Help: Someone has hijacked my computer

news.rcn.com

Got numerous problems with my computer, such as something is sucking all
memory and slowing it to a crawl most of the time. I can hear pretty
continuous hard drive spinning and activity while nothing is happening on
the computer which should be a symptom of something?

I have AVG running all the time and run av-cls reasonably regularly and when
it runs to completion, it reports nothing. But it has started behaving
strangely: I am supposed to have it running at the moment. But I pressed 4
and it downloaded the Kaspersky files and then when I told it to run the
program, it just returned me to the start link DOS-box. I then ran Trend and
it is giving me a 16-bit subsystem error message telling me that some
Symantec\S32event1.dll virtual device driver has failed initialisation on
TrendMicro's lpt803.zip. (I ignored it but am not now sure that the
trendmicro program is running properly or whether whatever has stopped the
computer running properly is also stopping the AV program from detecting it.)
Meanwhile FireFox stops running every two or three days despite continuous
updating.

But there are some suspicious symptoms, including a BSOD with an error
message I can't remember but which I had never seen before. And a week or so
ago, while I was closing the computer down, I saw it trying to close
something which said DO NOT SHOW THIS BOX in that force-closing box which
you get when things like NVidia etc. won't close down by themselves!

This morning the crawl slowed so much and numerous programs started crashing
(including some APOINT mouse driver and RAPI which I thought was something
pretty integral to XP) that I closed it by pressing the power button. When I
opened it up again, everything started very slowly as usual and I saw a
mysterious message which flashed on opening up FireFox and with nothing else
running telling me that it was sending three messages, two remaining, done:
All in about half a second. That may have been Firefox sending a report
that it had just crashed to Mozilla, but why are there three of them in a
situation in which I am suspicious that something has hijacked my computer?

I have run RogueScanFix and tried posting a HiJackThis log (using the newest
version) on bleepingcomputer but there haven't been any responses in over a
week. I also have WhatsRunning running but can't see anything suspicious, or
whatever it is has managed to prevent TM or WR from seeing it. Am I being
paranoiac or is someone out to get me?

As usual no amount of SFCs, CCleaners, Scandisks, defrags, Adawares, Spybots
can assist.

Colon Terminus

You might wanna check and see if you've been rooted.
Download Rootkit Revealer here:
http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx

If you've been rooted, and I think you have been, about the only way to
recover is to do a format and clean install.

news.rcn.com

Colon Terminus said:
You might wanna check and see if you've been rooted.
Download Rootkit Revealer here:
http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx

If you've been rooted, and I think you have been, about the only way to
recover is to do a format and clean install.

A few further suspicious items arose after I posted this message: Firstly I
noticed WhatsRunning shows a startup item for VF9 which (either does or
doesn't) run an exe file in my system32 directory called VF9485.exe. I was
advised that this is a remaining artifact of some trojan or virus I had a
year ago which has been removed, and either I can't see the actual VF9485.exe
file in my system32 directory any more or it is hiding its presence there in
some way.

Meanwhile at about the time I stopped that process (I only stopped it in the
startup folder!!), FireFox suddenly disappeared.

Secondly, there is a blue headed box on my screen which I have never seen
before saying Damage Cleanup Engine (DCE) reporting "No Virus Found" which
isn't a part of the no-longer-running Kaspersky, is it? Meanwhile TrendMicro's
DOS box has apparently stuck on "executing BKDR_PCCLIENT.WZ pattern". When I
press OK on the supposed DCE box, the TrendMicro DOS box disappears, though
I can see the TrendMicro scan box scanning all local drives. When it gets to
SCANNING C:\*.*, a DOS box opens again and starts scanning. Which looks like
it is supposed to? Anyway it reports nothing it finds suspicious whatsoever
on my computer.

WhatsRunning's IP CONNECTIONS tab shows 405 connections running and about
twenty new ones being created every few minutes, almost every single one of
them being a VoIP service I use called SJPhone. Not sure if the presence of
an IP Connection means that the specified port is available to SJPhone or if
it is actually being used. However when I delete SJPhone from Task Manager,
the reports stop. (The computer doesn't necessarily run any faster.)

news.rcn.com

Colon Terminus said:
You might wanna check and see if you've been rooted.

That didn't really work. Either I am reading it wrongly or the revealer only
revealed three harmless looking entries.

Two in HKLM\SECURITY\policy\secrets, one called sac* and one called sai*.
They are timestamped 31st August 2001 and I assume if they have been around
that long and are sized 0 bytes, they must be relatively harmless.

Also one in profiles in FireFox dated this minute in my Application Data
folder in a directory called 545vdqcn.MyName in a sub-dir called cache which
I suppose I can delete easily enough. (It IS 128 kb and it does delete.)

Mr. Arnold

news.rcn.com said:
That didn't really work. Either I am reading it wrongly or the revealer
only revealed three harmless looking entries.

Two in HKLM\SECURITY\policy\secrets, one called sac* and one called sai*.
They are timestamped 31st August 2001 and I assume if they have been
around that long and are sized 0 bytes, they must be relatively harmless.

Also one in profiles in FireFox dated this minute in my Application Data
folder in a directory called 545vdqcn.MyName in a sub-dir called cache
which I suppose I can delete easily enough. (It IS 128 kb and it does
delete.)

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

news.rcn.com

LET EVERYONE COME DOWN ON ME LIKE A TON OF BRICKS FOR THE HERESY I AM
RELATING BELOW

This doesn't really address the problem of what to do if your system was at
all times fully patched but you think you might have been hacked.
Especially when all indications from RootKitRevealer are that you haven't
been hacked (this is what mine says, isn't it? That
HKLM\SECURITY\Policy\Secrets\SAC* and SAI* aren't much to worry about? I
can't find any reference to them on the web being anything to worry about?)

All this page says is that (assuming everyone has unlimited time to go
through this POSSIBLY futile operation), every few weeks the nervous amongst
us are better safe than sorry to completely destroy all their data and
software and operating system and format their hard drives and reinstall
everything.

It also negated the utility of running backups of data as any backup may be
similarly infected every few weeks by something which has cleverly hidden
itself.

As it happens I do have another newer computer on which this problem is
trying to manifest itself: It has AVG protection, suitably updated
continuously. Yesterday it caught a trojan which it killed off. Thereafter,
a gigantic number of files which have an .exe extension are reporting
Win32/Virut, which is apparently a virus which gets past firewalls and seems
to make corrupted copies (?) of every .exe file on your computer. AVG
catches about two to three of these a minute and moves what it calls the
infected files to a vault. I can't even launch av-cls as a backup as when I
do, I get a win32/virut virus message. I ran a Full System Scan (which
found 193 'infections') followed by an SFC /purgecache and a SFC /scannow
and it tried to tell me that firstly SFC was infected, then that it couldn't
be found.

The next day I ran a full AVG scan again after the daily update and it found
1017 infections all of which it says it healed! (I assume they are copies
because Windows is still running. Running it again results in even more
infections, curiously mostly in service pack uninstall files?)

I suppose
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx would
advise that the only option is to wipe the hard drive and reinstall
everything even though I had a fully patched system with fully up to date
anti-virus protection?

There has to be a better way than this? Is there any way of running UBCD4WIN
and doing a full up to date virus check on the drive and running SFC
thereafter from UBCD4WIN?

Then only the ultra-ultra-ultra (ultra?) nervous amongst us might worry that
something infected the CD during its build process and kept itself hidden?
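A signature-independent way to catch what this post describes, a file infector rewriting every .exe, is an integrity baseline of executables taken while the system is known clean (for example from a boot CD) and re-checked later. This is an added example, not code from the thread or from any AV product; the directory names, the VF9485.exe dropper name borrowed from earlier in the thread, and the file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each executable under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }

def compare(baseline: dict, current: dict) -> dict:
    """Report executables whose bytes changed, newly appeared, or vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario in a temp dir: snapshot a clean tree, then mimic a
    file infector appending code to one .exe and dropping a new one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "Program Files").mkdir()
        (root / "system32" / "notepad.exe").write_bytes(b"MZ clean notepad")
        (root / "Program Files" / "firefox.exe").write_bytes(b"MZ clean firefox")
        (root / "readme.txt").write_text("not an executable, never hashed")
        before = build_baseline(root)
        # Simulated infection (constructed bytes, not real malware): the host
        # file gains an appended section and a dropper appears in system32.
        with (root / "Program Files" / "firefox.exe").open("ab") as f:
            f.write(b" + appended code")
        (root / "system32" / "VF9485.exe").write_bytes(b"MZ dropper")
        return compare(before, build_baseline(root))
```

Calling demo() returns the three lists; on a real machine you would store build_baseline() output to read-only media and run compare() against a fresh snapshot taken from a clean boot.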

Mr. Arnold

news.rcn.com said:
LET EVERYONE COME DOWN ON ME LIKE A TON OF BRICKS FOR THE HERESY I AM
RELATING BELOW

You just don't want to face the truth.

news.rcn.com said:
This doesn't really address the problem of what to do if your system was
at all times fully patched but you think you might have been hacked.
Especially when all indications from RootKitRevealer are that you haven't
been hacked (this is what mine says, isn't it? That
HKLM\SECURITY\Policy\Secrets\SAC* and SAI* aren't much to worry about? I
can't find any reference to them on the web being anything to worry about?)

What does hack mean to you? If you got hacked, then it came past everything
you had in place to stop it or detect it.

news.rcn.com said:
All this page says is that (assuming everyone has unlimited time to go
through this POSSIBLY futile operation), every few weeks the nervous
amongst us are better safe than sorry to completely destroy all their data
and software and operating system and format their hard drives and
reinstall everything.

You're the one doing the driving, don't include the word US. It's you and
only you facing this problem at this time.

news.rcn.com said:
It also negated the utility of running backups of data as any backup may
be similarly infected every few weeks by something which has cleverly
hidden itself.

As it happens I do have another newer computer on which this problem is
trying to manifest itself: It has AVG protection, suitably updated
continuously. Yesterday it caught a trojan which it killed off.
Thereafter, a gigantic number of files which have an .exe extension are
reporting Win32/Virut, which is apparently a virus which gets past
firewalls and seems to make corrupted copies (?) of every .exe file on
your computer. AVG catches about two to three of these a minute and moves
what it calls the infected files to a vault. I can't even launch av-cls as
a backup as when I do, I get a win32/virut virus message. I ran a Full
System Scan (which found 193 'infections') followed by an SFC /purgecache
and a SFC /scannow and it tried to tell me that firstly SFC was infected,
then that it couldn't be found.

I hate to be blunt about it. But you are the problem. The one sitting behind
the keyboard and mouse doing the typing at the keyboard and pointing &
clicking with the mouse.

news.rcn.com said:
The next day I ran a full AVG scan again after the daily update and it
found 1017 infections all of which it says it healed! (I assume they are
copies because Windows is still running. Running it again results in even
more infections, curiously mostly in service pack uninstall files?)

If you have 1,017 infections, which is a ridiculous amount to begin with,
that it saw, then what about the other 1,017 it didn't see and is still
there, possibly? How do you know what is and what is not on the machine? Do
you have some kind of crystal ball?

You ever hear of a zero day exploit, meaning that it's so new that the
detection software cannot detect it, because there is no signature for it
to be used by the detection software to detect it?

With 1,017 infections *that you know about*, a totally compromised
computer, there is no telling what's on that computer that a hacker could
have put there that is undetected.

news.rcn.com said:
I suppose
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
would advise that the only option is to wipe the hard drive and reinstall
everything even though I had a fully patched system with fully up to date
anti-virus protection?

A fully patched machine doesn't mean anything, and neither does that AV, when
there is a bad user behind the keyboard doing the typing, using the mouse
pointing and clicking.

news.rcn.com said:
There has to be a better way than this? Is there any way of running
UBCD4WIN and doing a full up to date virus check on the drive and running
SFC thereafter from UBCD4WIN?

Yes, there is a better way. It's called practicing safehex to begin with to
protect yourself and the computer.

http://www.claymania.com/safe-hex.html

It's called secure the operating system from attack as much as possible.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

news.rcn.com said:
Then only the ultra-ultra-ultra (ultra?) nervous amongst us might worry
that something infected the CD during its build process and kept itself
hidden?

It's just some information. Did you need to fly off the handle on a rocket
ship to the Moon? It's your bed, lie in it. It only affects you and no one
else but you as to what you do with your situation ----- unbelievable. :)

Here is another link *more information* that may send you to the Moon.

<http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html>