I've been hacked, need help fast

Discussion in 'malware problems & news' started by User8472, Aug 16, 2003.

Thread Status:
Not open for further replies.
  1. User8472

    User8472 Guest

    All of my internet traffic is being secretly routed through someone else's server. I've scanned with TDS-3, but it turns up nothing. Formatting or reinstalling is not an option, but even if it was, I'd not want to pass up the opportunity for a learning experience.
    Can anyone help, please?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi User8472,

    Could you tell us how you arrived at that conclusion?
    Maybe that will make it easier to put someone on the right track.

    Regards,

    Pieter
     
  3. User8472

    User8472 Guest

    OK, I'm running Win98, and I have dialup.

    When I first access the internet upon connecting (say by clicking a shortcut), I get a Not Found error, and at the bottom it says Apache with the version number, and lists the server as s0h.cc. I googled it, and s0h is "Skin of humanity", a hacker group. This happens for any server I connect to at first, even google. For a google search, I get "/search not found on s0h.cc".

    Also, when I try to log into yahoo messenger, regardless of what password I put, it says ok (instead of wrong password), and it then says try another server (fake error).

    Also, I've noticed my firewall lists 3 dialup adapters, when I only have one. The other two are blank (null name). o_O
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you put Port Explorer beside it, what do you see then?
    (get the free eval if you don't have it yet)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Also could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  6. User8472

    User8472 Guest

    Sorry about all the delays, my computer is going bloody slow, and getting slower. I often have to try repeatedly to load a page, or download something. Taking me forever to get HJT.

    Here's what PE shows:
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    | iexplore.exe | 06:48 16/08/2003 | -915103 | UDP | images.real.com | 1025 | images.real.com | 1025 | LISTENING | 101/101 | 95/95 |
    | iexplore.exe | 07:25 16/08/2003 | -915103 | TCP | [My IP Here] | 1109 | ns19a.genericdns.com | 80 | ESTABLISHED | 1/273 | 4/23360 |
    | SYSTEM | --- | 0 | TCP | images.real.com | 1025 | localhost | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | localhost | 1101 | localhost | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | localhost | 1109 | localhost | 0 | LISTENING | --- | --- |
    --------------------------------------------------------------------------------------------------------------------------------------------------------------

    That images.real.com is odd. I end up listening on port 1025 (to myself) every time I connect. And port explorer shows the IPs as 127.0.0.1 and 0.0.0.0, same as TDS-3, but PE resolves it as images.real.com. Strange. On a side note, I've never had real player on my system, and don't have spyware either. I run Ad-Aware and Spybot on a regular basis.

    Another strange thing. I installed PE, and rebooted as required, then linked directly to this thread to reconnect. Instead of the usual not found error, I got the s0h website, while IE claimed it was at wilderssecurity.com!

    I'm having problems trying to download HJT. Most of the time it won't start, but when it does, it goes part way, then halts. If you tell me what info you want I can get it for you manually.
     
  7. User8472

    User8472 Guest

    Sorry about all the delays, my computer is going bloody slow, and getting slower. I often have to try repeatedly to load a page, or download something. Taking me forever to get HJT.

    Here's what PE shows:
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    | iexplore.exe | 06:48 16/08/2003 | -915103 | UDP | images.real.com | 1025 | images.real.com | 1025 | LISTENING | 101/101 | 95/95 |
    | iexplore.exe | 07:25 16/08/2003 | -915103 | TCP | [My IP Here] | 1109 | ns19a.genericdns.com | 80 | ESTABLISHED | 1/273 | 4/23360 |
    | SYSTEM | --- | 0 | TCP | images.real.com | 1025 | localhost | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | localhost | 1101 | localhost | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | localhost | 1109 | localhost | 0 | LISTENING | --- | --- |
    --------------------------------------------------------------------------------------------------------------------------------------------------------------

    That images.real.com is odd. I end up listening on port 1025 (to myself) every time I connect. And port explorer shows the IPs as 127.0.0.1 and 0.0.0.0, same as TDS-3, but PE resolves it as images.real.com. Strange. On a side note, I've never had real player on my system, and don't have spyware either. I run Ad-Aware and Spybot on a regular basis.

    Another strange thing. I installed PE, and rebooted as required, then linked directly to this thread to reconnect. Instead of the usual not found error, I got the s0h website, while IE claimed it was at wilderssecurity.com!

    I'm having problems trying to download HJT. Most of the time it won't start, but when it does, it goes part way, then halts. If you tell me what info you want I can get it for you manually.
     
  8. User8472

    User8472 Guest

    Woops, sorry about the double post, the page didn't load the first time.

    The PE log is pretty messy, it should look better if you copy & paste into notepad or something.

    When I spy on the images.real.com connection apparently I'm repeatedly sending myself a single byte packet consisting of "!" (hex 21) on UDP port 1025. PE and my firewall associate this with iexplore.exe, and in my firewall it says it's listening for file sharing, but I have all file sharing turned off.
    Now that I'm sitting here with no internet activity, I'm listening on a number of TCP ports around 11xx.
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    We have put the HijackThis file on our server for convenience matters - at least for the time being.

    You can grab a copy over on this thread.

    regards.

    paul
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That loopback idea of local and remote port 1025 is no problem; indeed IE does send 1-byte packets, and so does MSIMN (OE), as you might notice.
    Now you have at least an option to put your firewall under spy (add the PID manually to make sure it is spying on it) if you had one, but I don't see any firewall? No Kerio either?

    also look into your HOSTS file
    In Windows, not the Hosts.sam but the one without extension.
    You might like to add the
    127.0.0.1 s0h.cc
    line if that is a solution (please correct me if I'm wrong)

    This is why all of us would love to see your HijackThis log.
    I am very sure you should have bunches of more sockets and processes running when connected to internet in the PE.
    If you post like this
    [ code ]
    your text
    [ /code ]
    (without the spaces around the code) you will get a better presentation of your log.
     
  11. User8472

    User8472 Guest

    I finally managed to get HJT, and everything is normal. Not sure what you wanted to see from it. This hack is too clever for anything to be listed in HJT.
    ... Since when does IE <> MSIE? That's a little confusing...
    I do? How would I go about integrating PE with my firewall?
    I don't know why you'd expect to see a firewall, because PE shows programs that are using ports, and the firewall doesn't listen on ports.
    If only it were that simple. For all intents and purposes, it's as if my connection is not being routed through their server. For example, if I go to www.whatismyip.com, it shows my IP. I've tried online security scans like scan.sygate.com, and it scans my IP. Only they show no active ports (I suspect because my responses may be filtered by the s0h server, since I should be responding with a few open ports like 1025).
    If it were something as simple as a host file entry, or IE's proxy settings being changed, it would show their IP, not mine.

    Here's my PE log again:
    Code:
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    |     NAME     |     CREATION     |   PID   | PROTOCOL |  LOCAL ADDRESS  | LOCAL PORT |    REMOTE ADDRESS    | REMOTE PORT | PORT STATUS |  SENT   |  RECVD  |
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    | iexplore.exe | 06:48 16/08/2003 | -915103 |    UDP   | images.real.com |    1025    |    images.real.com   |    1025     |  LISTENING  | 101/101 |  95/95  |
    | iexplore.exe | 07:25 16/08/2003 | -915103 |    TCP   | [My IP Here]  |    1109    | ns19a.genericdns.com |    80       | ESTABLISHED |  1/273  | 4/23360 |
    |  SYSTEM      |        ---       |    0    |    TCP   | images.real.com |    1025    |       localhost      |    0        |  LISTENING  |   ---   |   ---   |
    |  SYSTEM      |        ---       |    0    |    TCP   |    localhost    |    1101    |       localhost      |    0        |  LISTENING  |   ---   |   ---   |
    |  SYSTEM      |        ---       |    0    |    TCP   |    localhost    |    1109    |       localhost      |    0        |  LISTENING  |   ---   |   ---   |
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    We want to see the full log for one reason only: helping you out. Several of our staff members have vast experience and knowledge as for interpretation from those logs. Thus: let's have it, OK? ;)

    regards.

    paul
     
  13. User8472

    User8472 Guest

    I assure you I'm quite familiar with everything in the HJT log, as I've customized almost every entry myself. I'm quite certain there's nothing of relevance. You may point out that there is a proxy entry of localhost:4001, but that is not being used. When I enable it, I run a third party software program to set up a proxy chain for anonymity. It is not currently active. No point.
    Anyway, since you insist:
    Code:
    Logfile of HijackThis v1.95.0
    Scan saved at 9:21:39 , on 8/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\TCLOCK\TCLOCK.EXE
    C:\PROGRAM FILES\MAXMEM\MAXMEM.EXE
    C:\WINDOWS\INTEGRATOR.EXE
    C:\PROGRAM FILES\PORT EXPLORER\PEDEMO.EXE
    C:\PROGRAM FILES\MSIE\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\NOTEPAD.EXE
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=file:///c:/windows/web/home.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:4001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
    F0 - system.ini: Shell=c:\windows\Explorer.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - Startup: TClock.exe.lnk = C:\TClock\TClock.exe
    O4 - Startup: Hare.exe.lnk = C:\Program Files\Hare\Hare.exe
    O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
    O4 - Startup: MaxMem.lnk = C:\Program Files\MaxMem\maxmem.exe
    O4 - User Startup: TClock.exe.lnk = C:\TClock\TClock.exe
    O4 - User Startup: Hare.exe.lnk = C:\Program Files\Hare\Hare.exe
    O4 - User Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
    O4 - User Startup: MaxMem.lnk = C:\Program Files\MaxMem\maxmem.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.9787847222
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav021210.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O16 - DPF: HushEncryptionEngine (Yahoo! Companion) - https://mailserver2.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sorry for the MSIE, I typed too fast; I meant MSIMN / OE.

    The firewall should show up as a hidden process in red for the blocked ports maybe localhost port 1025 to localhost port 0 for example.

    Proxy port 4001 is Jap, isn't it? Nice thing!

    One remark: does your system otherwise run fine? Since I removed that AntiCrash thing mine runs much better and crashes far less frequently!

    The analysis of your HJT log I leave to the experts.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Not much to worry about in your log:

    Some orphaned entries:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=

    This one, that you probably made yourself:
    F0 - system.ini: Shell=c:\windows\Explorer.exe

    And one running process I can't find much conclusive info on:
    C:\WINDOWS\INTEGRATOR.EXE

    Try downloading HijackThis 1.96 and run that. It shows a bit more than 1.95, but no need to post it if there are no surprises.

    Regards,

    Pieter
     
  16. User8472

    User8472 Guest

    o_O
    A firewall shouldn't be listening on any ports...
    Yep, it's JAP.
    I'm not really sure. It's really iffy. The main reason I use it is for Hare, I really need it.
    I'm aware of that. ;)
    Yeah, I don't have much use for them so... ;)
    Yes, I added the full path, since one could place a trojaned explorer on the root of the main drive and it would get executed rather than the one in %WINDIR%.
    That's an interface for Hare and Anticrash. Hare speeds up the system and anticrash is obvious.
    I thought 1.95 was the latest... OK, I'll go look for that. I'm sure there will be nothing relevant though.

    I ran WinDump, and s0h.cc shows up repeatedly in the packet logs, so I am being redirected through their server. I'm just not sure how to fix that.
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    In HijackThis version 1.96 have a close look at the listings under O17.
    Check if they are really your provider's DNS servers etc. ;)

    Regards,

    Pieter
     
  18. User8472

    User8472 Guest

    Odd, it only goes up to O16.
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Can you check your internet connection if your DNS servers have been specified?

    In that case something like this should show up:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D075D7-9BE1-42DB-9B6C-9854C9530696}: NameServer = DNS.ser.ver.one DNS.ser.ver.two
    and then of course showing IP numbers instead of what I posted ;)

    Regards,

    Pieter
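    A way to check the three kinds of HijackThis entries this thread turns on (the R1 proxy line, any HOSTS mappings that HijackThis reports as O1, and the O17 NameServer line Pieter describes) in one pass. This is an added example, not HijackThis code or anything from the thread; TRUSTED_DNS and the sample log lines are constructed, with documentation IPs standing in for the provider's real resolvers.

```python
"""Review a HijackThis log for entries that can reroute traffic.

Added example, not HijackThis's own code. It checks the three line kinds
discussed in this thread: R1 ProxyServer, O1 Hosts mappings and O17 NameServer
entries (HijackThis 1.96+). TRUSTED_DNS and the sample log are constructed.
"""
import ipaddress
import re

# Assumed: the dial-up provider's real resolvers (placeholder documentation IPs).
TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample lines in HijackThis's own format; the O17 line follows the
# shape Pieter showed, with IPs in place of the DNS.ser.ver.one placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:4001
O1 - Hosts: 127.0.0.1 s0h.cc
O1 - Hosts: 198.51.100.7 www.google.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D075D7-9BE1-42DB-9B6C-9854C9530696}: NameServer = 192.0.2.53 203.0.113.9
"""

R1_PROXY = re.compile(r"^R1 - .*ProxyServer=(\S+)")
O1_HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O17_DNS = re.compile(r"^O17 - .*NameServer = (.+)$")


def is_loopback(ip_text):
    """True for 127.x.x.x / ::1; False for anything that does not parse as an IP."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def analyse(log_text, trusted_dns=TRUSTED_DNS):
    """Return (kind, detail) findings for entries that can redirect traffic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R1_PROXY.match(line):
            # All IE traffic goes through this proxy; confirm it is one you set up.
            findings.append(("R1", f"IE proxy in use: {m.group(1)}"))
        elif m := O1_HOSTS.match(line):
            ip_text, host = m.groups()
            # A loopback mapping only blocks the name (the trick Jooske suggested);
            # any other address silently sends that host somewhere else.
            if not is_loopback(ip_text):
                findings.append(("O1", f"{host} redirected to {ip_text}"))
        elif m := O17_DNS.match(line):
            # Every configured resolver must be one of the provider's own.
            for server in m.group(1).split():
                if server not in trusted_dns:
                    findings.append(("O17", f"unexpected DNS server {server}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Run it against a real log by passing the file's text to analyse(); an O17 finding means the machine is asking a resolver the provider did not assign, which is exactly what would make whatismyip.com still show your own address while page requests end up elsewhere.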
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    msimn = Outlook Express
     
  21. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    A hacker would normally leave a back door open perhaps on a high range port not used by default by any trojan.

    If you want a full scan (0 to 65535 inclusive) of your ports from outside of your network to see what any hacker could see, just say the word. Online scans don't normally do every one, just known ones.

    PS it might take a while to complete.
     
  22. User8472

    User8472 Guest

    I've done online scans, including one that scans all ports (scan.sygate.com). They all report no open ports both with and without the firewall. I suspect it's because s0h.cc is affecting my responses. The probes are getting to me just fine, it's what I send back that gets muffled. The only ports I seem to be listening on are low ones like 1025, and 1100 - 1200 or thereabouts. All from iexplore.exe.
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi User8472,

    Can you do a Find File for s0h_Win32hlp.exe on your computer?

    Regards,

    Pieter
     
  24. User8472

    User8472 Guest

    I've spent hours searching my hard drive for the string s0h and s0h.cc. Trust me it's not there. I do have the source code for that though. ;)
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    In that case you should know that file is the one used to download any trojans onto your computer.

    Remaining: the mystery of rerouting your traffic over a server that is down.

    Did you check the DNS entries in your internet connection?
    Also no O13 entry in HijackThis 1.96?

    Regards,

    Pieter
     