Hacked and remote controlled computer

Thread starter: Guest
We used to have a Win 2k SP4 fully patched IBM laptop. Several times when the
user was connected to our LAN, the computer was remote controlled. Someone
deleted mail, chose Start-Run and wrote a message to the user. A bit scary. I
scanned it with antivirus software and Ad-aware software, checked entries in the
registry, checked processes in Task Manager, looked for strange connections with
netstat... but found nothing. I formatted and installed Win XP SP2, and it seems
to have started again. I can tell for sure that no one from inside our
network is doing it. And even if that were the case, there has to be some remote
control application, which I couldn't find. A thought would be that there is
some kind of a rootkit, but I don't know how to find them. I tried to boot
in safe mode but there was no strange service running...
 
Download Ad-aware SE and scan your PC for the presence of spyware:
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/?id=827315

Dealing with Unwanted Spyware and Parasites
http://www.mvps.org/winhelp2002/unwanted.htm

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

 
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt194.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware.
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point
10) Please report back your results

Dave

 
Micke__1 said:
We used to have a Win 2k SP4 fully patched IBM laptop. Several times
when the user was connected to our LAN, the computer was remote
controlled. Someone deleted mail, chose Start-Run and wrote a message
to the user. A bit scary. I scanned it with antivirus software and
Ad-aware software, checked entries in the registry. Checked processes in
Task Manager, looked for strange connections with netstat... but found
nothing. I formatted and installed Win XP SP2, and it seems to have
started again. I can tell for sure that no one from inside our
network is doing it. And even if that were the case, there has to be some
remote control application, which I couldn't find. A thought would be
that there is some kind of a rootkit, but I don't know how to find
them. I tried to boot in safe mode but there was no strange service
running...

When this first happened, was the laptop protected by a perimeter firewall
on your LAN that blocks all potentially dangerous ports? Was this computer
ever used on unprotected networks? Kept patched with all critical updates,
and running good current generation antivirus software?
 
Hi There,

The whole idea of a rootkit is that you can't find it. Damned if
AV/spyware/malware detection will find rootkits once they have
successfully been installed.

That said, there *are* a few methods (and tools) that you can use to
detect the presence of a rootkit on a Windows system.

Note that some of these techniques assume that you have a good
understanding of what you are looking at:

Check out the following tools:

VICE (http://www.rootkit.com)
Klister (http://www.rootkit.com)
SDT Restore (http://www.security.org.sg)
rkdetect (http://www.securiteam.com/)

Use another operating system (like Knoppix) to check the contents of the
System Volume Information folders and other "system only" folders, and
don't forget the Recycle Bin ;)

Use LADS to check for the existence of alternate data streams in files.

Perform a full listing of *every* file on the system (you will need to
be running as LOCALSYSTEM to do this; yes, there are ways, and no, I will
not tell you how on a public newsgroup). Then do the same over with the
drive mounted via a share from a remote box.

Dump the registry (remotely) to a text file, do the same locally and
compare.

Safe mode is about as useful for rootkit detection as peanut butter is
for wireless networking.

You have pretty much gone through everything else; however, I would
still recommend you check out http://www.auscert.org.au/4323 (Windows
Intrusion Detection Checklist) in case there is anything you have missed.

Finally, contact Microsoft they can and most likely will help. Even with
a rootkit.

Hope this helps.

MacLeonard
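As an added example, not code from MacLeonard or anyone else on the thread, here is a small Python script implementing the cross-view comparison described above: it takes two `dir /s /b`-style listings of the same volume, one taken locally and one through an administrative share, normalizes the differing path prefixes, and reports entries that appear in only one view. The host name laptop01, the paths and the file names are constructed sample data.

```python
"""Cross-view diff of two file listings of the same volume.

A rootkit that hooks the local file enumeration APIs hides its files from
a listing taken on the box itself; a listing of the same volume taken
through a share from another machine is served by the file server path and
may still show them.  Any entry present in only one view deserves a look.
Added example; the listings below are constructed, not real captures.
"""


def normalize(line, prefix):
    """Strip the view-specific prefix (e.g. 'C:\\' or '\\\\laptop01\\C$\\'),
    lower-case the rest (NTFS is case-insensitive) and drop blank lines."""
    line = line.strip()
    if not line:
        return None
    if line.lower().startswith(prefix.lower()):
        line = line[len(prefix):]
    return line.lower()


def cross_view_diff(local_listing, remote_listing, local_prefix, remote_prefix):
    """Return entries seen only remotely (candidates hidden by a local hook)
    and entries seen only locally (often just files locked or ACL'd from the
    remote account, but worth confirming)."""
    local = {p for p in (normalize(l, local_prefix)
                         for l in local_listing.splitlines()) if p}
    remote = {p for p in (normalize(l, remote_prefix)
                          for l in remote_listing.splitlines()) if p}
    return {
        "hidden_locally": sorted(remote - local),
        "missing_remotely": sorted(local - remote),
    }


# Constructed sample listings: local `dir /s /b C:\` vs the same volume
# listed through the admin share \\laptop01\C$ from another machine.
LOCAL = r"""C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\user\NTUSER.DAT
"""
REMOTE = r"""\\laptop01\C$\WINDOWS\system32\kernel32.dll
\\laptop01\C$\WINDOWS\system32\drivers\etc\hosts
\\laptop01\C$\WINDOWS\system32\drivers\hidden_example.sys
\\laptop01\C$\Documents and Settings\user\NTUSER.DAT
"""

if __name__ == "__main__":
    for view, entries in cross_view_diff(LOCAL, REMOTE, "C:\\", r"\\laptop01\C$" + "\\").items():
        print(view, entries)
```

The same set-difference works on any two line-oriented dumps of one object taken by different routes, such as the local and remote registry dumps MacLeonard mentions, provided both are normalized to the same key notation first.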
 