Topic: Sure I am being hacked?

TheBigCheese

  • Guest
Sure I am being hacked?
« on: May 03, 2004, 04:36:53 am »
noticed some weird stuff with my pc lately online.

My email account has been hacked yet again, other forums I go to, I have had new PMs that have been read but not by me. My computer and internet sometimes go at snail's pace. My MSN messenger seems to have a life of its own and opens and logs on itself??????

I have done spybot, ad aware and antivirus, regularly, so it can't be that.
I don't have a firewall however

Pestalence

  • Guest
Re: Sure I am being hacked?
« Reply #1 on: May 03, 2004, 06:09:54 am »
Have you used HijackThis to see if your system has a hijacker on it.. you will have to weed out hijacker software from actual system components.

 

TheBigCheese

  • Guest
Re: Sure I am being hacked?
« Reply #2 on: May 03, 2004, 06:48:07 am »
thanks, I'll give it a whirl

TheBigCheese

  • Guest
Re: Sure I am being hacked?
« Reply #3 on: May 03, 2004, 06:56:50 am »
well it listed a ton of things, which I cannot make head or tail of, though there are quite a couple of IPs in there that are not mine.

what am I supposed to be looking for?

Pestalence

  • Guest
Re: Sure I am being hacked?
« Reply #4 on: May 03, 2004, 10:05:53 am »
Well, not knowing what you have installed on your system, i can't say... But here is a guide that i use...

http://hjt.wizardsofwebsites.com/


I also follow up Hijack This by using a registry cleaner like Registry Mechanic...

hope that this helps.

 

Sethan

  • Guest
Re: Sure I am being hacked?
« Reply #5 on: May 03, 2004, 10:56:09 am »
Quote:

noticed some weird stuff with my pc lately online.

My email account has been hacked yet again, other forums I go to, I have had new PMs that have been read but not by me. My computer and internet sometimes go at snail's pace. My MSN messenger seems to have a life of its own and opens and logs on itself??????

I have done spybot, ad aware and antivirus, regularly, so it can't be that.
I don't have a firewall however




You do update the antivirus signature files and the detections for Spybot and Adaware before you run them, right?

Stormbringer

  • Guest
Re: Sure I am being hacked?
« Reply #6 on: May 03, 2004, 11:01:42 am »
There is a new worm out. I saw a hyperlink on the AOL welcome screen saying it had affected a multitude of PCs and was spreading fast.

TheBigCheese

  • Guest
Re: Sure I am being hacked?
« Reply #7 on: May 03, 2004, 11:15:05 am »
Quote:

Quote:

noticed some weird stuff with my pc lately online.

My email account has been hacked yet again, other forums I go to, I have had new PMs that have been read but not by me. My computer and internet sometimes go at snail's pace. My MSN messenger seems to have a life of its own and opens and logs on itself??????

I have done spybot, ad aware and antivirus, regularly, so it can't be that.
I don't have a firewall however




You do update the antivirus signature files and the detections for Spybot and Adaware before you run them, right?  




Constantly, Sethan, every day or two.

TalonClaw

  • Guest
Re: Sure I am being hacked?
« Reply #8 on: May 03, 2004, 12:43:55 pm »
Don't forget the new MS critical updates.  Otherwise this worm will just keep reinfecting your computer.

Sethan

  • Guest
Re: Sure I am being hacked?
« Reply #9 on: May 03, 2004, 02:04:27 pm »
Quote:

Quote:

You do update the antivirus signature files and the detections for Spybot and Adaware before you run them, right?  




Constantly, Sethan, every day or two.




OK - in that case, definitely run Hijackthis.  There are forums where people can post their results from the program and get help, too.

Some things to consider:

If your machine was infected by a virus or downloader trojan, either could have downloaded perfectly legitimate tools to your computer that allow remote control of your machine.  Spybot, Adaware, and Antivirus programs will not detect these tools as malware.

I would also suggest that you do a CTRL-ALT-DEL to bring up Task Manager, and then post a list here of all the applications and processes running.  We have a few people here that might be able to help spot anything out of the ordinary.  That said, not all of these will show up in task manager - but it is a good place to start looking.  Next time you see unusual activity on your machine, run Task Manager again, and see what is running then that wasn't before.

Also, check to make sure there are not unusual folders or files on your machine - things that you did not put there and are not part of your OS or other programs.

Assuming we can find and remove the thing on your PC, the next step is to change the passwords for everything you do online - and not all to the same password.  It is possible someone's database was cracked, and they used the password info from there to get into your other stuff.  Might not be a bad idea to change the passwords up front anyway - it might force whoever has hacked your machine into coming to look for passwords again - and if we can catch them doing it, we can see what they are using.

If we can't find what is on your machine, back up your data, then wipe the machine and reload it - change all your online passwords as above first thing on coming back up (or better still from another machine while yours is being reloaded).

Get a firewall - even if it is a free, software-based one like ZoneAlarm.

Clark Kent

  • Guest
Re: Sure I am being hacked?
« Reply #10 on: May 03, 2004, 06:27:16 pm »
I'm just curious, and hope I don't sound like a complete fool.  So long as the only things I've downloaded have been from reputable users on this forum (i.e. the d'deridex hardpoint editor), pics from friends of friends, and that's about it.  What are the odds that my system has or will be hacked over a dial up?  I'm not running any virus software, because the last time I had some on, my computer crashes skyrocketed to once every few minutes and the computer became all but completely inoperable.  This is a major problem, because my computer is constantly crashing regardless, has since almost day one.  Anything I should be on the lookout for?

CK

P.S.  I like Latinas...
....And apparently Asian ladies as well...

Pestalence

  • Guest
Re: Sure I am being hacked?
« Reply #11 on: May 03, 2004, 07:40:49 pm »
well, if you haven't adjusted your security settings, several web sites will sneak software on your system.. it is called hijacking...

here are some preventative methods..

use with what I posted above :


using IE :

to help prevent Hijacking Spyware :

hijacking Spyware is spyware that self installs toolbars to your browser, changes your search engine defaults, changes your home page, and possibly changes your DNS settings to route through a new source, or even tries to force you to use a new dialer instead of the one you are used to.

In IE there are ways to prevent Hijacking software... and ways to clean out hijacking spyware.

First, Right click on Internet Explorer icon and select Properties.

Click on privacy tab

click on Advanced tab and then put a check mark in Override Automatic Cookie Handling.. then set First Party Cookies to Always Accept, 3rd party cookies to Never, and check Always allow session cookies, then click apply...

this will eliminate 90% of new spyware cookies coming on to your system..

Now go into Security tab

click Internet in the box at the top and click Custom Level button.. first set everything to enable and click OK.. it will ask if you want to change the settings.. say yes.

now click custom level again and go through all the ones that say anything about Active X

for all of them that say Unsigned or Not Signed.. set to disable

the ones that state Signed set to Prompt

the ones that say not marked as safe, disable.

the one that says "Run Active X Controls and Plug-ins" and has an Administrator Approved setting.... set this to Enabled (otherwise some sites just don't work like Windows updates)

the ones that say marked as safe, set for Prompt.

click Ok and say yes to changing settings...

now what this does is that any page that uses active X controls will now have unsigned controls blocked (usually hijackers) and the ones that are signed it will ask for your permission to run...

now sites like Microsoft Windows Update are safe to run and is necessary otherwise you can't update your system

Other sites, you can take your chances.. i usually say NO unless the page looks funky or will not load, then I refresh the page and say yes...

Now with these settings, some sites will start popping up Install Verifiers asking do you want to install X software.. These things are 90% of the time the Hijacking or Spyware software trying to get on your system...

I would then go back into Internet Explorer and go to Security settings and click on Restricted Sites and add the site trying to install stuff on your system... this site will no longer be allowed to do anything but display information from the page .. you get No More Download boxes.


Spyware and Hijacking Removal :

There are 3 programs that I use to remove Hijackers..

First is Spybot search and destroy..

i let this run through and remove all the registry keys that are invalid along with files and folders added by the hijacking software..

when it finishes scanning, I only remove things that are red titled, nothing else.

after using it and removing the red titled spyware objects.. it may state unable to remove all objects.. at this time I would allow it to scan one time at system boot.. and restart system.

after it runs through again, and if no red objects come up.. then just close it down.. if red objects pop up, allow them to be fixed as well.

now when you're done doing this and back in full windows mode.. I like using Ad-Aware 6... this will catch items missed by Spybot S&D.. Check everything that Ad-Aware shows and remove them..

Always check for updates.. the updates come out like Virus Definitions.. once or twice a day...

once you have internet Explorer set with the settings above, all these things should ever find is 1 or 2 cookies.. no more than 5 in a week... Unless you say Yes to an active X control on a strange site by accident....

now if you have experienced a Hijacker software...

I use HijackThis.. it is a fantastic utility that scans IE settings and software running on your system and Active X controls...

if it lists anything for IE.. then remove them all.. (make note that you will need to reset your normal home page afterwards)

then delete the back up files...

now look through all the other stuff listed .. compare to what is in MSCONFIG Startup tab...

check anything not listed in MS Config ....

i would also check anything that says Quick time, real player, Real One, Sun Microsystems, Java, Jusched, and any unnecessary software not needed at system start up...

Now before clicking fixed... Look for Acrobat Reader Active X control in the listing.. this is needed to display Acrobat reader in your browser window...

also look for anti-virus.. if you are using antivirus from any company, make sure that all these are unchecked...

check anything that says Tool Bar except the Anti Virus tool bar

now at the bottom, you will see O16 - DPF .. these are the actual Active X controls.. there are only 4 that I know of that are safe...

Shockwave Flash Object

Shockwave Active X control

Macromedia Authorware Web Player Control

Update Class - http://v4.windowsupdate.com/cCAB/x386/unicode/iuctl.CAB?38096.5954282407


those are the only 4 items that should be left as they are safe ... anything else.. i can't say if it is safe or not.. and I would remove it.. if a site you go to requires a control you removed.. it will ask to reinstall.. that is up to you to do so..

also refer to the above posting for the guide to HijackThis for better instructions and methods.

once you click Fix Checked.. it will list all the items as backup files in the same area as HijackThis.exe.. select all the backups and delete them...

Now finally to get Internet Explorer back to default settings.. right click IE once again and go to Properties.. click on Programs.. Whether or not IE is your default search engine... you can check or uncheck for IE to check to see if it is default or not...

now click Reset web settings and click OK..

IE is now back in its default state free of hijackers...

Now I usually go into the Advanced tab and make sure of a few settings...

such as :

always send URL as UTF-8

Disable Script Debugging

Enable Install on Demand (internet Explorer)

Enable Install on Demand (other)

I uncheck Folder View of FTP sites

i check Use passive FTP (for firewall and DSL modem compatibility)

I check use HTTP 1.1 and Use HTTP 1.1 through Proxy connections

if you have Sun Java, make sure it is checked

make sure Microsoft VM Java Console and JIT Compiler are both checked..  uncheck logging

skip down to Search from Address Bar and choose which you like the best.. I prefer Display results and go to most likely site.

and at the bottom I have under security checked :

Do not save Encrypted pages

Empty Temp internet Files

Enable Profile Assistant

use SSL 2.0

use SSL 3.0

use TLS 1.0

Warn if submittal is being redirected and warn if changing between secure and non secure modes...


then i click Apply and OK..

Then i reset my home page.

now i can go into Internet Explorer, click on the search button.. and use customize and set up my search assistant and default search engine to what I want, usually Google.

Now hopefully, you will no longer need Hijack This... but the Spyware removal will be needed and should be used once a week...

and as a final thing just to keep the system clean... Registry Mechanic (paid version) will fix a lot of registry problems that may be on your system...

anyhow... just some suggestions to fix up your machine.. and it is a 1 time deal with exception of scanning for Viruses and checking for spyware once a week....

hope that this helps you all out... it will eliminate 90% of spyware getting on your system ever again, with exception of a few cookies which you eliminate once a week.
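
The O16 - DPF check described in the post above, as an added example that is not part of the original post: it reads a HijackThis log and marks each O16 entry "keep" if its name is one of the four the post lists, otherwise "review". It assumes the usual O16 line layout (CLSID, optional name in parentheses, download URL); the sample log is constructed, with placeholder CLSIDs and hosts.

```python
import re
from urllib.parse import urlsplit

# Control names the post lists as safe, spelled as the post spells them.
POST_ALLOWLIST = (
    "Shockwave Flash Object",
    "Shockwave Active X control",
    "Macromedia Authorware Web Player Control",
    "Update Class",
)

def _norm(name):
    """Compare names ignoring case, spaces and punctuation ("ActiveX" == "Active X")."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

ALLOWED = {_norm(n) for n in POST_ALLOWLIST}

# Assumed line shape: O16 - DPF: {CLSID} (Name) - download-URL  (name may be absent)
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>.*)\))? - (?P<url>\S+)$"
)

# Constructed sample log. CLSIDs and hosts are placeholders, except the
# Update Class URL, which is the one quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\EXAMPLE\toolbar.dll
O16 - DPF: {00000000-0000-0000-0000-0000000000A1} (Shockwave Flash Object) - http://download.example.com/swflash.cab
O16 - DPF: {00000000-0000-0000-0000-0000000000A2} (Update Class) - http://v4.windowsupdate.com/cCAB/x386/unicode/iuctl.CAB?38096.5954282407
O16 - DPF: {00000000-0000-0000-0000-0000000000A3} (Free Toolbar Installer) - http://cdn.example.net/install.cab
O16 - DPF: {00000000-0000-0000-0000-0000000000A4} - http://203.0.113.7/x.cab
"""

def triage_o16(log_text):
    """Return one dict per O16 entry with a keep/review verdict."""
    results = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections are out of scope here
        name = m.group("name") or ""
        results.append({
            "clsid": m.group("clsid"),
            "name": name or "(no name)",
            # Host the control was downloaded from; useful context for review.
            "host": urlsplit(m.group("url")).hostname,
            "verdict": "keep" if _norm(name) in ALLOWED else "review",
        })
    return results

if __name__ == "__main__":
    for entry in triage_o16(SAMPLE_LOG):
        print("%-6s %-28s %s" % (entry["verdict"], entry["name"], entry["host"]))
```

A name match only mirrors the post's rule; the download host printed beside each entry is there so an unexpected source for a familiar name still stands out.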
 

Clark Kent

  • Guest
Re: Sure I am being hacked?
« Reply #12 on: May 03, 2004, 11:57:51 pm »
thanks for the post, it was of great help.  

CK

P.S.  I like Latinas...
....And apparently Asian ladies as well...

TheBigCheese

  • Guest
The Plot Thickens
« Reply #13 on: May 04, 2004, 02:49:51 am »
I got a mailer delivery failure on my hotmail account.

Trouble is...

I never sent the mail!!!

I'll put it below, there were two exactly the same tried at different times.

-------------------------------------------------------

The original message was received at Mon, 3 May 2004 20:15:25 -0400 (EDT)
from dsl16-11-admiral.dwave.net [63.247.45.11]

*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery.  The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



   ----- The following addresses had permanent fatal errors -----
<dcihasky@aol.com>

   ----- Transcript of session follows -----
... while talking to air-yh04.mail.aol.com.:
>>> RCPT To:<dcihasky@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <dcihasky@aol.com>... User unknown
-------------------------------------------------------------------------
The Attachment :
-------------------------------------------------------------------------

Received: from  aol.com (dsl16-11-admiral.dwave.net [63.247.45.11]) by rly-yh06.mx.aol.com (v98.5) with ESMTP id MAILRELAYINYH66-7944096e0931f; Mon, 03 May 2004 20:15:21 -0400
From: stevejones596@hotmail.com
To: dcihasky@aol.com
Subject: Mail Delivery (failure dcihasky@aol.com)
Date: Mon, 3 May 2004 19:14:50 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
   type="multipart/alternative";
   boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
X-AOL-IP: 63.247.45.11
X-AOL-SCOLL-SCORE: 1:XXX:XX
X-AOL-SCOLL-URL_COUNT: 1
Message-ID: <200405032015.7944096e0931f@rly-yh06.mx.aol.com>
------------------------------------------------------------------------

Is this someone hacking my mail, they got Yahoo yesterday now they were using my hotmail account to send emails????  

Stormbringer

  • Guest
Re: The Plot Thickens
« Reply #14 on: May 04, 2004, 10:04:35 am »
that sounds like an older bug from a few months ago. Virus used for spammers to take over. Forgot its name.

Sethan

  • Guest
Re: The Plot Thickens
« Reply #15 on: May 06, 2004, 01:05:32 am »
Cheese - there are a number of viruses that will scan your computer for Email addresses and use them to send out Email using their own SMTP engines - so you would never know if your machine was sending out messages, except that it would be slow (due to the volumes of messages being sent by the virus).

Newer versions of these viruses also alter the source address - so the mail doesn't look like it is coming from you.  Someone with your Email address on their machine may have the virus, and the virus is changing the source address so the mails it sends look like they are coming from you (among others).

Finally, some viruses originally arrive in the form of a delivery failure message.
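
The altered-source-address point above can be checked against the bounce posted in Reply #13. The following is an added example, not part of any post in this thread: it compares the host that actually handed the message to AOL (taken from the Received line AOL itself wrote) with the domain in the From address. The header text is copied from the bounce; `base_domain` is a naive helper introduced here for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the returned message, copied from the bounce quoted in Reply #13.
RETURNED_HEADERS = (
    "Received: from  aol.com (dsl16-11-admiral.dwave.net [63.247.45.11]) "
    "by rly-yh06.mx.aol.com (v98.5) with ESMTP id MAILRELAYINYH66-7944096e0931f; "
    "Mon, 03 May 2004 20:15:21 -0400\n"
    "From: stevejones596@hotmail.com\n"
    "X-AOL-IP: 63.247.45.11\n"
    "\n"
)

# from <HELO name> (<reverse DNS> [<IP>]) by <receiving server>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
)

def base_domain(host):
    """Last two labels only; fine for .com/.net names, not a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse_returned_headers(raw):
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # The topmost Received line was added by the receiving server, so it is
    # the one hop the sender could not write themselves.
    m = HOP_RE.search(received[0]) if received else None
    if m is None:
        raise ValueError("no parsable Received header")
    hop = m.groupdict()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if base_domain(hop["rdns"]) != base_domain(from_domain):
        findings.append("connecting host %s is not a %s server"
                        % (hop["rdns"], from_domain))
    if base_domain(hop["helo"]) != base_domain(hop["rdns"]):
        findings.append("HELO name %r does not match the connecting host"
                        % hop["helo"])
    if msg.get("X-AOL-IP") not in (None, hop["ip"]):
        findings.append("X-AOL-IP disagrees with the Received line")
    return {"from_domain": from_domain, "connecting_host": hop["rdns"],
            "connecting_ip": hop["ip"], "received_by": hop["by"],
            "findings": findings}

if __name__ == "__main__":
    for finding in analyse_returned_headers(RETURNED_HEADERS)["findings"]:
        print(finding)
```

Both findings fire on the posted headers: the message reached AOL straight from a DSL address announcing itself as "aol.com", so the From address by itself is not evidence that the Hotmail account sent anything.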

TheBigCheese

  • Guest
Re: The Plot Thickens
« Reply #16 on: May 07, 2004, 03:01:30 am »
This should be stickied as there is some good advice here

last night someone logged in as me on messenger with my MSN ID ???

whilst I was on, it then crashed.

 

Sethan

  • Guest
Re: The Plot Thickens
« Reply #17 on: May 07, 2004, 11:00:27 am »
Cheese - stickied.  See above about task manager stuff and changing passwords.

TheBigCheese

  • Guest
Re: The Plot Thickens
« Reply #18 on: May 11, 2004, 02:06:29 am »
I've done all the suggestions and it seems to have worked so far,

thanks guys.  

Sethan

  • Guest
Re: The Plot Thickens
« Reply #19 on: May 11, 2004, 02:43:03 pm »
Cool - glad you got your machine back.