I'm being spied on!!

A while back when I was on "dial-up"on more than one occassion I was "hacked". This person knew exactly what he was after and went straight to my sensative files and deleted most of them. All that was left was empty pages. This definitely happened via the net - not some nasty so and so sitting physically in front of my PC. So now I have a router / modem.

He / they are at it again. I have good reason to believe that he / they can read all I am typing - remotely. My AV and antispyware have not picked up anything. But I know something has been going on.

What software is best protection specifically for this?

 

Hello,
Unplug the Internet line.
Full format.
Install again.
Mrk

 

Yes, Mrk is correct! (again).

When you have reinstalled, make sure all your user id's and passwords are completely changed and changed frequently. Ensure these id's and psw's are maximum strength allowed by each account. Your router also has a id and password to be maximized. FF has an ad in you can use for generating passwords.

I happen to use Roboform so I made a few for you to see what they look like. Don't use these of course :

pLn15Rgq bit strength 47, 8 characters

lnUnqID9KfnjsREO bit strength 95, 16 characters

VRxYGq5G3DwxO48rt23VH61P9IJsaqmU bit strength 190, 32 characters

If you include special characters

fpzR!bfiW26HSpnNA$@sOjSYrE*%Ne3j bit strength increases to 196 on 32 characters.

I strongly suspect this hacker is someone who knows you personally and you are not their favorite person. Hope I'm wrong.

If you use your PC for banking and ordering products, alter your bank and change ALL your account numbers.

Good luck

 

After you have reformatted, reinstalled and reset your passwords you can begin to get "better software" right now it isn't even safe for you to order products unless you buy them at the local store. If you went ahead looking for only a software solution it would be a serious error since the Key logger will Know what you have done software wise!

IMHO, (until Mrk publishes his findings) you need:

1. router
2. software in/out firewall
3. strong AV
4. strong ASW
5. CCleaner
6. hardened OS
7. maximun strength passwords and user id's
8. strong backup regime
9. extra on demand AV's, ASW's ,RKR and KLR's.

 

Hello
Off Topic, Escalader, what do you prefer: empty logs or another fine Linux article?
On Topic, I have written a guide to installing Windows XP from scratch. You might wanna try that. Link in the sig.
Mrk

 

Reformatting is enough? I still doubt.

 

when you reinstall windows, the option is there to wipe the disk so that all you are left with is windows itself.

If you want to be super clean you could use one of the many cleaner tools out on the market that overwrite the sectors with random 0's and 1's.

You could use web root cd bootable eraser or it's equivalent that completly wipes th drive prior to selling or donating your pc.

Then install from scratch.

It depends on ones level of fear.

 

Dismantle the keyboard and reflash your BIOS and each ROM of your devices

 

Several posts removed that were totally off topic to the discussion and suggest either a PM chat or placement in a more appropriate thread.

Bubba

 

If you have a firewall that logs all Network activity, you may be able to see an IP address of the person connected to your PC (although I'm not certain of this).

Anyone have any other ideas to confirm a hack ?

 

Id consider motive
as a simple malicious prank deleting files is pretty juvenile.
Someone in it for the money wouldnt do that, attempting to remain under the radar as much as possible. But someone with a grudge might do that, and have the tools to remotely penetrate the system. Id think its either a (rare) random script kiddie in it for the thrills or someone thats targeted you. In both cases tightening up the security would likely keep them out, but any physical access even for a minute or media passed or stored could put you back to square one again with someone determined to make your life more "interesting"

Id vigorously scan your stored data\backups before trusting it again.
And look hard at the aps youve got currently installed.
Determining how, might point to who.

 

I see something called a snoopstick USB device in a computer store the last time I was in one. I've seen these hardware keyloggers usually online or from specialists but see this in the store as a parent/boss aid in spying. What I mean to say is it doesn't have to be happen while online. If someone you know/don't know has had access to the machine they could install software/hardware keylogger.

 

I agree . Tisatashar , you'd better format your hard drive (FULL format) and then reinstall Windows . The first thing after the format/reinstall you should do is to ENABLE your firewall . Never connect to the net without a firewall !

You now have a router , make sure at least NAT is enabled . You'd better have the modem with dynamic IP so that your IP changes everytime you restart your modem . If you have static IP , contact your ISP to change the IP or make it dynamic .

You can read a brief description about (re)installing Windows here

 

Formating is highly over rated in my opinion since it often leads to an increadibly costly "Temporary" reprieve of the problems.
It is also the "All Purpose solutions of those who have no clue.
System ignorance is the true cause of problems. Investigate every single process and services running. Do a google search on each one until you know you are running all clean programs. Here is a bit of possible help to do all this I wrote in another post:

I would run Autoruns to research and scope auto loading process and services, BHO's etc... and use Process Explorer to research the functioning process in more dept and see their actual resource use and impact... You can find those tools free from www.sysinternals.com.

When you find a process or a service you don't recognize or that you suspect but you're antivirus/antispywre doesn't recognize don't panic. Symply put it through a multi engine virus scan. Virus total for example uses 15 different anti virus engines sequentially to scan the file. Just upload youre suspected file to the following site: http://www.virustotal.com/en/indexf.html the upload link is in the upper right corner!
You can also continue your search for info on the file at www.processlist.com or www.processlibrary.com they are decent database with useful info on many processes and services.


I would use Rootkit hook analyzer 2.00 from www.resplendence.com (It's quick and shows most kernel hooks.) You can then go back to process explorer to continue digging.

You want to make a backup of your registry with a tool that can do a registry comparative later and immediately pinpoint hostile modifications as well as restore previous registry entries (If you have backups).
You can use Advanced Registry Tracer for this from http://www.elcomsoft.com/art.html

This here is most important if you think you are being monitored: You want to monitor anything using any kind of network resources from or to your host pc since trojans and rootkits love using the network to bring in more viruses or phone home and open a doorway to the hackers. You need too look for which processes are "Listening" and on Which "Port" and at which "Remote Address" if any. You can use TCPView for this also from www.Sysinternals.com

I favour PortExplorer from www.DiamondCS.com since it provides far more powerful tools as well as being able to capture transactions for later analysis. It is also easier to quickly pinpoint suspicious activity with PE. In any case an "End Point" viewer may save you a lot of grief!!!

Also you should clean the registry of all clutter and empty all temp folders and directories on your PC. (A great many viruses and spyware hide in Temp folders so cleaning them daily greatly reduces problems with many minor infections...) You can use www.ccleaner.com for this.

Word for the Wise "Defragment Daily!!!"

This should keep you busy learning for a while!!!

 

1. assumes you can detect a rootkit
2. assumes a constant connection


if your rootkit detector is behind the curve of the constant development war you have a problem, if you dont find a rootkit is it there and undetected?
If the connection is intermittent detecting it is more labor intensive than a reformat. Further port scanning would be defeated if a port knocking strategy was adopted. While you could setup Snort as a man in the middle again labor intensive.

Which is why last year Microsoft admitted that a bare metal restore was a best practice in these cases. Id reached that conclusion earlier that year after spending an inordinate amount of time getting rid of an undocumented CWS varient on a clients box.

Defeating it can become a matter of pride, but certainty is hard to come by. It might be worth a shot if you can quickly locate the probable infection, but if not its going to be a better investment in time to start over and be sure.

Which is why I install, secure, benchmark, seperate the aps\OS from the data and image a known clean state on all the boxes I do these days. Making a recovery painless. Its fun to disrupt an infection and dig it out but its getting harder and harder to do with 100% level of confidence the box is actually clean. Its worth doing to determine how a subversion occurred if its your own security lineup that was broken, but on a marginally secured box whats the point? Start over and spend the time hardening it.

not that everything you just outlined isnt worth learning and practicing of course

 

I agree fully with "Best Practice" approach. However I have rarely encountered systems that actually did need a reformat. I do ear about people formating disks for insignificant issues all the time... Really the main problem we encounter day to day is due to ignorant users incapable or unwilling to harden their system. (Mostly from the "Unwilling" category I believe). Formating works great when you have all the applications disks on hand, and all your data is on backups. One of the issues with formating is you have not really removed an embedded threat until you actually Fdisk the partition and recreate a new one then format. Many users find this concept, well... inconceivable.

Another problem is most users are left with "Really" unprotected systems after a re-install. Consider this: Win Xp SP1 = No firewall and then you need to go online in that state to get updated and must go through all the activation/validation without current patches or service packs. and find/update all your other applications and utilities. Not to mention restoring your data (after cleaning it).

Then they need to harden it. Truth is Joe Average will not bother with half the first part. They will re-install often without reformat. and start using it right away. Not enough time or expertise they will claim...

That is my personal experience with formating. People get infected within hours of it because they now go online with completely unprotected systems. Keep in mind not everyone is a "Security or Systems expert" like we are...

What I actually recommend users do is use a disk imaging software instead. Create a disk image of a clean and fully configured version of your disk with all the updates and service packs installed. Then copy this to a new spare hard disk drive, or DVD (if its small enough to fit) and use the copy for day to day operations and keep the original in case you need to "Reformat" Then when the moment comes you need it you simply backup your existing data and then replace the disk with the "Clean" image. Then you copy the Original Image over the old infected one and restore your backups and Voila! all problems fixed... and you still have a ready copy of the image to work with next time!!!

For example I keep my images on external USB 2.0 based Hard disk drives.

You can use Farstone Drive Clone to do this. http://www.farstone.com/software/driveclone.htm

Still I would always consider not giving up on the attempts to figure out and clean out infections. No matter how tedious and difficult that job is. Even if in the end one has to rebuild everything up. I say this because it is the only actual way to figure out how one must and can protect themselves. Rebuilding blindly doesn't do much to prevent or pre-empt anything...

Also of importance: It is not because Microsoft said something that it is necessarily the ultimate truth on the topic. Mostly as regards security Microsoft has failed lamentably in the demonstrative areas and they are certainly not the "Leader" on security...

 

Exactly thats the real safe way

 

couldnt agree with you more. For personal and even wannabe power users

But having followed the rootkit wars between Holy Father & parties unknown vs Mark Russinovich, pjf_, ect. its getting pretty damn hard to be definitive or even reasonably sure about any box I havent personally benchmarked & secured before. So generally I simply start over build a layered defense for it, benchmark it and send it on its way (with a few courses for my friends\clients on secure operations) On average it takes about two years before they screw it up again.

Ive started to incorporate virtualization\sandboxing (with client instructions on employment) and think thats going to extend the secured period further. But Im still telling them that if they screw it up the best course is for me to reimage it back to the day I gave it to them after I try to figure out what it was they messed up with and address it.

all too true which is why I developed a checklist for forummates long ago about how to secure before connecting to the big bad intraweb

PS
I dont consider myself a security "expert" just reasonably intelligent and fairly well informed, informed enough to know how ignorant I truly am. If I was an security expert Id at least be a programmer capable of assessing malware directly.

and now for something not completely different
Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments. (Google cache) Winner of the 2000 Ig Nobel Prize for Psychology

when you contemplate its implications to otherwise intelligent people you might know that are oh so wrong when they stray outside their own true fields of "expertise" it is aptly qualified for the award "that first makes you laugh, then makes you think"

 

Hermescomputers: That's why i want to reformat and reinstall Windows SP2: i only do it once, configure it, and image it. I'll do it in February or something... There are things that don't tick very well. Instead of loosing time with it all, it's simpler to do this.

Not everyone wants to be a computer expert. Just enough understanding, and a practical approach to use the computer. This is far simpler and safe.

Unwilling, yes. They want to live their lives . It's different for you and possibly me, because you enjoy the learning of how computer software works, and it's probably your job too. Good advice is imaging, which i see you already give.

 

One of the things you may also want to add, depending on which firewall is used, is to clear out your components list at the start or end of a session. Outpost 4 and ZA 6.5 both make use of component monitoring and alert you when a component tries to establish an internet connection.

 

Personally I prefer a HIPS to do this (HIPS = Host Intrusion Protection System). A HIPS provide a more complete set of controls over internal primary as well as many subsystems. I personally use www.GhostSecurity.com GSS (AppDefend as well as Regedefend) This provides all the applications network controls needed for me. I know that GSS is a work in progress but used properly in the end it does a pretty decent job.

 

I was merely making acknowledgment based on our little discussion. Keep in mind I often perhaps improperly use my own customers label for me "I am a computer Professional" they call me expert. An opinion and perhaps I may have obfuscated the meaning by using the wrong term!!!

 

forums like this always have far more lurkers than participants and those of us that are more extroverted and opinionated do well to have a little voice in the back of our head saying Memento mori, memento mori lest we forget the relative nature of our understanding.

it wasn't an observation leveled specifically at you
( but you did provide a perfect opening for it )
Im as guilty of that particular sin as any

 

Thanks for the advice you guyz

Now that I'm clean again I'd like to stay that way. To stop someone remotely reading my PC what's the best way to 'defend' myself?

Here's what I've got now;

Router / modem for ADSL
NOD 32 (2.7)
LnS (outbound control - running on 'factory' settings)
CyberHawk

On-Demand - none active:
AvGas
Superantispyware
NoAdware

RegSupreme
TuneUp
CCleaner

Is there benefit in replacing the no frills LnS with say OuyPost or Comodo (remebering I've got a router)?

What about SSM or DSA or Privx?