could be a very helpful,
| knowledgable individual, or you could be a hacker. I would have no way
| of knowing. In fact, you can be 3 people at once in this forum. (I am
| two myself.)


Do your homework -- start with Google !


| To answer some of the questions in this forum -
| 1. the email that locked my computer did not have an attachment.


That isn't indicative of a virus -- is it ?


| 2. The reason I think Eudora is less safe than Outlook Express is that
| I posted my question to a Eudora forum, and was told that Eudora was
| not safe. Also, in Outlook Express you can set all messages to be read
| as plain text, which prevents mischief. In fact, this is suggested by
| Microsoft Windows Help on my XP computer.


Go to an authotrrative location such as a CERT aor Secunia and compare patched and unpatched
known vulnerabilities of both products. If you really think OE is safer, whay are you not
using it and leaving your parents PC "At Risk" (based upon your own statement). Personally
I use Pegasus Mail.


| 3. When I clicked on the HP bar I'm not sure where the "malicious
| script" message came from - but I don't think it was NAV. I could
| repeat the experiment right now, but for obvious reasons I don't want
| to do that.
| -- Marvin


If NAV is the AV software on your PC then *IT* should be declaring "a malicious script".
Otherwise yopu have to ask what is generating this message and is it really true. i have my
doubts.

Instead of arguing you POVs, I strongly suggest taking proactive messures. Let's face it,
for all the arguments you just made, you failed to provide substantial information in your
original post. For example what version of NAV, what OS and Service pack level, what is the
EXACT message concerning the malicious script and its sourcem what was the "Open Port" (TCP
or UDP) that was reported and the facts surrounding Eudora and the email message. Don't you
think that the fact that the email message had no attachment was important to state in the
original post ?

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,
You suggest dumping Norton software and going with little companies
without much of a rep.

I can assure you that Eset has a very good rep and a mature, reliable
product.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEZ0WR7uRVdtPsXDkRAs+WAJ4lnFhqzJNiAXf9TNGWHbIYjFRWhwCeJXuE
OXPWks741A97opsgOv1z6E0=
=OWTM
-----END PGP SIGNATURE-----

 

[tim]

David,

The internet is a strange place - you could be a very helpful,
knowledgable individual, or you could be a hacker. I would have no way
of knowing. In fact, you can be 3 people at once in this forum. (I am
two myself.)

If you were seriously worried about all of this, why are you here? A few
minutes of googleing would show you who David is.
I'll restate my position on your original question.
Take it to someone who is competent, and pay them to do it for you. So far,
you don't look like you're up for the job.

 

[Peacekeeper]

David,
You suggest dumping Norton software and going with little companies
without much of a rep. I think thats risky. Then you say I should run
MULTI_AV.EXE on my computer. Are you going to give me the source code
to this program so that I can read the whole thing to make sure its
safe, and then let me compile it? You say to disable my firewall (or
use WGET.exe) while I run MULTI_AV.EXE. Suppose I'm a lazy user and
just disable my firewall. Would this be safe?
The internet is a strange place - you could be a very helpful,
knowledgable individual, or you could be a hacker. I would have no way
of knowing. In fact, you can be 3 people at once in this forum. (I am
two myself.)
To answer some of the questions in this forum -
1. the email that locked my computer did not have an attachment.
2. The reason I think Eudora is less safe than Outlook Express is that
I posted my question to a Eudora forum, and was told that Eudora was
not safe. Also, in Outlook Express you can set all messages to be read
as plain text, which prevents mischief. In fact, this is suggested by
Microsoft Windows Help on my XP computer.
3. When I clicked on the HP bar I'm not sure where the "malicious
script" message came from - but I don't think it was NAV. I could
repeat the experiment right now, but for obvious reasons I don't want
to do that.
-- Marvin

Mate David is Legit what he says will do a good job checking your PC
After that do the suggested scandisk check as mentioned below

Tony/Peacekeeper
Mcafee moderator
http://forums.mcafeehelp.com

 

[Phil Weldon]

'Marvin' wrote, in part:
| You suggest dumping Norton software and going with little companies
| without much of a rep. I think thats risky. Then you say I should run
| MULTI_AV.EXE on my computer. Are you going to give me the source code
| to this program so that I can read the whole thing to make sure its
| safe, and then let me compile it? You say to disable my firewall (or
| use WGET.exe) while I run MULTI_AV.EXE. Suppose I'm a lazy user and
| just disable my firewall. Would this be safe?
| The internet is a strange place - you could be a very helpful,
| knowledgable individual, or you could be a hacker. I would have no way
| of knowing. In fact, you can be 3 people at once in this forum. (I am
| two myself.)
_____

If you spend a little time with this newsgroup,
microsoft.public.security.virus, and alt.comp.virus you should be able to
get a sense of who is a responsible, knowledgeable contributor and who
isn't.Usenet newsgroups have a sort of 'peer review' (at least for well
populated groups.) Any wrong or dangerous information is usually called
down quickly and corrected. If you have doubts about the posts you read,
then do some research. Google archives every post to Usenet newsgroups; you
can search by author, subject, key words, dates, newsgroup.

Your hypotheticals are just wheel-spinning; either take the system to a
reputable local computer repair shop, or learn how to judge the worth of the
answers posted in Usenet newsgroups. Too much second guessing can lead to
paralysis.


Also, it is a really bad idea to use your real email address identity when
posting to Usenet newsgroups as you seem to have done. Spammers have
programs that automatically harvest email addresses from Usenet newsgroups.
Even worse, some Internet worms running on infected systems harvest email
addresses from Usenet newsgroup, then use these harvested addresses as 'To:'
fields AND as faked 'From:' addresses for sending more infected email. Use
a domain name guaranteed to be invalid so as to not bring spam and infected
email down on an innocent email box. '(e-mail address removed)' is reserved
and cannot be a valid email address.

Phil Weldon

|
| David,
| You suggest dumping Norton software and going with little companies
| without much of a rep. I think thats risky. Then you say I should run
| MULTI_AV.EXE on my computer. Are you going to give me the source code
| to this program so that I can read the whole thing to make sure its
| safe, and then let me compile it? You say to disable my firewall (or
| use WGET.exe) while I run MULTI_AV.EXE. Suppose I'm a lazy user and
| just disable my firewall. Would this be safe?
| The internet is a strange place - you could be a very helpful,
| knowledgable individual, or you could be a hacker. I would have no way
| of knowing. In fact, you can be 3 people at once in this forum. (I am
| two myself.)
| To answer some of the questions in this forum -
| 1. the email that locked my computer did not have an attachment.
| 2. The reason I think Eudora is less safe than Outlook Express is that
| I posted my question to a Eudora forum, and was told that Eudora was
| not safe. Also, in Outlook Express you can set all messages to be read
| as plain text, which prevents mischief. In fact, this is suggested by
| Microsoft Windows Help on my XP computer.
| 3. When I clicked on the HP bar I'm not sure where the "malicious
| script" message came from - but I don't think it was NAV. I could
| repeat the experiment right now, but for obvious reasons I don't want
| to do that.
| -- Marvin
|

 

[Befunge Sudoku]

David,
You suggest dumping Norton software and going with little companies
without much of a rep. I think thats risky.

Norton is well-known for causing various problems.
Kaspersky and Eset (NOD32) aren't small, they're just not as big as Symantec (Norton) -
and they have very good reputations among antivirus professionals.



--
Post presented in its original aspect ratio of 1.78:1 - scrollbars at
the sides of the screen are normal in this format. This high-definition
digital message was created on a run-of-the-mill PC from the restored
35mm negative. To further enhance it, many grammar and spelling errors
and other inaccuracies have been removed using the DB EBD-TC system.

 

[MARVINJCOHEN]

David,
You say that your code is open source. Fine. Then you should
distribute the open source, and have your users make the source into an
EXE. Otherwise, you are telling people on this forum to download a
program, run it, and take it on trust that it corresponds to the open
source.
I did download your program and run it - and then second thoughts
struck me afterwards.
You say I can tell from google that you are not a hacker. I looked on
google and groups.google, and I see you have web pages, and I see you
have asked questions and answered questions. But a knowledgeable
hacker could do this too. I'm not trying to give you a hard time here,
but caution is called for.
You ask why I'm still using Eudora. The answer is - I'm not - not any
more.
You say you doubt my assertion that I clicked on the HP toolbar and got
a "malicious script" warning . I can understand your saying that,
since I don't see why (or how) a hacker would do this. But see - now
you are saying you don't trust assertions on this forum. Which is
reasonable, since you don't know me.
Likewise, I would say to users of this forum:
1. Don't download and run software from strangers on this forum. If
you wouldn't open an unknown attachment in your email, why would you
run a program from a stranger
2. Be careful of following links on this forum as well.
-- Marvin

 

[edgewalker]

David,
You say that your code is open source.

In the case of interpretive script, both the source code and the "program"
being distributed are the exact same data.

 

[Art]

David,
You say that your code is open source. Fine. Then you should
distribute the open source, and have your users make the source into an
EXE. Otherwise, you are telling people on this forum to download a
program, run it, and take it on trust that it corresponds to the open
source.
I did download your program and run it - and then second thoughts
struck me afterwards.
You say I can tell from google that you are not a hacker. I looked on
google and groups.google, and I see you have web pages, and I see you
have asked questions and answered questions. But a knowledgeable
hacker could do this too. I'm not trying to give you a hard time here,
but caution is called for.
You ask why I'm still using Eudora. The answer is - I'm not - not any
more.
You say you doubt my assertion that I clicked on the HP toolbar and got
a "malicious script" warning . I can understand your saying that,
since I don't see why (or how) a hacker would do this. But see - now
you are saying you don't trust assertions on this forum. Which is
reasonable, since you don't know me.
Likewise, I would say to users of this forum:
1. Don't download and run software from strangers on this forum. If
you wouldn't open an unknown attachment in your email, why would you
run a program from a stranger
2. Be careful of following links on this forum as well.
-- Marvin

Marvin, please try a little common sense and logic. If David's
multi-av contained malware don't you think there would be all
kinds of howls and screams in the various newsgroups he offers
his program? It's not like it's something new and unknown. Probably
thousands of people have used it. Some of us have reviewed
and tested it and critiqued it. All of this you could find out in a
hour or two spent thoroughly checking out newsgroup archives using
multi-av as the key search word.

Your use of the term "stranger" is really peculiar since David
isn't a stranger here ... but you certainly are. Which makes
your post look pariticularly ludicrous to the regulars here, I'm
sure. It would be laughable if it wasn't so pitiful.

Art
http://home.epix.net/~artnpeg

 

[Offbreed]

David,
You suggest dumping Norton software and going with little companies
without much of a rep. I think thats risky. Then you say I should run
MULTI_AV.EXE on my computer. Are you going to give me the source code
to this program so that I can read the whole thing

Hilarious, considering the rest of the post.