# I've Been Hacked



## Casheti (Mar 7, 2007)

A .txt appeared in my documents saying

"CALLUM

YOU ARE BEING OWNED BY IAN AND BRAD MUAHAHAHHAHAHA!!!!!!!!"

Callum is my real name in case you don't know.

Ian sent me a file over MSN, which I was interested in having. I won't go into what I thought it was, as I will be flamed by Slater probably.

Anyways, how do I get rid of what they gave me? 

If they can make files, they can also delete them.


----------



## Pinchy (Mar 7, 2007)

Boot in safe mode and delete


----------



## Casheti (Mar 7, 2007)

How can I delete it if I don't know what it is?


----------



## Casheti (Mar 7, 2007)

I deleted the file he sent me, but that doesn't mean the RAT, (or whatever it is) has gone...


----------



## Pinchy (Mar 7, 2007)

Haven't you got a firewall program with which you can block off unknown IP addresses? Or the router?

Also, change the title of the thread, mods aren't gonna like it.


----------



## Casheti (Mar 7, 2007)

Anything bad there? I have a feeling they've hidden it from taskmgr too


----------



## Casheti (Mar 7, 2007)

Pinchy said:


> Haven't you got a firewall program with which you can block off unknown IP addresses? Or the router?
> 
> Also, change the title of the thread, mods aren't gonna like it.



The title is like that because I'm angry.

I got owned by some pathetic little 18 year old scriptkiddies with no life.

And I have Kaspersky Anti Virus, and Windows Firewall.


----------



## Deleted member 3 (Mar 7, 2007)

It's most likely a trojan. If your virus killer doesn't detect it, check for running processes that seem fishy. If Task Manager doesn't show any, you could use something like HijackThis.
Also you could check the startup with msconfig.

If you fail to remove it I recommend reinstalling Windows, you don't want such programs living on your computer.


----------



## Casheti (Mar 7, 2007)

- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
CALLUM

YOU ARE BEING OWNED BY IAN AND BRAD MUAHAHAHHAHAHA!!!!!!!!
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Fuck you I'm formatting
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
You're a twat
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
And so is he
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Both little scriptkiddies with no life
BrДd says:
lawl
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Why do you do it
BrДd says:
it wasnt me
BrДd says:

- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
What's the point
BrДd says:
oi
BrДd says:
it wasnt
BrДd says:
me
BrДd says:
what have i sent you?
BrДd says:
u want to get rid of it?
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
He sent me a "BF2 Hack"
BrДd says:
LAWL
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
I WONDERED WHY IT WAS SO HUGE
BrДd says:
kaspersky dont own  
BrДd says:
infact
BrДd says:
okay look
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
No, Kaspersky isn't designed to pick up on home-written scripts
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Only big ones
BrДd says:
home wriiten scripts?
BrДd says:
HAHAHA
BrДd says:
dude
BrДd says:
that is pure programming
BrДd says:
not no scripts
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Just shut the fuck up. You say "I'll tell you how to get rid of it" and just do something else
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
YOU'RE BOTH KIDS
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
ITS CHILDISH
BrДd says:
u want to get rid of it?
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
NO
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
FU
BrДd says:
okay
BrДd says:
u keep it
BrДd says:
formatting wont do shit
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
...........lol
BrДd says:
trust me
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Okay
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
If you say so
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
NOT
BrДd says:
lawl
BrДd says:
it wont
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
I don't believe anything you say anymore
BrДd says:
hahaha
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
I thought you were a good guy
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
But I guess I was wrong
BrДd says:
did it pop up?
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
?
BrДd says:
the .txt file
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
It just appeared in there
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
In my Documents
BrДd says:
loooool
BrДd says:
i didnt do shit
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
So why is your name in it
BrДd says:
ian just added my name
BrДd says:
and if u post any shit in SC (which has nothing related to this) then i will get ian to delete all ur file
BrДd says:
files*
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
any shit?
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Like what
BrДd says:
i dunno
BrДd says:
we put nothing like that in our "real" hacks
BrДd says:
so, im just warning you
BrДd says:
brb
BrДd says:
bk
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
so?
BrДd says:
....
BrДd says:
so u r formatting?
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
Yes
- Callum - | - (¯`·._.·-· ́ ¯   ̀ ·-» [يσґ] ĈÅ§ħΞŦї «-·´ ¯   ̀·-·._.·´¯) - | - Ғέαґ ЋΞ ρǐήğ-Ǖ - says:
After school
BrДd says:
lawl

*he says a format won't fix it. I reckon he's lying. Don't you?*


----------



## Casheti (Mar 7, 2007)

DanTheBanjoman said:


> It's most likely a trojan. If your virus killer doesn't detect it, check for running processes that seem fishy. If Task Manager doesn't show any, you could use something like HijackThis.
> Also you could check the startup with msconfig.
> 
> If you fail to remove it I recommend reinstalling Windows, you don't want such programs living on your computer.



Nothing in msconfig startup.

Can you check the screenie I posted of taskmgr please?

I dunno what to look for.


----------



## Pinchy (Mar 7, 2007)

download Hijackthis

LOL a format has to fix it...remember, a format deletes all your files


----------



## Alec§taar (Mar 7, 2007)

*Casheti: A living example of WHY security is important...*

See my subject-line/title-line above...

You might want to try the program I put up here:

*CIS SCORING TOOL SECURITY BENCHMARK:*

http://forums.techpowerup.com/showthread.php?t=26818

(CIS = Center for Internet Security)

Run it, follow its directions, so you NEVER have this happen, again...



* Don't feel bad, it happens... happened to me, just as it happened to you (albeit, when it went down for me, it was 1994 on IRC)...

APK


----------



## Deleted member 3 (Mar 7, 2007)

Alec, sure those tests are fun, though they won't remove trojans, they don't even check for them. It just checks some settings; if you're stupid enough to run a BF2 hack which you got from some random guy then setting password policies or network shares has no effect at all.


----------



## Alec§taar (Mar 7, 2007)

DanTheBanjoman said:


> Alec, sure those tests are fun



More than JUST fun: They are USEFUL, & over the 'long term' as well... it doesn't help to cure someone, if they just turn around the next day & catch it again... see my point?

That's selling Casheti palliatives, when what he needs is a cure, a LONG TERM VACCINATION CURE, not JUST a "short-term" fix.



DanTheBanjoman said:


> though they won't remove trojans, they don't even check for them.



True, but, show me where I stated they did?

Tests of that nature can guide him in learning how to secure his system so he never, EVER (hopefully, & certainly less chance of it) gets 'targeted for termination' again...



"1 ounce of prevention is worth 1 lb. of cure" type of thinking...

(The return on investment's excellent in other words)

APK

P.S.=> You guys handle the immediate cure in other words, & I will point the "Casheti horse" to the water, for the LONG TERM VACCINATION... up to him, to drink it, is all... apk


----------



## Deleted member 3 (Mar 7, 2007)

Vaccination is done before you're sick, once you're sick vaccinations don't work anymore.

In fact, a vaccination actually works by introducing the disease in a crippled form for the immune system to react to; once the immune system knows the disease it can fight it off the next time.
I think being infected with a trojan right now is the vaccination Casheti needs, next time he won't happily run any hack he gets from people.
Then again once he gets over this illness it won't hurt him to make his computer safer while he's at it. Fix the trojan (assuming it is a trojan) first though, Windows settings are completely unrelated at the moment. Unless of course he has network shares standing wide open.


----------



## Alec§taar (Mar 7, 2007)

DanTheBanjoman said:


> Vaccination is done before you're sick, once you're sick vaccinations don't work anymore.



It will in this case, once he is cured...

(& Computers are NOT people, they always can be reformatted if the hardware's still ok, & redone, + REDONE RIGHT, & security-hardened... thus, your analogy doesn't hold really)



* It's always worth securing yourself: Just so you don't get 'bugs' at all, OR @ least, as much!

(Argue the semantics of it ALL you like, but the point is undeniable: *"1 ounce of prevention is worth 1 lb. of cure", no questions asked*...)

APK

P.S.=> Usually, the case is, you get HIT by a bug, & go thru the hassle of trying to remove it, IF you can remove it (I have seen ones where you can't & iirc the name was W32Pinfi)... it teaches you a lesson, or @ least, it did me... apk


----------



## Poisonsnak (Mar 7, 2007)

Casheti - 

I would try the "netstat" tool to narrow that process list you have a bit.  If you open a command window (start - run - "cmd") and type "netstat -ano" it will give you a list of connections on your PC and their corresponding PID.  Then if you use "tasklist" (maybe open a new command window) - type "tasklist /svc" it will show all running processes, their PIDs, and (if applicable) which services are contained in those processes.

My results:


```
C:\Documents and Settings\Jared Epp>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:50300          0.0.0.0:0              LISTENING       1516
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       392
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       460
  TCP    127.0.0.1:1032         127.0.0.1:1033         ESTABLISHED     1856
  TCP    127.0.0.1:1033         127.0.0.1:1032         ESTABLISHED     1856
  TCP    127.0.0.1:1034         127.0.0.1:1035         ESTABLISHED     1856
  TCP    127.0.0.1:1035         127.0.0.1:1034         ESTABLISHED     1856
  TCP    192.168.1.49:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.49:1139      72.14.253.93:80        ESTABLISHED     1856
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    628
  UDP    0.0.0.0:4500           *:*                                    628
  UDP    192.168.1.49:137       *:*                                    4
  UDP    192.168.1.49:138       *:*                                    4
```


```
C:\Documents and Settings\Jared Epp>tasklist /svc

Image Name                   PID Services
========================= ====== =====================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     484 N/A
csrss.exe                    540 N/A
winlogon.exe                 568 N/A
services.exe                 616 Eventlog, PlugPlay
lsass.exe                    628 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe                 792 Ati HotKey Poller
svchost.exe                  812 DcomLaunch, TermService
svchost.exe                  860 RpcSs
svchost.exe                  932 AudioSrv, CryptSvc, Dhcp, dmserver,
                                 EventSystem, lanmanserver,
                                 lanmanworkstation, Netman, Nla, SENS,
                                 Themes, winmgmt, wuauserv
svchost.exe                 1000 Alerter, LmHosts
spoolsv.exe                 1028 Spooler
ati2evxx.exe                1096 N/A
oodag.exe                   1516 O&O Defrag
explorer.exe                1804 N/A
RTHDCPL.exe                  360 N/A
daemon.exe                   384 N/A
CLI.exe                      392 N/A
ctfmon.exe                   412 N/A
CLI.exe                      460 N/A
firefox.exe                 1856 N/A
cmd.exe                     1952 N/A
tasklist.exe                1920 N/A
wmiprvse.exe                1448 N/A
```

Basically take a look at any connections in the list, find their PID, and find out if that process is one you're ok with.  For example, in my netstat list I have this entry:

```
TCP    192.168.1.49:1139      72.14.253.93:80        ESTABLISHED     1856
```
and the corresponding entry in tasklist (cross-referenced by PID)

```
firefox.exe                 1856 N/A
```

This is the web browser session to TPU I'm typing in right now.

Also to help troubleshooting you may try "netstat -ao" instead this will give you the names of foreign computers where possible instead of just their IP addresses.

If you see an entry with Foreign Address as 127.0.0.1 this is called a loopback address and is your computer connecting to itself (so you can pretty much ignore it).  0.0.0.0 on the other hand indicates your computer is listening for an incoming connection (which can be dangerous).

The last part I'll mention is UDP, these by nature are harder to track than TCP (they're not connection oriented so you can't tell who is connecting to them), in mine you can see I have only 5 entries and they either correspond to the Windows System process or lsass.exe which is running 3 services - PolicyAgent, ProtectedStorage, SamSs - which I know are ok.

Good luck!
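The cross-reference Poisonsnak describes (connection → PID → image name) can be done mechanically. Here is an added example in Python, not code from his post and not a Windows tool: it parses `netstat -ano` and `tasklist /svc` output, joins the two on PID, and returns a shortlist of rows worth a second look (listeners that are not bound to loopback, and established sessions to non-loopback peers). The sample listings are constructed, modelled on the ones above, with one fictitious `bf2hack.exe` listener added so there is something to flag; the `TRUSTED_IMAGES` set is an assumption for the demo.

```python
import re

# Constructed sample output, modelled on the netstat -ano and tasklist /svc
# listings in the post above; the bf2hack.exe listener on port 6666 is
# fictitious and added only so the correlation has something to flag.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:50300          0.0.0.0:0              LISTENING       1516
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       392
  TCP    127.0.0.1:1032         127.0.0.1:1033         ESTABLISHED     1856
  TCP    192.168.1.49:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.49:1139      72.14.253.93:80        ESTABLISHED     1856
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       2222
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.49:137       *:*                                    4
"""

TASKLIST_OUTPUT = """
Image Name                   PID Services
========================= ====== =====================================
System Idle Process            0 N/A
System                         4 N/A
services.exe                 616 Eventlog, PlugPlay
lsass.exe                    628 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  860 RpcSs
svchost.exe                  932 AudioSrv, CryptSvc, Dhcp, dmserver,
                                 EventSystem, lanmanserver,
                                 lanmanworkstation, Netman, Nla, SENS,
                                 Themes, winmgmt, wuauserv
CLI.exe                      392 N/A
oodag.exe                   1516 O&O Defrag
firefox.exe                 1856 N/A
bf2hack.exe                 2222 N/A
"""

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# image name (may contain spaces), pid, services; wrapped service lines start with blanks
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
# Images the script will not report: an assumption for the demo, and only a
# name match, since a trojan can call itself svchost.exe just as easily.
TRUSTED_IMAGES = {"System", "services.exe", "lsass.exe", "svchost.exe"}


def parse_netstat(text):
    """Turn `netstat -ano` output into dicts of proto/local/foreign/state/pid."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Turn `tasklist /svc` output into {pid: {"name": ..., "services": ...}},
    folding wrapped service lists back onto their process line."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            name, pid, services = m.groups()
            last_pid = int(pid)
            procs[last_pid] = {"name": name.strip(), "services": services.strip()}
        elif line.startswith(" ") and line.strip() and last_pid is not None:
            procs[last_pid]["services"] += " " + line.strip()
    return procs


def correlate(conns, procs):
    """Join every connection to the image name and services owning its PID."""
    rows = []
    for c in conns:
        p = procs.get(c["pid"], {"name": "<no such pid>", "services": ""})
        rows.append({**c, "image": p["name"], "services": p["services"]})
    return rows


def _host(addr):
    return addr.rsplit(":", 1)[0]


def _is_loopback(addr):
    return addr.startswith("127.") or addr.startswith("[::1]")


def shortlist(rows, trusted=TRUSTED_IMAGES):
    """Rows a human should look at: listeners reachable from the network and
    established sessions to non-loopback peers, from untrusted images."""
    findings = []
    for r in rows:
        if r["image"] in trusted:
            continue
        if r["state"] == "LISTENING" and not _is_loopback(_host(r["local"])):
            findings.append(("listener", r["image"], r["local"], r["pid"]))
        elif r["state"] == "ESTABLISHED" and not _is_loopback(_host(r["foreign"])):
            findings.append(("outbound", r["image"], r["foreign"], r["pid"]))
    return findings


if __name__ == "__main__":
    rows = correlate(parse_netstat(NETSTAT_OUTPUT), parse_tasklist(TASKLIST_OUTPUT))
    for kind, image, addr, pid in shortlist(rows):
        print(f"{kind:9} {image:<14} {addr:<22} pid {pid}")
```

Two things to keep in mind when reading its output. The shortlist is a starting point, not a verdict: `oodag.exe` (O&O Defrag) is flagged alongside the fictitious `bf2hack.exe` because both listen on all interfaces, and only the owner of the box can say which is expected. And trusting `svchost.exe` by image name alone is exactly the gap a RAT exploits; on a real system, check the path on disk and the signature of the binary behind the PID, and compare the services the PID claims to host against what `tasklist /svc` shows for the genuine service hosts.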


----------



## Slater (Mar 7, 2007)

Thats what u get for using hacks nub ^_^


----------



## Fleekar (Mar 7, 2007)

I guess if you're gonna reformat, back up your files. Just unplug your LAN so that further sending of trojans won't happen while you're picking what to keep.


----------



## Ben Clarke (Mar 7, 2007)

Hmm... despite what you've all been saying, a format might not fix it... some viruses self-replicate, so if the hard disk is active and the virus detects it, it will check what's going on, and if it looks like a format is taking place, it copies itself to memory, then puts itself back onto the drive when the format is complete. I think there was a Chernobyl variant that did this...


----------



## Steevo (Mar 7, 2007)

Or use a tool called Active Ports. GUI, easy to use and it will kill processes. If the process won't die use RootkitRevealer, as it can terminate the process. Then go delete it.


----------



## Alec§taar (Mar 7, 2007)

netstat -an

or

netstat -ano

are a better command line for this, mainly because they show the endpoints AND the executable creating them on YOUR side of the IP connection fence, so-to-speak!

APK

P.S.=> The tool Steevo mentions is nice, because it's GUI... apk


----------



## Casheti (Mar 7, 2007)

Slater said:


> Thats what u get for using hacks nub ^_^



There he is. Right on time to flame me.

I already have hacks you twat. I was trying to get BETTER ones.


----------



## Casheti (Mar 7, 2007)

What do you guys reckon to this? I don't know how to analyse it.

I want to do everything possible to stop a format because I have no hardware capable of storing such big amounts of data that I need to back up.

And as for using DVDs, my writer has a broken motor, and is slow anyway because of its 4X writing speed.


----------



## Casheti (Mar 7, 2007)

```text
Logfile of HijackThis v1.99.1
Scan saved at 16:56:24, on 07/03/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O20 - Winlogon Notify: klogon - C:\Windows\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
```

Got a few errors during the scan, not sure if it matters...


----------



## oily_17 (Mar 7, 2007)

Checking here might help understand HJT logfile.

Or get an expert to look at it here.


----------



## oily_17 (Mar 7, 2007)

In the HJT logfile the line starting "O13" seems suspicious. But I am no expert.


----------



## Casheti (Mar 7, 2007)

Thanks. I posted on that site, I hope they can find the problem 

I think he did it to me cos he's jealous of my X850XT.

He only has a 7600GT ROFL!!!  

And he has a stutter lmao...


----------



## oily_17 (Mar 7, 2007)

Hope they sort it soon they can be busy.


----------



## Alec§taar (Mar 7, 2007)

Casheti... now, I have a feeling, this MAY be why my "APK Registry Cleaning Engine 2002++ SR-7" may NOT be working for you...

I built in native "AntiVirus Protection" into it... if it changes size, even 1 byte? It will NOT run, & try to shut itself down & warn you it may be infected... typically, binary infectors WILL add size to an .exe, even a Win32 PE format one.

See here, the technique's "UNIQUE", & rated well @ Slashdot's developer section (where one of my "technical/intellectual" heroes hangs no less, in Mr. John Carmack):

-----------------------------------------------------------------------
*Code Auditing the Defcon Way :*

http://it.slashdot.org/comments.pl?sid=158231&cid=13257227
-----------------------------------------------------------------------

Modded up, a +2, "INTERESTING" @ the one site where I feel the VERY WORST CRITICS ONLINE exist, especially for Windows fans, lol...

(& trust me: They don't like ME personally very much there because I often 'get into it' w/ their Unix/Linux crowd, & leave them on 'the ropes' 9/10 times, & their solution? Ban APK... lol, or TRY to. I just go in again, blowing by the 'wet paper lock ban', & mess w/ 'em after that laffing usually, but only once to prove a point I can).

Now, is it original thought? Doubt it, very little of THAT exists imo, but it is an illustration of a single time that 'hardcoding' (often frowned upon in this field & rightfully so) is useful & GOOD actually!



* Enjoy the read, & do 'entertain the possibility' that that may have stalled it out on you, & you only so far of 1000's of users of the program, trying to protect YOU... 

However, then again, it may NOT be the reason here... but the fact you stall out on it only tends to lead me in THAT direction, because you suspect you may be infected or have been hacked/cracked... too bad, it sux, been there & haven't been since!

APK

P.S.=> For me, being hacked? It was "proper motivation" to learn, lol, "THE DARK SIDE OF THE FORCE" & from the "sith" (hackers/crackers) that practice it in fact, themselves... (years ago, more than a decade now in fact!) - "KNOW THY ENEMY!"... apk
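The self-protection Alec describes above compares the running executable's size against a hard-coded value. Here is an added example in Python (not APK's code, and not a real PE file) that puts that size-only check next to a SHA-256 check and runs both against two kinds of tampering on a constructed stand-in binary: an appending modification, which both checks catch, and a same-size in-place patch, which only the hash catches. The file layout, the patch offset and the tamper bytes are all made up for the demo.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """What a self-check can record at build time: file size and SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def self_check(path, baseline):
    """Size-only check (the technique described above) beside a hash check."""
    now = fingerprint(path)
    return {"size_ok": now["size"] == baseline["size"],
            "hash_ok": now["sha256"] == baseline["sha256"]}


def write_fake_binary(path):
    """Constructed stand-in for a program image: a header, a run of padding and
    some 'code'.  It is not a real PE file; the layout is for the demo only."""
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x90" * 4096 + b"program code goes here")


def tamper_append(path):
    """Appending modification: the image grows, so size and hash both change."""
    with open(path, "ab") as f:
        f.write(b"\xcc" * 64)


def tamper_in_place(path):
    """Same-size patch: two bytes of padding overwritten, size unchanged."""
    with open(path, "r+b") as f:
        f.seek(100)            # offset chosen arbitrarily inside the padding
        f.write(b"\xeb\xfe")


def demonstrate():
    """Run both tamperings against a fresh copy each time and report what each
    check sees.  Returns {"append": {...}, "in_place": {...}}."""
    results = {}
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        for label, tamper in (("append", tamper_append), ("in_place", tamper_in_place)):
            write_fake_binary(path)
            baseline = fingerprint(path)
            # untouched file passes both checks
            assert self_check(path, baseline) == {"size_ok": True, "hash_ok": True}
            tamper(path)
            results[label] = self_check(path, baseline)
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    for label, outcome in demonstrate().items():
        print(f"{label:9} size_ok={outcome['size_ok']!s:5} hash_ok={outcome['hash_ok']}")
```

The caveat that applies to both variants: a baseline stored inside the same binary, whether a size or a hash, can be patched at the same time as the code it protects. A check that the attacker cannot rewrite needs the reference value to live somewhere else, which in practice means a signature over the file verified by something other than the file itself (on Windows, Authenticode and the loader's signature checks).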


----------



## Polaris573 (Mar 7, 2007)

You said you were using windows firewall?  For future reference, even the free version of zonealarm is infinitely better.


----------



## zekrahminator (Mar 7, 2007)

Slater, the next time you go reporting a post, please ask yourself this question: 


> did I start it?


.


----------



## pt (Mar 7, 2007)

if format doesn't work, put everything in your HDD to 0
like completely erase it, turn everything to 0000000000000  
seagate has a program that does this


----------



## Poisonsnak (Mar 7, 2007)

Hmm netstat wasn't as helpful as I had hoped, one thing to try maybe is shutting down MSN since it is using a few UDP connections on there and see if they can still get in or not while it's turned off.


----------



## Alec§taar (Mar 7, 2007)

Poisonsnak said:


> Hmm netstat wasn't as helpful as I had hoped, one thing to try maybe is shutting down MSN since it is using a few UDP connections on there and see if they can still get in or not while it's turned off.



Did you try:

netstat -an

or

netstat -ano

(*OR better yet, in this case?*)

netstat -b

@ a DOS command prompt? The last command line shows the endpoints for EITHER tcp or udp with other switches, & also the programs on YOUR side maintaining connections... 

APK

P.S.=> My bad, earlier... perhaps WRONG command-line switch I recommended for THIS particular problem's analysis... try that last one, netstat -b... & good luck! apk


----------



## JC316 (Mar 7, 2007)

If it comes down to a reformat, isn't there a dos command that completely wipes the hard drive without asking for authorization?


----------



## Apa (Mar 7, 2007)

In the hijackthis file, the

> O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)

looks a bit suspicious, though it says "file missing".
Perhaps uploading the log to www.hijackthis.de and look at the results would help a bit? D:

If you want WORKING (online) cracks (with no virus) for games later, PM me hehe... I have tons...


----------



## Casheti (Mar 7, 2007)

Okay I formatted, but now there's a new problem.

I can't even get the internet to work on my PC now so I'm using my sisters.

I've installed the ethernet drivers and everything. But it says there's no network.

WTF...

I use a CAT5E cable from my router to my PC. Normally it works. Why not now???


----------



## Casheti (Mar 7, 2007)

FUCK THIS I'M FORMATTING FOR ABOUT THE 8TH TIME. Literally.

I should have been doing my English coursework 5 HOURS AGO, THANKS TO THIS PRICK IM GONNA FAIL.


----------



## Polaris573 (Mar 7, 2007)

Casheti said:


> FUCK THIS I'M FORMATTING FOR ABOUT THE 8TH TIME. Literally.
> 
> I should have been doing my English coursework 5 HOURS AGO, THANKS TO THIS PRICK IM GONNA FAIL.



You don't have to fail your assignment because of him.  Just forget about your computer woes for a while and go to your local library to use a computer there.


----------



## Alec§taar (Mar 7, 2007)

Casheti said:


> FUCK THIS I'M FORMATTING FOR ABOUT THE 8TH TIME. Literally.



Man, another "casheti classic", lol... no offense intended man, but you blow me away sometimes, lol!

(@ least you're honest about things, I give you that, & you DO NOT PULL PUNCHES, lol!)

Man - I hope this works out for you, blowing an exam or homework etc. sux... call your prof./teacher if you have to, get extension!

Most teachers would make exception to this... point him here IF you have to as evidence thereof!

Good luck man!

APK


----------



## pt (Mar 7, 2007)

Polaris573 said:


> You don't have to fail your assignment because of him.  Just forget about your computer woes for a while and go to your local library to use a computer there.



10:26pm in England/Portugal/Morocco  
libraries are closed


----------



## Casheti (Mar 7, 2007)

Alec§taar said:


> Man, another "casheti classic", lol... no offense intended man, but you blow me away sometimes, lol!
> 
> (@ least you're honest about things, I give you that, & you DO NOT PULL PUNCHES, lol!)
> 
> ...



Okay, it's all good now...

He had the nerve to try and send me another file as soon as I got back onto msn. It was only a song, but I don't trust him at all now, regardless of whether it's an mp3 (not really sure of what can be attached to songs tbh) or an .exe.

Lesson learned! 

I'm interested in what pt had to say about the 00000000 thing. What's this?

P.S. Alec I'm happy to still help you with your APK Registry Cleaner.


----------



## Casheti (Mar 7, 2007)

As a suboccurance (is that even a word?? Hell I dunno) of this event, I strive to get more security. At the moment I am using Kaspersky AntiVirus and Windows Defender/Windows Firewall. Any other precautions I can take that won't slow me down too much? This is Vista after all, which makes it hard to game already, without the worry of extra AV programs.


----------



## pt (Mar 7, 2007)

use comodo firewall


----------



## ktr (Mar 7, 2007)

just unplug you computer from the internet...


----------



## niko084 (Mar 8, 2007)

Well if it writes itself properly... You could have to re low-level format your hard drive... If they are really good it will write itself into your bios, video card, and anything else it can...

Probably not that good...

I did the same thing to my little brother and a few of my friends, thats a simple remote access program.


----------



## Ketxxx (Mar 8, 2007)

I told u not to accept that file :shadedshu


----------



## Alec§taar (Mar 8, 2007)

Casheti said:


> Okay, it's all good now...
> 
> He had the nerve to try and send me another file as soon as I got back onto msn. It was only a song, but I don't trust him at all now, regardless of whether it's an mp3 (not really sure of what can be attatched to songs tbh) or an .exe.



That is EXACTLY what happened to my nephew, w/ the NASTIEST virus I ever saw... & I don't think there's a removal tool for it yet: It's called W32Pinfi... that was back in 2001 mind you, iirc...



Casheti said:


> Lesson learned!



"The University of Life" (per Christian Bale & John Malkovich in "The Empire of the Sun") - nothing QUITE like the 'school of hard-knocks' man... as the saying goes:

"It'll LEARN ya!"



Casheti said:


> I'm interested in what pt had to say about the 00000000 thing. What's this?



I.E.-> Zero'ing out the HDD securely probably... 3x 0-1-0 iirc, is the gov't std. for a secure wipe, but it may have gone up now (I am fairly certain it has, but if not? Oh well...)

E.G.-> See, I did some 'forensics' work in my day, & 2-3 years ago, specifically on this note, for a LARGE financial firm (one of the planet's largest & for 800 rigs on lease)... I used a tool called "Acronis Disk Cleanser" in 4x pass max config wipe mode to do so. It by FAR surpasses the std. D.O.D. requirement, & this method even defeats the fabled ENCASE program, for data recovery via directory reconstruction file table work.



Casheti said:


> P.S. Alec I'm happy to still help you with your APK Registry Cleaner.



Sure, because I am NOT 110% sure that is what is causing your difficulties, per the above, & I have NO way of knowing if he sent you a binary infector or not... so, your tests? ARE appreciated!

APK

P.S.=> THIS IS WHY I STAY OFF IRC, AIM, MSN, you-name-it... 

See, there's some CLEVER freaks out there, bent on destruction @ times imo, & I was a victim to 1 once... 

However - many WILL tell you how they did, what they did, & it's HOW I learned about security @ least @ the outset, back in 1994-1999 really... have much more to go imo too!

(E.G.-> Some of them, folks you would NOT believe, some famous in this field in fact, I have noted it before - Mark Joseph Edwards being one in fact, he tried, did not breakthru, but I had it trapped in IRC MIRC logs & then more, via a known professional security toolset used by law enforcement called "NetScanTools Pro", which I licensed... had to have it, I was hanging around trying to do what I said above: "KNOW THY ENEMY"... I no longer use NetScanTools though, & later wrote my OWN toolset much like it... ) apk


----------



## Casheti (Mar 8, 2007)

Well, seeing as I formatted, your program may work now. Only one way to find out.


----------



## aximbigfan (Mar 8, 2007)

my advice would be to try a format, THEN reflash your BIOS. if the little bastard did get into your BIOS that should fix it.


chris


----------



## Alec§taar (Mar 8, 2007)

Casheti said:


> Well, seeing as I formatted, your program may work now. Only one way to find out.



Give it a go, & let me know here or in PM, one way or another, because this perplexed the HECK outta me that only YOU of 1,000's of users of it since 1997 have problems... even VISTA users, they work, now that I 'patched' its configuration!

APK

P.S.=> Apply the .reg file in the program's zipfile distro, FIRST, prior to running it (IF you still use VISTA that is) & then right-click on it, use the "Run As Administrator" first time you run it... after that? You can run it normally via desktop double-click on shortcut... thanks for the test! apk


----------



## bigboi86 (Mar 8, 2007)

Casheti said:


> *he says a format won't fix it. I reckon he's lying. Don't you?*



If it's in the boot sector then a normal reformat won't get rid of it, you'll then have to fdisk the MBR.


----------



## pt (Mar 8, 2007)

i can't help you on the 0000 stuff, try asking danthebanjoman


----------



## Alec§taar (Mar 8, 2007)

pt said:


> i can't help you on the 0000 stuff, try asking danthebanjoman



I put it on the last page, I THINK (I mean I think it applies to what he's asking, rather)...



I.E.-> Zero'ing out the HDD securely probably... 3x 0-1-0 iirc, is the gov't std. for a secure wipe, but it may have gone up now (I am fairly certain it has, but if not? Oh well...)

E.G.-> See, I did some 'forensics' work in my day, & 2-3 years ago, specifically on this note, for a LARGE financial firm (one of the planet's largest & for 800 rigs on lease)... I used a tool called "Acronis Disk Cleanser" in 4x pass max config wipe mode to do so. It by FAR surpasses the std. D.O.D. requirement, & this method even defaults the fabled ENCASE program, for data recovery via directory reconstruction file table work.

APK

P.S=> "A Jedi gains power thru understanding whereas a Sith gains understanding, thru power!" - Darth Sidious... apk


----------



## pt (Mar 8, 2007)

Alec§taar said:


> I put it on the last page, I THINK (I mean I think it applies to what he's asking, rather)...
> 
> 
> 
> ...




that's it, my brother did it once to a 'puter that was full of viruses. Seagate has a program that does this; it took about 6 hours or more to do it on a 40GB HDD.


----------



## Greek (Mar 8, 2007)

Cash, I'll pop down to his house on Sunday and make sure it's off for good


----------



## Steevo (Mar 8, 2007)

Boot to Debian and wipe your MBR. Use your XP disk to recreate your MBR.
Boot to Lycoris live or Knoppix, mount the volume, give yourself write permissions, and delete it. The virus that is.


If you believe it has compromised your BIOS, use a winflash utility to perform a checksum, or boot to an unwriteable floppy and BIOS flash program.


----------



## Casheti (Mar 8, 2007)

Greek said:


> Cash, I'll pop down to his house on Sunday and make sure it's off for good



Smash up his PC while you're there.


----------



## Casheti (Mar 8, 2007)

And DO make sure he hasn't got it anymore 

I'm skeptical as to how someone with the mental ability of an 11 year old can get it to stay in the gfx card memory, and if so, it's flash time!


----------



## bigboi86 (Mar 9, 2007)

Steevo said:


> Boot to Debian and wipe your MBR. Use your XP disk to recreate your MBR.
> Boot to Lycoris live or Knoppix, mount the volume, give yourself write permissions, and delete it. The virus that is.
> 
> 
> If you believe it has compromised your BIOS, use a winflash utility to perform a checksum, or boot to an unwriteable floppy and BIOS flash program.



Or just use the fdisk /mbr DOS command, and then create a new MBR using the XP disk.

But most viruses like this are hidden in the MBR.
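
The advice in the last few posts (wipe the MBR from a live CD, recreate it from the XP disc, zero-fill the drive) is easier to reason about with a small inspection script. The following is an added example, not code from anyone in the thread: it parses a 512-byte MBR sector, hashes the 446-byte bootstrap area where boot-sector infectors sit, reports whether that area has been zeroed, and lists the partition table. The sample sector and the "known-good" hash are constructed here for illustration; on a real system you would take the hash from a clean install of the same OS and compare against it after rebuilding the MBR.

```python
"""Inspect a 512-byte MBR sector: boot signature, boot-code hash, partition table.

Added example for this thread. The MBR built below is a constructed sample,
not a dump of any real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow it
SIGNATURE_OFF = 510      # 0x55 0xAA marks a valid MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a sample MBR. partitions: list of (bootable, ptype, lba_start, n_sectors)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long for the MBR bootstrap area")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, n_sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        status = 0x80 if bootable else 0x00
        # CHS fields are left zero; modern tools rely on the LBA fields
        struct.pack_into(ENTRY_FMT, sector, off, status, b"\0\0\0", ptype,
                         b"\0\0\0", lba_start, n_sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, SHA-256 of the boot code, zero-fill status and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, n_sectors = struct.unpack_from(
            ENTRY_FMT, sector, off)
        if ptype == 0:          # type 0 means an unused entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return {
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "boot_code_zeroed": not any(boot_code),
        "partitions": partitions,
    }


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """Compare the bootstrap area against a hash recorded from a known-clean install."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256


def fully_zeroed(image: bytes) -> bool:
    """True when every byte is zero, i.e. a zero-fill pass has covered the whole region."""
    return not any(image)


if __name__ == "__main__":
    # Constructed sample: a short jump stub as boot code plus one NTFS-type partition.
    clean = build_sample_mbr(b"\xEB\x3C\x90" + b"\x90" * 40, [(True, 0x07, 63, 1_000_000)])
    info = parse_mbr(clean)
    print("signature ok:", info["valid_signature"])
    print("boot code sha256:", info["boot_code_sha256"])
    print("partitions:", info["partitions"])
    # Simulate 'wipe the MBR' on the boot code only, leaving the partition table intact.
    wiped = bytes(BOOT_CODE_LEN) + clean[BOOT_CODE_LEN:]
    print("boot code zeroed after wipe:", parse_mbr(wiped)["boot_code_zeroed"])
```

Reading the real sector is the only platform-specific part: on a Linux live CD `dd if=/dev/sda bs=512 count=1 of=mbr.bin` captures it, and `open("mbr.bin", "rb").read()` feeds `parse_mbr`. Zeroing only the first 446 bytes removes the bootstrap code but keeps the partition table, which is why the partitions are still listed afterwards and why the XP disc can then write a fresh loader without repartitioning.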


----------



## Fusion (Mar 12, 2007)

Ignore this post by me, I was wrong


----------

