Shoutbox

Serious help. Hacked? - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Skype & Technology (/forumdisplay.php?fid=9)
+---- Forum: Tech Talk (/forumdisplay.php?fid=17)
+----- Thread: Serious help. Hacked? (/showthread.php?tid=87656)

Serious help. Hacked? by Vimto on 12-08-2008 at 08:57 PM

OMG HELP :|

As i was about to write this just then "Okay so i have a problem...", the whole text deleted itself and someone must have hacked into my laptop, because they deleted it and wrote "well it isnt really a big problem is it? i could make it disappear"

I'm really freaked out! I've turned my internet off temporarily, but gunna switch it on to post this.

It's kinda scared me, any ideas how i can get rid of this?


RE: Serious help. Hacked? by Voldemort on 12-08-2008 at 08:59 PM

k, download hijackthis here and post the log here asap


and post a screenshot of your task manager


RE: Serious help. Hacked? by Vimto on 12-08-2008 at 09:04 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:41, on 08/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\JADE\AppData\Roaming\kerne1.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo XI\Corel Paint Shop Pro Photo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcservicecall.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&home...{SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {AC141EAB-017D-4C14-D9BB-A3C284BD0F01} - C:\Program Files\InstallShield Installation Information\quzak.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kerne1] C:\Users\JADE\AppData\Roaming\kerne1.exe
O4 - HKCU\..\Run: [fab] C:\Applications\FabApplication.exe\
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\JADE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/VistaMSNPUplden-us.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows...layerInstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initia...eoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerSta...lient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7199 bytes


RE: Serious help. Hacked? by prashker on 12-08-2008 at 09:09 PM

Paste that in here

http://www.hijackthis.de/

You'll see a few things that you'll want to check and then click "Fix Checked"


RE: Serious help. Hacked? by Vimto on 12-08-2008 at 09:11 PM

Screenshot


RE: Serious help. Hacked? by Voldemort on 12-08-2008 at 09:13 PM

quote:
Originally posted by Vimto
C:\Users\JADE\AppData\Roaming\kerne1.exe
O4 - HKCU\..\Run: [kerne1] C:\Users\JADE\AppData\Roaming\kerne1.exe
you wanna check this out


END the process now (its on your task manager too), do an antivir/spyware scan,(if you don't want to or if its not detected then go send it to the recycle bin)
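
The items Voldemort points at here (and that Menthix says the hijackthis.de analyzer also flags) can be picked out of a HijackThis log mechanically: an autorun whose name imitates a Windows binary with a digit swapped in (kerne1 for kernel), executables started from a user-writable directory such as AppData\Roaming, BHOs whose DLL is gone, and Trusted Zone entries nobody added on purpose. The following is an added example, not code from the thread or from HijackThis: a small Python triage over lines in HijackThis v2 log format, run on a constructed excerpt modelled on the log above. The LEGIT_NAMES and TRUSTED_ZONE_ALLOW sets are assumptions for the example and should be tuned per machine.

```python
"""Triage HijackThis-format log lines for the entries the thread singles out."""
import re

# Legitimate Windows image names that malware likes to imitate (assumed list).
LEGIT_NAMES = {"kernel", "kernel32", "svchost", "explorer", "lsass", "csrss",
               "winlogon", "services", "taskeng"}
# Digit-for-letter substitutions used by look-alike names ("kerne1" for "kernel").
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
# Trusted Zone hosts the user knowingly added (assumption for this example).
TRUSTED_ZONE_ALLOW = {"toolbar.imageshack.us"}

EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: \w+://(?P<host>[^/\s]+)")

# Constructed excerpt in HijackThis v2 format, modelled on the posted log.
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\taskeng.exe
C:\Users\JADE\AppData\Roaming\kerne1.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [kerne1] C:\Users\JADE\AppData\Roaming\kerne1.exe
O4 - HKCU\..\Run: [fab] C:\Applications\FabApplication.exe\
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
"""


def lookalike(path):
    """Return the legitimate name a file name imitates, or None.
    'kerne1.exe' -> 'kernel', because the digit 1 stands in for the letter l."""
    stem = path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    normalized = stem.translate(HOMOGLYPHS)
    if normalized != stem and normalized in LEGIT_NAMES:
        return normalized
    return None


def user_writable(path):
    """True for locations a non-admin user can write to (profile, AppData, Temp)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or p.startswith("c:\\users\\")


def triage(log_text):
    """Return (kind, reason, line) findings for the suspicious lines of a log."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            fake = lookalike(line)
            if fake:
                findings.append(("process", f"name imitates {fake}", line))
            elif user_writable(line):
                findings.append(("process", "running from user-writable dir", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            path = exe["exe"] if exe else m["cmd"]
            fake = lookalike(path)
            if fake:
                findings.append(("autorun", f"[{m['label']}] imitates {fake}", line))
            elif user_writable(path):
                findings.append(("autorun", f"[{m['label']}] runs from user-writable dir", line))
            elif m["cmd"].endswith("\\"):
                findings.append(("autorun", f"[{m['label']}] malformed command", line))
            continue
        if line.startswith("O2 - BHO") and ("(file missing)" in line or "(no file)" in line):
            findings.append(("bho", "orphaned BHO registration", line))
            continue
        m = O15_RE.match(line)
        if m and m["host"] not in TRUSTED_ZONE_ALLOW:
            findings.append(("trusted-zone", f"unexpected trusted site {m['host']}", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:13} {reason:40} {line}")
```

On the constructed excerpt this reports five findings: the kerne1.exe process and its HKCU Run entry (both flagged as imitating "kernel"), the ContextTool BHO with its DLL missing, the [fab] autorun whose command ends in a stray backslash, and the mirarsearch Trusted Zone entry. Run against the full log it would additionally flag the remaining mirarsearch/getmirar zone entries and the quzak.dll BHO; it says nothing about whether kerne1.exe is Sub7, Lineage or something else, which is why the posters ask for a scan.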
RE: Serious help. Hacked? by Vimto on 12-08-2008 at 09:15 PM

I ended that process, but I'm still quite worried :\
He had this dialogue box thing up talking to me, how can I know its gone or not?


RE: Serious help. Hacked? by vaccination on 12-08-2008 at 09:16 PM

http://www.symantec.com/security_response/writeup...14-5445-99&tabid=3

Should help :P


RE: Serious help. Hacked? by Vimto on 12-08-2008 at 09:18 PM

:\


RE: Serious help. Hacked? by mezzanine on 12-08-2008 at 09:20 PM

kerne1.exe is Troj/Lineage-BS/Trojan-PSW.Win32.Lineage.lk.
Scan your computer with both an antivirus and a malware removal tool. For more details or if you want to do it manually, you can google for trojan removal instructions.


RE: Serious help. Hacked? by Quantum on 12-08-2008 at 09:20 PM

You need to install a firewall :P


RE: Serious help. Hacked? by matty on 12-08-2008 at 09:22 PM

quote:
Originally posted by Vimto
C:\Users\JADE\AppData\Roaming\kerne1.exe
Ahaha likely a Sub7 trojan. End the task firstly. Secondly as shitty as it is enable the Windows Firewall. Then you can start to post the log.

If you want to catch them then extract the .bat file to your desktop when they are connected (Windows firewall needs to be off) run the bat file and it will create a log file on your C drive and end the process so they are forced to disconnect. Then you can post the file here (C:\log.txt).

And we can maybe see whats going on :).

But thats my story.

The End.
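
The .bat matty refers to is an attachment and is not on this page. What such a script has to do is small: while the intruder is connected, record which remote address is talking to the suspect process and then kill that process so the session drops. Below is an added example of that procedure, not matty's file: Python using only the Windows built-ins tasklist, netstat and taskkill, with the parsing separated from the execution so it can be checked against constructed command output. The process name defaults to kerne1.exe (from the log above) and the output path C:\log.txt is the one matty mentions; the sample tasklist and netstat text is constructed, not captured from the poster's machine.

```python
"""Log the remote end of a suspect process's connections, then kill it (Windows).

Added example, not the .bat posted in the thread. Uses tasklist /FO CSV,
netstat -ano and taskkill /F /PID, all present on Windows Vista and later.
"""
import csv
import io
import re
import subprocess
import sys
from datetime import datetime

# One netstat -ano row: proto, local, remote, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")

# Constructed sample output (not from the poster's machine). 203.0.113.7 is a
# documentation address; 27374 is Sub7's default server port.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1448","Console","1","21,532 K"
"kerne1.exe","2412","Console","1","3,456 K"
'''
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.5:1057       203.0.113.7:27374      ESTABLISHED     2412
  TCP    192.168.1.5:1061       93.184.216.34:80       ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    1056
'''


def parse_tasklist_csv(text):
    """Map lower-cased image name -> set of PIDs from `tasklist /FO CSV` output."""
    pids = {}
    for row in csv.DictReader(io.StringIO(text)):
        pids.setdefault(row["Image Name"].lower(), set()).add(int(row["PID"]))
    return pids


def parse_netstat(text):
    """Parse `netstat -ano` output into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conn = m.groupdict()
            conn["pid"] = int(conn["pid"])
            conns.append(conn)
    return conns


def connections_for(netstat_text, pids):
    """Established TCP connections owned by any of the given PIDs."""
    return [c for c in parse_netstat(netstat_text)
            if c["pid"] in pids and c["state"] == "ESTABLISHED"]


def build_log(image, pids, conns):
    """Human-readable record: timestamp, suspect image, its PIDs, and each peer."""
    lines = [f"{datetime.now():%Y-%m-%d %H:%M:%S} suspect image {image} pids {sorted(pids)}"]
    for c in conns:
        lines.append(f"  {c['proto']} {c['local']} <- {c['remote']} pid {c['pid']}")
    return "\n".join(lines) + "\n"


def run(args):
    """Run a command and return its stdout (raises if it fails)."""
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "kerne1.exe"
    pids = parse_tasklist_csv(run(["tasklist", "/FO", "CSV"])).get(image.lower(), set())
    conns = connections_for(run(["netstat", "-ano"]), pids)
    with open(r"C:\log.txt", "a", encoding="utf-8") as fh:   # log first, kill second
        fh.write(build_log(image, pids, conns))
    for pid in pids:
        subprocess.run(["taskkill", "/F", "/PID", str(pid)], check=False)
```

The order matters: write the log before killing, because the connection disappears with the process. Writing to C:\ needs an elevated prompt on Vista, and killing the process only ends the current session; the Run key that restarts it at logon (the [kerne1] entry in the log) still has to be removed, which is what the scan and the later posts deal with.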
RE: Serious help. Hacked? by Menthix on 12-08-2008 at 09:26 PM

Do what Sam suggested, because pasting your log in that site shows more dodgy processes than just that single one.


RE: Serious help. Hacked? by Mike on 12-08-2008 at 09:27 PM

Interesting case...
My guess is that he is a stalker who is spying on you :P

Seriously now, get a firewall like Quantum said (Comodo is a good one and free too)

quote:
Originally posted by Vimto
the whole text deleted itself and someone must have hacked into my laptop, because they deleted it and wrote "well it isnt really a big problem is it? i could make it disappear"


You should have told him to fix it :P
RE: Serious help. Hacked? by Jarrod on 12-09-2008 at 03:00 AM

if it is sub7 http://virusall.com/remsubseven22.shtml


RE: Serious help. Hacked? by TheSteve on 12-09-2008 at 04:35 AM

I would recommend disconnecting the internet (physically if required). Then killing the program.


RE: Serious help. Hacked? by Vimto on 12-09-2008 at 08:34 AM

I had to go off from the internet, they started controlling my mouse and stuff like that, pissed me off! They've deleted loads of files :s
Everytime I tried to go onto a site to download a firewall and stuff they were closing the windows. :@
Nothings happened so far this morning, i ran a virus scan and found some trojan files and removed them.
I'm taking my laptop into a repair shop just in case though.
Thanks everyone :)


RE: Serious help. Hacked? by Mike on 12-09-2008 at 08:43 AM

Don't you have access on another computer to download the firewall on a flash disk/CD/etc ?


RE: Serious help. Hacked? by Jarrod on 12-09-2008 at 12:17 PM

quote:
Originally posted by Quantum
You need to install a firewall :P
i refuse to waste my system resources on such a nagging piece of turd, i even turned off windows firewall:P
RE: Serious help. Hacked? by prashker on 12-09-2008 at 12:21 PM

Nod32 Smart Security ftw


RE: Serious help. Hacked? by alegator on 12-09-2008 at 01:02 PM

If you want to be 100% safe I would format the drive and do a clean Windows installation with a good firewall/AV (Norton Internet Security is a good one).


RE: Serious help. Hacked? by vaccination on 12-09-2008 at 01:10 PM

quote:
Originally posted by alegator
If you want to be 100% safe I would format the drive and do a clean Windows installation with a good firewall/AV (Norton Internet Security is a good one).
No. Unnecessary hassle

The av would remove it perfectly fine. If you want to remove it manually just delete the exes and remove the registry settings, and the call made to the exe in the shell as mentioned in the link I gave earlier.


---
Would everyone please stop repeating everything already said too? Thanks.
RE: Serious help. Hacked? by ShawnZ on 12-10-2008 at 12:27 AM

quote:
Originally posted by Vimto
I had to go off from the internet, they started controlling my mouse and stuff like that, pissed me off! They've deleted loads of files :s
Everytime I tried to go onto a site to download a firewall and stuff they were closing the windows. :@
Nothings happened so far this morning, i ran a virus scan and found some trojan files and removed them.
I'm taking my laptop into a repair shop just in case though.
Thanks everyone :)

...well, did you close kerne1.exe? and they were still able to control your computer?


also, how do you know they deleted files?
RE: Serious help. Hacked? by Curtis on 12-10-2008 at 12:52 AM

quote:
Originally posted by ShawnZ
quote:
Originally posted by Vimto
I had to go off from the internet, they started controlling my mouse and stuff like that, pissed me off! They've deleted loads of files :s
Everytime I tried to go onto a site to download a firewall and stuff they were closing the windows. :@
Nothings happened so far this morning, i ran a virus scan and found some trojan files and removed them.
I'm taking my laptop into a repair shop just in case though.
Thanks everyone :)

...well, did you close kerne1.exe? and they were still able to control your computer?


also, how do you know they deleted files?


I'm guessing this is all being done by remote so he either watched him delete them or he went to open the file and it wasn't there.
RE: Serious help. Hacked? by albert on 12-10-2008 at 01:39 AM

Did you try logging into safemode? Can they control the window in that mode too?

quote:
Originally posted by vaccination
quote:

Originally posted by alegator
If you want to be 100% safe I would format the drive and do a clean Windows installation with a good firewall/AV (Norton Internet Security is a good one).

No. Unnecessary hassle
I don't know, when stuff like that happens, I always reformat, just to be sure everything's gone. If one thing passed by, another probably did as well, and although the cleaners usually do an ok job, you need the cleaner to detect it, which gets a little harder.
RE: Serious help. Hacked? by Adeptus on 12-10-2008 at 04:07 AM

quote:
Originally posted by vaccination
No. Unnecessary hassle
Formatting is not "unnecessary" by any means here and definitely the best idea yet.

This is different from a regular malware infection because there obviously is an individual actively controlling the machine.  Who knows what other backdoors they have set up by now and what else they have installed that the virus/spyware scanners have no clue about.

Although it sounds like this might be the doing of someone Vimto knows (most random "hackers" wouldn't be interested in revealing they have control of the computer) and it is a personal computer, this is a full-blown security compromise and the only true and proven response to that is wipe and format.  She could physically disconnect the computer from the net long enough to back up non-executable data files, but format is the only way to be sure this machine will be trustworthy ever again.

RE: Serious help. Hacked? by vaccination on 12-10-2008 at 08:15 AM

quote:
Originally posted by Adeptus
quote:
Originally posted by vaccination
No. Unnecessary hassle
Formatting is not "unnecessary" by any means here and definitely the best idea yet.

This is different from a regular malware infection because there obviously is an individual actively controlling the machine.  Who knows what other backdoors they have set up by now and what else they have installed that the virus/spyware scanners have no clue about.

Although it sounds like this might be the doing of someone Vimto knows (most random "hackers" wouldn't be interested in revealing they have control of the computer) and it is a personal computer, this is a full-blown security compromise and the only true and proven response to that is wipe and format.  She could physically disconnect the computer from the net long enough to back up non-executable data files, but format is the only way to be sure this machine will be trustworthy ever again.
I highly doubt it's a pro 'hacker' though, more than likely just a ex-friend who found out about it and wants to scare/piss her off. Most hackers don't try and remote control all their victims and then talk to them =p

RE: Serious help. Hacked? by Jarrod on 12-10-2008 at 11:39 AM

my advice, use a router


RE: Serious help. Hacked? by Wally on 12-10-2008 at 12:46 PM

Just save yourself all this trouble and format. Although you might be able to figure out what it is, at the end of the day your pc has been infected. i know from experience, i know how these people hack and if this is what i think it is he has injected a single script or file that cannot simply be seen or removed, and you're never gonna feel safe until you format. i always say once your pc is infected you can never totally get rid of it.

also by "cannot be removed" i mean if he has injected this file into one of your critical system files you can't afford to delete it because it will cause windows not to run.


RE: Serious help. Hacked? by ShawnZ on 12-10-2008 at 01:14 PM

quote:
Originally posted by Adeptus
format is the only way to be sure this machine will be trustworthy ever again.

but what if they wrote malicious code to the bios!1
RE: Serious help. Hacked? by foaly on 12-10-2008 at 01:19 PM

quote:
Originally posted by ShawnZ
quote:
Originally posted by Adeptus
format is the only way to be sure this machine will be trustworthy ever again.

but what if they wrote malicious code to the bios!1
Or in the firmware of your display?
RE: Serious help. Hacked? by matty on 12-10-2008 at 03:19 PM

It is a Sub7 trojan. It allows a user to externally connect and perform actions on your computer. Removing the server application from the PC will resolve the problem.

http://en.wikipedia.org/wiki/Sub7

wally please learn the difference between a virus and trojans. A virus spreads and deletes files. Trojans open backdoors to the computer (a server) to allow others to connect. The trojan does no harm nor infects files. There is no need to actually format and reinstall Windows in this case.


RE: Serious help. Hacked? by Vimto on 12-10-2008 at 04:16 PM

I'm a complete dunce when it comes to computer tech talk!

But I think it's what matty said, I've just read up on that, sounds about right. It hasn't happened again yet.

:) Thanks again though!


RE: Serious help. Hacked? by wj on 12-11-2008 at 01:07 AM

quote:
Originally posted by matty
The trojan does no harm nor infects files. There is no need to actually format and reinstall Windows in this case.

You have to be careful with that, a Trojan can act like a rootkit where the file is no longer visible to the user or many anti-virus/malware programs and still run in the background. In some cases formatting is usually the only option (without extensive work and specialized tools).

In this case, it's just someone screwing with you and the solution of removing Sub7 will work. But for a few good practices:

- Get a good antivirus program installed, If you want one for free check out Avast.
- A firewall is a must in this day and age. Software or hardware, most home routers have a basic firewall built in and that is really all you need. Just make sure it's turned on and you are not in the DMZ.
- Be careful who you let play with your computer.

If you ever do run into a nasty bit of malware, Try malwarebytes to get rid of it.
RE: RE: Serious help. Hacked? by Wally on 12-11-2008 at 06:51 AM

quote:
Originally posted by matty
It is a Sub7 trojan. It allows a user to externally connect and perform actions on your computer. Removing the server application from the PC will resolve the problem.

http://en.wikipedia.org/wiki/Sub7

wally please learn the difference between a virus and trojans. A virus spreads and deletes files. Trojans open backdoors to the computer (a server) to allow others to connect. The trojan does no harm nor infects files. There is no need to actually format and reinstall Windows in this case.

ok it doesn't have to be a sub7 trojan in particular, sub7 is a RAT program (Remote Administration Tool). there are a lot of these applications, not just sub7, and i never said she could have a trojan or a virus, even though these kinds of applications are trojans. i know the difference.:dodgy: some keyloggers which are in these rat programs are injected into critical system files, and the keylogger i know and use can be hidden from the task manager processes. but yes, deleting the server application will resolve the problem, but even if you did, you will have to figure out what the server installer is, because the server made from these applications can be bound with any file and look like anything out of the ordinary, so i say just format. there are so many reasons why she should just format.

also wj's advice has my vote :)