Physically Hacked/Unknown Trojan!

Discussion in 'malware problems & news' started by BairbreJ, Nov 3, 2005.

Thread Status:
Not open for further replies.
  1. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005

    First of all, thank you to anyone who takes the time to read this and
    respond. Warning, this is long but I have a bizarre situation here and
    it will take a bit to explain it all.

    I have what acts like a trojan/worm/virus but no scanners are detecting
    it. I've tried every online scanner I can find. I have had my HijackThis
    log checked at GeeksToGo and they say it's clear. Nevertheless, my
    PC is constantly being invaded and it's all I can do to keep it going
    and *under MY control*.

    I have a Dell Dimension 2400 almost a year old running WINXP Home. A
    few months ago I was physically hacked. At that time I did have a
    trojan. The win32.paradropper. AVG caught it and GeeksToGo helped me
    with the rest.

    However, ever since then I've had nothing but problems. I've
    done several (actually more than several) clean re-installs of the OS
    and from what I can tell by looking at the services logs (I'm NOT a PC
    whiz by ANY means), it looks to me as if a program is being run that
    installs a network on the machine. There are two accounts that are
    created, Help Assistant and Support_xxx (the xs are a series of numbers)
    and *then* the Owner account.

    I know that these are accounts created by MS and then disabled so I
    suppose that that's not too surprising. However, in the past I have
    had both of those accounts pop back up in the logs for a brief period of
    time. Both the owner and safe mode administrative account have been
    hijacked on separate occasions even though both had very strong
    multi-phrase passwords.

    I even paid a pro to scrub the hard drive about a month ago to no
    avail. Since then I decided that as far fetched as it might seem that
    *maybe* the fax modem (I have DSL so don't even use a modem) I had
    disabled several times and the wireless configuration services I had
    also disabled repeatedly that kept re-enabling themselves might be
    connected so I totally uninstalled the fax modem and it mysteriously
    reinstalled itself. **WHOA!** I went poking around in the registry
    googling all the software and sure enough I found software for something called Staccato that could be a wireless modem. WTH? It might also be a microprocessor chip *for* something wireless. I dunno...

    I unseated the modem altogether but of course that didn't solve my
    problems either. The very next day all hades broke loose. By this time
    I had all kinds of system monitoring software installed and sure enough
    Sysinternals Autorun showed a modem failure analysis (a different word
    was used but I can't recall it at the moment) the next day. I don't
    think I really believed it was a wireless modem until that showed up.
    I'm not sure I still do. How the hell would something like that work if it was?

    Then one by one every program on my system became inoperable.
    Eventually, that necessitated a complete re-install and of course that
    didn't solve my problems either. It has just settled things down to a
    dull distant rumble instead of a constant all out war. The most interesting incident during this episode was the attack on my firewall. To make a long story short, I had to reinstall it twice and tinker around with the registry to get it to function properly and during the process I was reading the Sysinternals Process Explorer dll logs which were communications from Sygate. I didn't understand most of it but I sure understood the words warning and trojan. They mentioned something about Nimbus which I googled but quickly got overwhelmed by since that seems to be a generic term. I saved a few of the logs in case they would come in handy.

    According to Sysinternals TCPView when the system is disconnected from
    my DSL 2wire Gateway Router cable, alg.exe is listening at TCP port 1025, my anti virus, AVG, at 10110, and system 4 (what is that? o_O) is listening at 445. When I am connected, system 4 also listens at UDP port 139. I have a
    svchost.exe listening at TCP port 135. My firewall, Sygate, is "attached" to ports 1026 and 1027 and system 4 is "attached" to 137 and 138 but they have never been listening or established to my knowledge.

    Night before last something weird was going on (damned if I can remember what now, weird is SOP around here) and I was checking something out in safe mode and ended up in the hardware devices in the control panel for some reason and lo and behold I noticed there are all these icons for a whole bunch of WAN devices listed under the icon where my DSL icon is that I had never seen before. Well, I thought, that's whacked! I don't even know what WAN devices are! And then I notice that there is another **NEW** listing in hardware devices that I had never seen before either for Non Plug and Play Drivers some of which I recognized but some of which I have no clue about.

    I scurried back to regular mode and checked to see if I could bring that stuff up and sure enough there is a show hidden devices thing (why does Microsoft set up this stupid crap that makes it so damn easy for hackers?). I don't even know what this stuff is! So I started googling but hell, I still don't know much more than I knew before I started. I'm a 15th Century English Lit Major (some 20 years ago BTW...urgh...). Talk about being out of my league with the language here... Oh my! I get headaches and my eyes glaze over reading this stuff.

    It was getting late so I decided I would just experiment with the WAN stuff and disable it all, reboot and see what happened. If I still had an internet connection then cool. If not, then OK, my bad, I could re-enable it. It was all cool so I went to bed and came back yesterday all set to do battle another day. When I went to google the other stuff, I didn't have any access to the Control Panel or My Computer! I tried to do a restore and of course, there were no restore points beyond yesterday.

    Gee, I wonder why? sigh... Time for another windows repair, rinse, repeat. This is just a small taste of the craziness I have been contending with trying to get this PC back under my control and operating normally. I have attempted to get help with this in the past and had my attempts to post blocked; my PC completely taken over and rendered inoperable so that I had to re-install my OS; and then I would think it was under control only to have it start all over in a few weeks after I had gotten everything back in place again.

    It took more than a little fiddling around to make this post. I tried to sign into my account yesterday but my password would not work so I had to send a request for a new one. When it it came through, my email (I use the sbc yahoo based stuff) mysteriously went on the fritz. Then I was googling some things so I would make more sense as I was talking to y'all and my browser went belly up.

    Basically I had an internet connection but no browser to work with. *huffy sigh* I am getting smarter about this crap though and this time I just uninstalled my Explorer and reinstalled it. HA! It worked! And what do you know, my email wasn't on the fritz either. But talk about being jerked around!

    Does anyone have any suggestions about where to go from here? I have little to NO money to spend on this but lots of time so it's got to be do-it-yourself. Any ideas about why the clean re-installs aren't clearing this bugger out? I recently "reset" the BIOS to factory defaults and did a clean re-install so it can't be that. Would doing another hard drive scrub be worth the bother? I've been reading about that and I'm sure I could take that on myself. I can't believe I paid someone $100 to do it for me!!!

    Whew! Thanks in advance for reading all of this and for answering! I really appreciate your time and efforts.


    edited to add: sorry about this funky formatting. I wrote this in notepad and it didn't translate so well.
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    You're talking about re-install?
    Did you only reinstall or did you FORMAT and then install?
    Because some viruses can survive hiding in the boot sector, therefore you must destroy the partition and create anew.
    From what you tell, your computer sounds messed up and you're certainly not helping. Installing, uninstalling etc., not a good idea without a clear goal in mind. So first, do tell please if you only reinstalled or did you also format?
  3. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello MRK,

    Yes, I did a complete reformat when the reinstall disk asked. The long one. Is there another kind?

    edited to add: OK, I just googled this. I had no idea about anything like this. Cool! Thanks!

    Last edited: Nov 3, 2005
  4. AvianFlux

    AvianFlux Registered Member

    Dec 7, 2004
  5. StevieO

    StevieO Guest


    I'm presuming that we can eliminate you having any pirated/cracked software on the PC ?

    Also I wonder if you have your Browser/PC securely locked down. You should at the very least set ActiveX/Scripting/Java to Disable or Prompt in Tools/Internet Options/Security in IE. The link that AvianFlux gave will help too.

    It sounds like you maybe could have been visiting some sites And/Or clicking/downloading things through possibly emails or other sites, that have taken advantage of the low security settings. Nasties often make use of those settings to install all manner of things. I expect this explains how you were infected with that Trojan !

    After the Reformats etc did you have a Firewall installed and Properly set up BEFORE you attempted an internet connection ? Did you then immediately go to MS Windows Update and install ALL the Security/Critical patches etc before surfing anywhere else ?

    I would suggest doing an fdisk including Deleting the Partition/s, then Creating a fresh one/s making them Active, and then Reformat/Reinstall. After that follow my above advice before doing anything else.

    What other security software do you have in place other than AVG ?

  6. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello Mrk,

    Thanks again for your time and help.

    Well, that was an interesting excursion into unknown territory. I deleted my C Drive and an **E Drive**! I don't have two hard drives! What the heck is an E drive doing on my machine?

    Then I reformatted, got my antivirus and firewall back in place and came back and started all over again. No sooner than I got back here and started looking at what the other guys were talking about and experimenting with closing off those ports Avian was talking about, boom all hades broke out again. Choice expletive deleteds inserted here.

    My firewall started denying every website so I had to uninstall that and then my internet connection flat out quit working altogether. I couldn't figure that out at all so I gave up, got myself a good Stephen King book and went to bed and read. Thank goodness this morning I was able to find a restore point that got my internet connection back.

    Sooo, any idea what that E drive was all about? Thanks for your interest and help.

  7. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello AvianFlux,

    Thank you for your reply and the referral. I used the program and closed off those ports but everything I reported listening is still listening. I guess there's no harm in them being there for the time being. The doors are closed and I've got a firewall and a router guarding them. :rolleyes: If anything gets past all that then I may as well chuck this sucker out the window. Make a nice splat going down nine floors, eh?

  8. ghodgson

    ghodgson Registered Member

    Dec 20, 2003
    E is often the letter given to a CD or DVD drive as A is always the floppy disc drive, and C usually the Hard drive. Are you sure you haven't deleted your CD/DVD writer/drive? Also programmes 'listening' is normal activity, your firewall should stop them from phoning out should they want to. Windows Doors Cleaner is very good, I have it on my PC.
  9. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello ghodgson,

    Thank you for your reply. I have an A, C, and D drive. No fancy DVD writers or anything like that. No zip drives. Nothing extraneous. Pretty bare bones. Cheap-out-of-the-box Dell. More than enough for my needs but pretty mundane by today's standards.

  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    Really confusing what you're telling.
    You are probably missing some vital steps.
    I have a very comprehensive guide if you're interested, it's even posted here on wilders, how to start from zero.
    Now, you should do this:
    Insert Windows CD ...
    When prompted DELETE existing partitions. Create NEW partition(s).
    Install windows.
    Install firewall (do NOT go online! Download file NOW, save it on a floppy or usb). Same goes for anti-virus. Download them now. I suggest ZoneAlarm and AVG Free.
    Now, during installation, UNPLUG your internet cable from the wall.
    INSTALL firewall and anti-virus.
    Now, you can go online.
    Install other security programs (which you can now download from RESPECTABLE sites). ASK if you don't know which.
    Install other things.
    You should be set without problems.
    Importantly, programs need to dial out, so you should allow them in your firewall, like avg updater, firefox or ie browsers and svchost for windows update.
    Try this, you should be ok...
  11. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello Stevio,

    Thank you for your reply. I have written to you in notepad but I can't seem to get it to take. I'm tired of fiddling with it. We'll see if this takes.


    ETA: Hmmm... must be the length. I'll break it up.
  12. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello Stevio,

    Geeze what an ordeal it was to get this posted. I'm not sure exactly why it wouldn't take but here it is finally.

    Thank you for your reply.

    >>>I'm presuming that we can eliminate you having any pirated/cracked software on the PC ?<<<

    Pirated/cracked? Do you mean not quite legally obtained? Nope, not me. I'm a rather mundane Grandma who really doesn't have much on here and doesn't really do much besides play Euchre and word games on Pogo, hang around on Delphi and About and write.

    >>>>Also I wonder if you have your Browser/PC securely locked down. You should at the very least set ActiveX/Scripting/Java to Disable or Prompt in Tools/Internet Options/Security in IE. The link that AvianFlux gave will help too.<<<<

    Well, there's a thought. I went in and tightened all that up. Because I use the Pogo games it's a PITA but I did it. I really tightened up the intranet stuff. I've really never understood this stuff before. Boy am I getting an education.

    >>>>It sounds like you maybe could have been visiting some sites And/Or clicking/downloading things through possibly emails or other sites, that have taken advantage of the low security settings. Nasties often make use of those settings to install all manner of things. I expect this explains how you were infected with that Trojan !<<<<<

    Hmmm...I won't totally discount that but I really am careful about what I click/download. My email comes through the SBC Yahoo internet and I never EVER open attachments from anyone--not even my kids. I learned that lesson the hard way years and years ago. I've been using PCs since the early 90s so I'm not a novice. I had an IBM running WIN 95 for 8 years and it was still going strong until my son gave me this Dell for Xmas last year so I could get DSL. I sort of miss my IBM...I understood that old girl.

    >>>>After the Reformats etc did you have a Firewall installed and Properly set up BEFORE you attempted an internet connection ?<<<<

    I had the Windows Firewall and the first thing I did when I got connected was download Sygate, then disconnected and format the Sygate.

    >>>> Did you then immediately go to MS Windows Update and install ALL the Security/Critical patches etc before surfing anywhere else ?<<<<

    Now that's an interesting question. I have the SP2 bundled in with my WINXP so that's not a problem. If the timing is right, *sometimes* I can get the first three critical updates downloaded but when I go back for more, I get an error message. If I've signed up for automatic updates, *sometimes* they will come through, sometimes they won't. It's rather bizarre. Just one more of the bizarre things about this whole mess.

    >>>I would suggest doing an fdisk including Deleting the Partition/s, then Creating a fresh one/s making them Active, and then Reformat/Reinstall. After that follow my above advice before doing anything else.<<<<

    Could you please be more explicit about what an fdisk is and how you do it?

    >>>>What other security software do you have in place other than AVG ?<<<

    I have Ewido, Ad-Aware SE, Spyware Blaster, SpyBot, Microsoft Antispyware and Win Patrol. Win Patrol very often gets knocked out when the shenanigans start. Well, first my sound system goes and when I notice that is gone then I'll realize that Win Patrol has taken a hit. I'm not big on computer sound effects. I guess I should get in the habit of having the PC radio on or something...

    Thank you for your interest and taking the time to reply.

  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    Please read my other post (the newer one).
    And if you did everything I said, and you still have these problems, it is quite possible that your hard disk is dying, physically dying.
  14. controler

    controler Guest

    I don't know about Dell but some computer restore CDs do not ask you to delete
    the old partition before creating a new one. They only format the hard drive and
    reinstall all their factory crap. A real Windows XP CD asks you if you would like to delete the active partition. I thought it much more fun to fdisk with a floppy, didn't you guys? I don't know, I seem to like Terabyte's drive program. I need a program like that anyway if I am going to install MS shared toolkit without fdisking and reformatting. Yes, pirated software will usually contain backdoors.
    Even those free cracked Windows XP CDs.
    In your first post you said your issue was hardware related? And now all the bad hardware has been replaced? I have seen a computer's hard drive, motherboard, power supply, video card and CPU all fry at the same time. Sometimes the part is not completely gone and kinda still working. Was your problem lightning or power surge related?

  15. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hi Mrk,

    Hello, thank you for your reply. I hope you don't think I was ignoring you. I am having a very difficult time making replies on this board.

    Yes, I agree that this is all very confusing.

    I did delete Windows from the C drive and reinstall it but I do not understand what you mean by creating partitions. Could you expand on this a little?

    Unfortunately I do not have a CDRW nor do I know anyone who does so that I can download all of the information you suggested. I do have WINXP with the service pack 2 included so I have the Windows firewall. I also have a DSL router so nothing should be getting through while I download AVG and Sygate, right?

    So you think my hard drive could be dying? God, I SO wish it would be that! That would be covered by warranty. All of this activity just seems so calculated and deliberate. Like not being able to get some posts to post to this board. To get my reply to Stevio to post, I finally posted a post that said "this is a test" and then went in and edited it to put in that text. Prior to that I must have tried about 50 times and gotten that white page you get when your internet connection isn't working. Just seems strange to me. Especially when it has happened at other sites I have asked questions at about other things that have been going on. To the point where I just can't get through anymore.

    Confusing? To say the least. Also frustrating.

    Thank you for your time.


  16. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005

    No, my problem was not originally hardware. The original problem was a burglary. I came home to find my Apartment had been broken into and it was quite obvious my PC had been tampered with--it was on and my wordprocessing program was up and running etc. At that point in time I had a trojan. Things have gone downhill since.

  17. tansu

    tansu Registered Member

    Sep 13, 2005
    My advice to whoever has this kind of a problem, and still wants to stick to the lovely Windows OS: just install a Linux distro on your PC with a full format. Then do this:
    And if it goes on.. I don't know
  18. StevieO

    StevieO Guest

    Hi BairbreJ,

    Sorry to hear about your posting problems on top of the other ones !

    fdisk is an MS-DOS program that you have to use from a floppy drive. It amongst other things enables you to delete/recreate the MBR (Master Boot Record) and delete/recreate the partition/s on your hard drive. It was mainly for Win 95/98 but can be a useful tool on other OS's.

    I have found some links which should help to give you more background and info which you asked for. Some of it is a bit indepth and most of it won't apply to your situation, but it's included anyway. If you are not sure about it then please DON'T attempt to use it.

    I might be tempted to do an Online scan at both of these excellent Free sites and see what transpires.

  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    Tansu, it is wiser to install windows first, because windows destroys the master boot record upon installation and creates its own, so if you double-boot with linux, linux should come second.
    Now, on topic:
    I said delete partition. You said delete windows. TWO VERY different things.
    To make a proper COMPLETE install you need to do this:
    Insert cd into cd-rom.
    Boot from cd.
    You will be prompted with a screen asking you if you want to continue with windows installation. You hit enter.
    Then you need to agree to EULA, you hit F8.
    Then it will show you the existing partitions, something like this:
    c: <john> ntfs 43,222mb
    This is the letter, the name, the file system and the size of the partition.
    You select the partition with your arrow keys, if it's not already selected.
    On your screen you will have instructions: do you want to delete this partition? I think you need to press C.
    Then to confirm I think you need to press L.
    Then your hard drive will be empty.
    Then you have the option to create a new partition.
    Create it the same size it was before, or create two if you like, so you can backup your data on a non-system volume.
    There will be another tiny partition selected, about 8mb, DON'T TOUCH IT. Leave it as it is.
    After you create a new partition, the setup will ask you to format it. Format it with the ntfs system. The other partition(s) can be either ntfs or fat32.
    After format, your setup of windows will start.
    That's a complete removal of all existing information. No virus or anything can survive that.
    Then install everything you need.
    Yes, you can download the firewall and anti-virus with windows firewall on.
    But then install them immediately. Then windows updates, immediately.
    And please mind the terminology. It's important and delicate.
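Added example, not code from anyone in this thread: a small Python parser for the 512-byte Master Boot Record that Mrkvonic and StevieO are talking about. It separates the boot code (bytes 0-445), which a plain reformat of C: never rewrites, from the four partition entries and the 0x55AA signature, and it shows the defender's check that follows from their advice: hash the boot code right after a clean partition-delete-and-reinstall and compare against it later. The boot code bytes, the partition layout and the 0xDE type used for the small OEM partition are all constructed sample values, not taken from the poster's machine.

```python
"""Parse a 512-byte MBR and separate boot code from the partition table."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: executable boot code, untouched by a partition format
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"    # bytes 510..511 of every valid MBR

# A few common partition type IDs; anything else is reported as raw hex.
PART_TYPES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0xDE: "OEM utility"}


def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition entry (CHS fields left zero; LBA fields matter)."""
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte sector: boot code, up to 4 entries, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, a hash of the boot code, and the used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and sectors == 0:
            continue                       # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba_start,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """True when the boot code differs from the post-reinstall baseline, even if the
    partition table is identical (what a reformat-only reinstall leaves behind)."""
    return parse_mbr(baseline)["boot_code_sha256"] != parse_mbr(current)["boot_code_sha256"]


# Constructed sample: a ~8 MB OEM partition followed by a bootable NTFS system partition.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20          # stand-in bytes, not real boot code
ENTRIES = [
    build_entry(False, 0xDE, 63, 16065),          # tiny OEM partition, like the "about 8mb" one
    build_entry(True, 0x07, 16128, 78140160),     # ~38 GB NTFS system partition
]
CLEAN_MBR = build_mbr(CLEAN_CODE, ENTRIES)
# Same partition table, different boot code: what a boot-sector infection looks like.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 40, ENTRIES)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(name, info["signature_ok"], info["boot_code_sha256"][:16])
        for p in info["partitions"]:
            print("  ", p)
    print("boot code changed:", boot_code_changed(CLEAN_MBR, TAMPERED_MBR))
```

Reading the real sector 0 of a disk needs raw device access and is outside what this snippet does; the point is that the partition list alone cannot tell the two sectors apart.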
  20. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005

    Thank you for those links. I am studying the fdisk links. I feel as if I am going to college taking subjects I very much would have avoided if given the chance but they have been very helpful. I do very much appreciate your time and efforts.


    edited to add that I have scanned my PC at both online sites (as well as others) you mentioned numerous times and nothing is ever detected but thank you for recommending them. I think I have my own little personal rogue trojan. How sweet.
    Last edited: Nov 9, 2005
  21. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005

    Thank you for your reply. I tried Red Hat Linux in the late 90's. The learning curve was a wee bit steep for me. I could not get it to co-operate and I gave it a good three years. The games were fun though. ;^> Spent a lot of time playing those games to blow off steam! I agree that Windows sucks with all its problems but Linux is too wide open for me. sigh...

  22. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello Everyone,

    I thought I'd post an update to let y'all know the outcome of all your great efforts here. I really appreciated all your comments, advice, and links as I was on my "wascally wabbit" hunt. I think I have the SOB cornered but he turned out to be a badger and a rather mean one at that.

    I think I have an MBR Trojan. I actually watched it do its thing using Disk Investigator and an MS-DOS floppy yesterday afternoon. Amazing...

    I also used Registry Mechanic to dig around in my registry and it found 42 critical errors which I removed manually. Most of them were connected with Windows Media Player so I'm wondering if this is connected to that Sony thing. I've read Mark from Sysinternals' articles and that is downright scary. I've been dealing with this stuff for a lot longer than this has been in the news though so...

    I also found a keylogging file that had duplicate copies of every.damn.thing I have written in any word processing program or post I made on the internet plus a log of all the programs I have downloaded.

    There is also something going on with my Disk Management Console in the Computer Management Folder. Before I reinstalled Windows (following Mrk's suggestions) I got an "RPC server is unavailable error." huh? o_O Ok... That's something that's associated with something known as IPv6 and that is WAY over my head but I'm pretty damn sure I ain't doing it. Weird!

    So then I reinstall and hey everything is cool! So I get everything set up with all the security crap I do before I connect to the internet and take a deep breath and here we go. BOOOM! The very.first.thing I can't download SYGATE. I can't get Windows critical updates. I get this error message that tells me "the Disk Management Console failed to connect to the remote computer" and I need to "add the dmremote.exe to the Windows Firewall Exceptions list!"

    You bet, baby, right away! Let me just hand you my keyboard and mouse and here, have my monitor too. This chair is adjustable and ergonomically correct. You want coffee or cocoa? Comfy? Need a pillow? Nice view, hey? :-*

    I CAN get AVG and Ewido and everything else but, you know, that just makes me very suspicious because I figure these jokers have found a way around them. Oh well... I went back and got Grisofts 30 day trial AVG combo firewall. I figure I'll be reinstalling before that runs out. Hopefully I'll get this resolved by then. Not that I'm holding my breath...

    I'm not sure where to go from here. I'm thinking a total hard drive wipe out and maybe a new NIC because the more I read, the more I'm sure these guys probably have my physical address plus most likely my router info. Any suggestions?


    edited because I CAN spell and abbreviate!
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    I fail to see the magic word from you, in your posts.
    If not... your trojan will be back...
  24. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello Mrk,

    Yes, Sir, I did. TWICE! Which is WHY I began investigating and came to the conclusion that it is possibly an MBR Trojan. You said DON'T touch that little 8 however many bytes partition when I deleted my partitions and reformatted.

    Stevio recommended doing the fdisk/MBR so those are the things I kept in mind while I was researching and experimenting. When I started googling, I ran into all kinds of stuff saying "OMIGAWD whatever you do don't do the fdisk/MBR! Then you won't be able to reboot." like it was the kiss of death. Does that mean you won't be able to get up and running so you can reformat at all?

    Oh, in my last post, I forgot to mention that when I first downloaded Disk Investigator (DI) all I saw with any files in them was boot.ini and pagefilesystem. I checked the raw file data of my boot.ini with DI against the information at this site and just before "fast detect" there was (I deleted it) another command. Something about optin. I figured what the hell...

    I could have sworn I wrote it down but now I can't find it. Damn, I'm getting disorganized. This is so freaking complicated. :rolleyes: At any rate, when I rebooted, I had files in ntldr and NTDETECT.COM. Like I know what any of that means. ;)

    Anyhow, good to hear from you Mrk. Thanks for your reply.

  25. BairbreJ

    BairbreJ Registered Member

    Sep 18, 2005
    Hello again,

    I've been reading about hard drives over at DELL and I just tried to do the built in diagnostic. The screen came up with a 0: bunch of letters and numbers that I don't recognize. I'm screwed, right? :doubt:
