I've been hacked, need help fast

All of my internet traffic is being secretly routed through someone else's server. I've scanned with TDS-3, but it turns up nothing. Formatting or reinstalling is not an option, but even if it was, I'd not want to pass up the opportunity for a learning experience.
Can anyone help, please?

 

Hi User8472,

Could you tell us how you arrived at that conclusion?
Maybe that will make it easier to put someone on the right track.

Regards,

Pieter

 

OK, I'm running Win98, and I have dialup.

When I first access the internet upon connecting (say by clicking a shortcut), I get a Not Found error, and at the bottom it says Apache with the version number, and lists the server as s0h.cc. I googled it, and s0h is "Skin of humanity", a hacker group. This happens for any server I connect to at first, even google. For a google search, I get "/search not found on s0h.cc".

Also, when I try to log into yahoo messenger, regardless of what password I put, it says ok (instead of wrong password), and it then says try another server (fake error).

Also, I've noticed my firewall lists 3 dialup adapters, when I only have one. The other two are blank (null name).

 

If you put Port Explorer beside it, what do you see then?
(get the free eval if you don't have it yet)

 

Also could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Sorry about all the delays, my computer is going bloody slow, and getting slower. I often have to try repeatedly to load a page, or download something. Taking me forever to get HJT.

Here's what PE shows:
--------------------------------------------------------------------------------------------------------------------------------------------------------------
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
--------------------------------------------------------------------------------------------------------------------------------------------------------------
| iexplore.exe | 06:48 16/08/2003 | -915103 | UDP | images.real.com | 1025 | images.real.com | 1025 | LISTENING | 101/101 | 95/95 |
| iexplore.exe | 07:25 16/08/2003 | -915103 | TCP | [My IP Here] | 1109 | ns19a.genericdns.com | 80 | ESTABLISHED | 1/273 | 4/23360 |
| SYSTEM | --- | 0 | TCP | images.real.com | 1025 | localhost | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | localhost | 1101 | localhost | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | localhost | 1109 | localhost | 0 | LISTENING | --- | --- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------

That images.real.com is odd. I end up listening on port 1025 (to myself) every time I connect. And port explorer shows the IPs as 127.0.0.1 and 0.0.0.0, same as TDS-3, but PE resolves it as images.real.com. Strange. On a side note, I've never had real player on my system, and don't have spyware either. I run Ad-Aware and Spybot on a regular basis.

Another strange thing. I installed PE, and rebooted as required, then linked directly to this thread to reconnect. Instead of the usual not found error, I god the s0h website, while IE claimed it was at wilderssecurity.com!

I'm having problems trying to download HJT. Most of the time it won't start, but when it does, it goes part way, then halts. If you tell me what info you want I can get it for you manually.

 

Sorry about all the delays, my computer is going bloody slow, and getting slower. I often have to try repeatedly to load a page, or download something. Taking me forever to get HJT.

Here's what PE shows:
--------------------------------------------------------------------------------------------------------------------------------------------------------------
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
--------------------------------------------------------------------------------------------------------------------------------------------------------------
| iexplore.exe | 06:48 16/08/2003 | -915103 | UDP | images.real.com | 1025 | images.real.com | 1025 | LISTENING | 101/101 | 95/95 |
| iexplore.exe | 07:25 16/08/2003 | -915103 | TCP | [My IP Here] | 1109 | ns19a.genericdns.com | 80 | ESTABLISHED | 1/273 | 4/23360 |
| SYSTEM | --- | 0 | TCP | images.real.com | 1025 | localhost | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | localhost | 1101 | localhost | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | localhost | 1109 | localhost | 0 | LISTENING | --- | --- |
--------------------------------------------------------------------------------------------------------------------------------------------------------------

That images.real.com is odd. I end up listening on port 1025 (to myself) every time I connect. And port explorer shows the IPs as 127.0.0.1 and 0.0.0.0, same as TDS-3, but PE resolves it as images.real.com. Strange. On a side note, I've never had real player on my system, and don't have spyware either. I run Ad-Aware and Spybot on a regular basis.

Another strange thing. I installed PE, and rebooted as required, then linked directly to this thread to reconnect. Instead of the usual not found error, I god the s0h website, while IE claimed it was at wilderssecurity.com!

I'm having problems trying to download HJT. Most of the time it won't start, but when it does, it goes part way, then halts. If you tell me what info you want I can get it for you manually.

 

Woops, sorry about the double post, the page didn't load the first time.

The PE log is pretty messy, it should look better if you copy & paste into notepad or something.

When I spy on the images.real.com connection apparently I'm repeatedly sending myself a sinlge byte packet consisting of "!" (hex 21) on UDP port 1025. PE and my firewall associate this with iexplore.exe, and in my firewall it says it's listening for file sharing, but I have all file sharing turned off.
Now that I'm sitting here with no internet activity, I'm listening on a number of TCP ports around 11xx.

 

That loopback idea of local and remote port 1025 is no problem; indeed IE does send 1 byte packets, MSIMN (OE) too as you might notice.
Now you have at least an option to put your firewall under spy (add the PID manually to make sure it is spying on it) if you had one but i don't see any firewall? No Kerio either?

also look into your HOSTS file
In Windows, not the Hosts.sam but the one without extension.
You might like to add the
127.0.0.1 s0h.cc
line if that is a solution (please correct me if i'm wrong )

This is why we would love to see your hijackthis log all of us.
I am very sure you should have bunches of more sockets and processes running when connected to internet in the PE.
If you post like this
[ code ]
your text
[ /code ]
(without the spaces around the code you will get a better presentation of your log

 

I finally anaged to get HJT, and everything is normal. Not sure what you wanted to see from it. This hack is too clever for anything to be listed in HJT.

... Since when does IE <> MSIE? That's a little confusing...

I do? How would I go about integrating PE with my firewall?
I don't know why you'd expect to see a firewall, because PE shows programs that are using ports, and the firewall doesn't listen on ports.

If only it were that simple. For all intents and purposes, it's as if my connection is not being routed through their server. For example, if I go to www.whatismyip.com, it shows my IP. I've tried online security scans like scan.sygate.com, and it scans my IP. Only they show no active ports (I suspect because my responses may be filtered by the s0h server, since I should be responding with a few open ports like 1025).
If it were something as simple as a host file entry, or IE's proxy settings being changed, it would show their IP, not mine.

Here's my PE log again:

Code:

--------------------------------------------------------------------------------------------------------------------------------------------------------------
|     NAME     |     CREATION     |   PID   | PROTOCOL |  LOCAL ADDRESS  | LOCAL PORT |    REMOTE ADDRESS    | REMOTE PORT | PORT STATUS |  SENT   |  RECVD  |
--------------------------------------------------------------------------------------------------------------------------------------------------------------
| iexplore.exe | 06:48 16/08/2003 | -915103 |    UDP   | images.real.com |    1025    |    images.real.com   |    1025     |  LISTENING  | 101/101 |  95/95  |
| iexplore.exe | 07:25 16/08/2003 | -915103 |    TCP   | [My IP Here]  |    1109    | ns19a.genericdns.com |    80       | ESTABLISHED |  1/273  | 4/23360 |
|  SYSTEM      |        ---       |    0    |    TCP   | images.real.com |    1025    |       localhost      |    0        |  LISTENING  |   ---   |   ---   |
|  SYSTEM      |        ---       |    0    |    TCP   |    localhost    |    1101    |       localhost      |    0        |  LISTENING  |   ---   |   ---   |
|  SYSTEM      |        ---       |    0    |    TCP   |    localhost    |    1109    |       localhost      |    0        |  LISTENING  |   ---   |   ---   |
--------------------------------------------------------------------------------------------------------------------------------------------------------------

 

I assure you I'm quite familiar with everything in the HJT log, as I've customized almost every entry myself. I'm quite certain there's nothing of relevance. You may point out that there is a proxy entry of localhost:4001, but that is not being used. When I enable it, I run a third party software program to set up a proxy chain for anonymity. It is not currently active. No point.
Anyway, since you insist:

Code:

Logfile of HijackThis v1.95.0
Scan saved at 9:21:39 , on 8/16/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\TCLOCK\TCLOCK.EXE
C:\PROGRAM FILES\MAXMEM\MAXMEM.EXE
C:\WINDOWS\INTEGRATOR.EXE
C:\PROGRAM FILES\PORT EXPLORER\PEDEMO.EXE
C:\PROGRAM FILES\MSIE\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=file:///c:/windows/web/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:4001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
F0 - system.ini: Shell=c:\windows\Explorer.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: TClock.exe.lnk = C:\TClock\TClock.exe
O4 - Startup: Hare.exe.lnk = C:\Program Files\Hare\Hare.exe
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: MaxMem.lnk = C:\Program Files\MaxMem\maxmem.exe
O4 - User Startup: TClock.exe.lnk = C:\TClock\TClock.exe
O4 - User Startup: Hare.exe.lnk = C:\Program Files\Hare\Hare.exe
O4 - User Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - User Startup: MaxMem.lnk = C:\Program Files\MaxMem\maxmem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.9787847222
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav021210.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O16 - DPF: HushEncryptionEngine (Yahoo! Companion) - https://mailserver2.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

 

Sorry for the MSIE i typed to fast, meant the MSIMN / OE

The firewall should show up as a hidden process in red for the blocked ports maybe localhost port 1025 to localhost port 0 for example.

Proxy port 4001 is Jap, isn't it? Nice thing!

One remark: does your system further run fine? Since i removed that AntiCrash thing mine runs much better and crashes far less frequently!

The analysis of your HJT log i leave to the experts.

 

Not much to worry about in your log:

Some orphaned entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=

This one, that you probably made yourself:
F0 - system.ini: Shell=c:\windows\Explorer.exe

And one running process I can't find much conclusive info on:
C:\WINDOWS\INTEGRATOR.EXE

Try downloading HijackThis 1.96 and run that. It shows a bit more then 1.95, but no need to post it if there are no surprises.

Regards,

Pieter

 

A firewall shouldn't be listening on any ports...

Yep, it's JAP.

I'm not really sure. It's really iffy. The main reason I use it is for Hare, I really need it.

I'm aware of that.

Yeah, I don't have much use for them so...

Yes, I added the full path, since one could place a trojaned explorer on the root of the main drive and it would get executed rather than the one in %WINDIR%.

That's an interface for Hare and Anticrash. Hare speeds up the system and anticrash is obvious.

I thought 1.95 was the latest... OK, I'll go look for that. I'm sure there will be nothing relevant though.

I ran WinDump, and s0h.cc shows up repeatedly in the packet logs, so I am being redirected through their server. I'm just not sure how to fix that.

 

In HijackThis version 1.96 have a close look at the listings under O17.
Check if they are really your providers DNS servers etc.

Regards,

Pieter

 

Odd, it only goes up to O16.

 

Can you check your internet connection if your DNS servers have been specified?

In that case something like this should show up:

O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D075D7-9BE1-42DB-9B6C-9854C9530696}: NameServer = DNS.ser.ver.one DNS.ser.ver.two
and then ofcourse showing IP numbers instead of what I posted

Regards,

Pieter

 

msimn = Outlook Express

 

A hacker would normally leave a back door open perhaps on a high range port not used by default by any trojan.

if you want a full scan (0 to 65535 inclusive) of your ports from outside of your network to see what any hacker could see just say the word. Online scans don't normally do every one, just known ones.

PS it might take a while to complete.

 

I've done online scans, including one that scans all ports (scan.sygate.com). They all report no open ports both with and without the firewall. I suspect it's because s0h.cc is affecting my responses. The probes are getting to me just fine, its what I send back that gets muffled. The only ports I seem to be listening on are low ones like 1025, and 1100 - 1200 or thereabouts. All from iexplore.exe.

 

Hi User8472,

Can you do a Find File for s0h_Win32hlp.exe on your computer?

Regards,

Pieter

 

I've spent hours searching my hard drive for the string s0h and s0h.cc. Trust me it's not there. I do have the source code for that though.

 

In that case you should know that file is the one used to download any trojans onto your computer.

Remaining: the mystery of rerouting your traffic over a server that is down.

Did you check the DNS entries in your internet connection.
Also no O13 entry in HijackThis 1.96 ?

Regards,

Pieter