Re: recovering from hack/trojan
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 04/25/04
- Next message: Karl Levinson [x y] mvp: "Re: SVCHOST. EXE Exploit / Website Hijack"
- Previous message: Jonathan Maltz [MS-MVP]: "Re: Product Support Services - MALICIOUS ACTIVITY RELATING TO MS04-011"
- In reply to: L H: "recovering from hack/trojan"
- Next in thread: Stewart Fey: "recovering from hack/trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 25 Apr 2004 16:16:48 -0400
You've got a LOT of problems.
Formatting is not such a bad idea, but formatting without knowing how you
were hacked or how to make your machine more secure next time is and has
been a complete waste of time.
Make sure you don't put the computer onto the network or Internet until
AFTER you have fully patched and hardened it. Here is some information that
may help:
http://windowsupdate.microsoft.com [for patches]
www.microsoft.com/technet/security [for hardening checklists]
http://securityadmin.info/faq.asp#harden [ditto]
Patches are not the only thing you should do, but if your system is fully
patched, I bet you wouldn't have this problem.
Do you need FrontPage installed? That could perhaps be a security issue as
well.
A webcam light coming on can be a likely indicator that you have back door
trojan software installed on your computer. Problems with hard drive space
may indicate that a hacker is using your computer as a hidden FTP server.
Codecs being installed and NTFS switching to FAT are not likely hacker
techniques. I don't know of any way to switch from NTFS to FAT, nor of any
MS patches that fix anything like that.
Once a computer is hacked, no amount of patches or service packs remove the
hacking. Some hackers even patch the systems themselves to prevent other
hackers from using the same vulnerability to hack the system.
You may also want to consider a good hardware firewall in addition to your
software firewall, as these are a little harder to bypass than software
firewalls. www.netgear.com start around $70 US, as do www.linksys.com
"L H" <manklub@hotmail.com> wrote in message
news:3afa01c42a25$1ed77610$a401280a@phx.gbl...
Hi.
For the past 6 months, we have been struggling with a
compromised network. There were many indicators that we
were being monitored, such as the webcam coming on
spontaneously, the audio would stop coming over the
speakers, but diagnostics said that it was working. At
one point I even got a splash screen that said "YOU ARE
BEING WATCHED". Codecs for streaming audio and video
appeared that were not removable. (i.e. the Uninstall or
Remove button was disabled.) The firewalls were having
rules installed, and hidden remote access adapters and
protocols would appear in command-line utilities such as
netsh and netstat but were not removable. Group policies
keep getting applied to our computers, which start out
benign, but eventually lock us out of our computers
entirely. By the time we start being denied access to our
own network and internet connections, we also lose
property sheets to many files, objects and folders. Other
indicators or symptoms are that the contents of
installation CDs change, and the hard drives never show
more than 2 Gigabytes of used space. Evidently, the
drives get redirected to virtual drives. The Distributed
Transaction Tracking, Remote Registry, COM+, WBEM and DCOM
services, among others, get reenabled shortly after we
disable them. If (and we have been doing this at least 2
times a week per machine for 6 months) we reformat and
reinstall (flashing the bios as a precaution), and use new
Workgroup names, the old workgroup name comes back,
eventually. Firewalls get changed or disabled, virus
scanners don't detect anything and run way too quickly, in
my opinion.
The following program groups show up almost every time,
soon after an install: (I will try to build a tree) Keep
in mind, we DO NOT INSTALL IIS! There are also older
versions of Windows Media (4.2, I think), IE5 and 4, and
FrontPage installed.
Folder PATH listing
-C:\Program Files
---Common Files
| ---InstallShield
| | ---Engine
| | | \---6
| | | ---Intel 32
| | ---IScript
| ---Microsoft Shared
| | ---DAO
| | ---Microsoft Plus!
| | | ---1033
| | | ---LaunchAppContent
| | | ---1033
| | ---MSInfo
| | ---Speech
| | | ---1033
| | ---Stationery
| | ---TextConv
| | ---Triedit
| | ---VGX
| | ---Web Folders
| | ---web server extensions
| | ---40
| | ---admcgi
| | | ---scripts
| | ---admisapi
| | | ---scripts
| | ---bin
| | | ---1033
| | ---bots
| | | ---vinavbar
| | ---isapi
| | | ---_vti_adm
| | | ---_vti_aut
| | ---servsupp
| | ---_vti_bin
| | ---_vti_adm
| | ---_vti_aut
| ---MSSoap
| | ---Binaries
| | ---Resources
| | ---1033
| ---ODBC
| | ---Data Sources
| ---Services
| ---SpeechEngines
| | ---Microsoft
| | ---Lexicon
| | | ---1033
| | ---SR
| | | ---1033
| | ---TTS
| | ---1033
| ---System
| ---ado
| ---msadc
| ---Ole DB
---ComPlus Applications
---Internet Explorer
| ---Connection Wizard
| ---PLUGINS
| ---SIGNUP
| ---Yahoo
---Messenger
---microsoft frontpage
| ---version3.0
| ---bin
---MSN Gaming Zone
| ---Windows
---NetMeeting
---Online Services
---Outlook Express
---Windows Media Player
| ---Skins
| ---Visualizations
---Windows NT
| ---Accessories
| ---Pinball
---xerox
| ---nwwia
There are many other things going on, such as IPX, NetBEUI,
etc... file systems have changed from NTFS to FAT32,
FAT12 and FAT16. Wowexec shows up running in taskmanager
and filenames go from lower to upper case. Microsoft help
desk personnel told us that all of this was impossible,
yet for some reason Microsoft has now released service
packs that address these issues, and others that I have
not enumerated here. The service packs however do not
appear to get the backdoors or trojans or hackers or
whatever out of our compromised machines. Reformatting
and reinstalling and changing hardware including mobos,
cpus, etc. seems to do no good, nor does staying off the
internet. We get something called "Microsoft Raw Channel
Protocol" installed and bound to network adapters with a
characteristic of "NCF_hidden". We have DLLs and inf
files that have suspicious misspellings and terminology in
them, and deleting and/or disabling and/or uninstalling
the suspicious items causes "session manager" blue screens
or the system file monitor restores them.
I have lots more but this will sum it up -- HELP!
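Added example, not part of this thread: a small Python check written for this exchange that parses Windows `netstat -an` output and flags listening sockets outside an expected baseline, with notes for the two services the thread worries about (Karl's hidden FTP server on port 21, and the IIS/FrontPage web server extensions L H says were never installed, on port 80). The sample netstat output and the baseline port set are constructed assumptions, not data from either poster's machines.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1062       64.4.11.42:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:12345          *:*
"""

# Assumed baseline: what a stock workstation with file sharing on should have
# open. Tune it for your own build; anything outside it deserves a look.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138), ("UDP", 445)}

# Services the thread worries about: a hidden FTP server, and IIS/FrontPage
# web server extensions the poster says were never installed.
PORT_NOTES = {21: "FTP: possible hidden FTP server",
              80: "HTTP: IIS/FrontPage extensions present?"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) tuples; UDP has no state."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, _foreign, state = m.groups()
            rows.append((proto, ip, int(port), state or ""))
    return rows

def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listening sockets not in the baseline, each tagged with a note."""
    findings = []
    for proto, ip, port, state in parse_netstat(text):
        # Every bound UDP socket counts as a listener; TCP must say LISTENING.
        if proto == "UDP" or state == "LISTENING":
            if (proto, port) not in expected:
                findings.append((proto, ip, port,
                                 PORT_NOTES.get(port, "not in baseline")))
    return findings

if __name__ == "__main__":
    for proto, ip, port, note in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {ip}:{port} -> {note}")
```

On a real machine, pipe the output of `netstat -an` into parse_netstat instead of the constructed sample; the established outbound connection in the sample is deliberately not reported, since only listeners are compared against the baseline.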