Hacker!!!

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
teaaememy
Posts: 473
Joined: Sun Apr 13, 2003 6:57 pm
Location: Wheatland, California

Post by teaaememy »

Ok, I had a problem with a hacker on Yahoo. But nothing I have has detected it. I have a firewall; is there more I can do? I know they were putting a keylogger on my computer. I downloaded an anti-keylogger but it doesn't appear to be working. Any advice would be appreciated. ~ Thanks
"The way to be safe is never to be secure."
mountainman
SG VIP
Posts: 15451
Joined: Tue Dec 26, 2000 12:00 am
Location: Colorado

Post by mountainman »

Heading to the security forum would be a good place to start.

Those guys know what they're talking about... unlike me. :D
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

ask Norm

how do you know you were hacked?

I was going to post a link to that thread, but the SG search results for "bullsh|t" were too numerous

sometimes you have to think outside the box to get inside the box ;).
teaaememy
Posts: 473
Joined: Sun Apr 13, 2003 6:57 pm
Location: Wheatland, California

Post by teaaememy »

A screen kept flashing on screen for a second. I know the person's user name because of it and reported them, but I would like to be able to stop it from happening again. JCOS helped me out a lot by giving me programs to download, but what I have downloaded didn't stop it.
"The way to be safe is never to be secure."
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by Randy
ask Norm

WTF?

It wasn't me, I swear!!
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

Originally posted by Norm
WTF?

It wasn't me, I swear!!
BASTARD!!! :D
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

Originally posted by Norm
WTF?

It wasn't me, I swear!!
HA HA HA :rotfl: :rotfl:

then who? paft?

I was going to post a link to that thread, but the SG search results for "bullsh|t" were too numerous

sometimes you have to think outside the box to get inside the box ;).
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Kinda vague with the info.

Post your IP and we'll all take a shot at helping you out :D

Go over to http://www.grc.com and test your firewall with a port scan.
Also, get a good trojan scanner and check your system. Easiest way in is when a trojan holds the door open.

You sure this isn't just windows messenger ?
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Norm
Kinda vague with the info.

Post your IP and we'll all take a shot at helping you out :D

Go over to http://www.grc.com and test your firewall with a port scan.
Also, get a good trojan scanner and check your system. Easiest way in is when a trojan holds the door open.

You sure this isn't just windows messenger ?
Hey Norm.

A quick pop-up screen by the vandal lol showed up every 10 minutes or so. Tammy was lucky enough to get a screen shot of it. :D :D It's a trojan alright, since the firewall was introduced to her system after we found out.

The keylog.txt file found in her system folder would never have been found if she didn't get the path from the pop-up. :eek:

She opened it up and there were her Yahoo chats... word for word, being sent back to that person's Yahoo e-mail account, which we also now have.

Tammy e-mailed abuse@yahoo but as of yet hasn't (I think) heard from them.

Did I miss anything Tammy?
>>Cult Master of International Affairs<<
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Good detective work JCOS.

I doubt much will be done about it though. I've heard stories a lot worse where damage was done, and nothing was done.

All we can do is make sure we know our systems well enough to know when something is going on, and keep them secure best we can.

The cops won't lift a finger until the damage exceeds $5,000.

ISPs won't risk losing a customer and their $50 a month over a little incident. I wonder what they will do about the fact that the chat sessions were being sent out. Hmmm. That may be another legal issue altogether.
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Norm
Good detective work JCOS.

I doubt much will be done about it though. I've heard stories a lot worse where damage was done, and nothing was done.

All we can do is make sure we know our systems well enough to know when something is going on, and keep them secure best we can.

The cops won't lift a finger until the damage exceeds $5,000.

ISPs won't risk losing a customer and their $50 a month over a little incident. I wonder what they will do about the fact that the chat sessions were being sent out. Hmmm. That may be another legal issue altogether.
Thanks Norm but it was Tammy's quick fingers that got the screen shot. I should pass it over to you if you want to analyze it.

Got a good free trojan finder? :D
>>Cult Master of International Affairs<<
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by Joint Chiefs Of Staff
Thanks Norm but it was Tammy's quick fingers that got the screen shot. I should pass it over to you if you want to analyze it.

Got a good free trojan finder? :D
TDS-3 is supposed to be good. One of the best I've heard. I think it has a free demo that works for so many days. Not sure.

SwatIT is free.

Also you may want to have a look at http://www.gladiator-antivirus.com/ It's a new scanner that will also give you a list of all apps on your PC that have the potential to access the net.
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Yes, I always like to check things out JCOS, send me any info you have, pics and all.

PM me if you need my email addy.
MadDoctor
New Member
Posts: 5
Joined: Fri Apr 27, 2001 12:00 pm
Location: Looks dark

Post by MadDoctor »

Originally posted by Joint Chiefs Of Staff
it was Tammy's quick fingers
Can you expand on that statement just a bit? Pictures would be nice.
64bit
SG Elite
Posts: 8073
Joined: Mon Aug 28, 2000 12:00 am
Location: Cleveland, Ohio

Post by 64bit »

We can probably eliminate one suspect....not l33t enough
She's presenting like a mandrill!
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

As soon as you deviate from the MS way, you're a hacker.
I hack all the time, it's what I do.
But am I a hacker in the sense of hacking into other systems, no.

She's prolly good 64bit, secure your PC NOW !! :D
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Norm
Yes, I always like to check things out JCOS, send me any info you have, pics and all.

PM me if you need my email addy.
I already have it. Hacked your system just a few seconds ago. :eek:

pfft crappy firewall dude! ;)

j/k

I have it from a few weeks ago. lol
>>Cult Master of International Affairs<<
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Norm....e-mail being sent now! Read first before opening attachment!
>>Cult Master of International Affairs<<
64bit
SG Elite
Posts: 8073
Joined: Mon Aug 28, 2000 12:00 am
Location: Cleveland, Ohio

Post by 64bit »

Originally posted by Norm

She's prolly good 64bit, secure your PC NOW !! :D
:D
I'm probably this dude's next victim. I keep getting a grow.bat file from jenny@addinchestoyourmanhood.org. I'm bound to click it one of these times.... :eek: :D
She's presenting like a mandrill!
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Ah man, I'm missing out on all the fun. Norm you feel like sharing?
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Joint Chiefs Of Staff
Norm....e-mail being sent now! Read first before opening attachment!
damnit! Outlook won't send it Norm. Potentially unsafe file, it says. lol ya think! hehe

I'm trying hotmail now. Should send there without a problem. lol
>>Cult Master of International Affairs<<
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by 64bit
:D
I'm probably this dude's next victim. I keep getting a grow.bat file from jenny@addinchestoyourmanhood.org. I'm bound to click it one of these times.... :eek: :D
Open it in notepad and post it for us.

Kinda curious what it says in the bat file.
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by Joint Chiefs Of Staff
damnit! Outlook won't send it Norm. Potentially unsafe file, it says. lol ya think! hehe

I'm trying hotmail now. Should send there without a problem. lol
I think hotmail scans now too.

Zip it, and then send it.
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by blebs99
Ah man, I'm missing out on all the fun. Norm you feel like sharing?
I'll send you a copy when I get it.

Be patient, JCOS is slow. :D
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

If he'd quit spamming and start sending, it would be a step in the right direction. :D I just got to thinking, RR scans now, so I may not be able to get it.
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Joint Chiefs Of Staff
damnit! Outlook won't send it Norm. Potentially unsafe file, it says. lol ya think! hehe

I'm trying hotmail now. Should send there without a problem. lol
go figure...hotmail sent it. lol
>>Cult Master of International Affairs<<
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by Joint Chiefs Of Staff
go figure...hotmail sent it. lol
I got it, sent blebbs a copy too.

I am on my way out for about 15-20 minutes. I'll get back to you later.

I don't have a test machine right now. Blew a couple of old mobos testing clients' crap. The joys of working as a tech. Make 50 bucks fixing a client's PC, only to blow a 75 mobo lol

I'll have a look at it with a hex editor and see if anything is visible worth reporting.
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Norm
I got it, sent blebbs a copy too.

I am on my way out for about 15-20 minutes. I'll get back to you later.

I don't have a test machine right now. Blew a couple of old mobos testing clients' crap. The joys of working as a tech. Make 50 bucks fixing a client's PC, only to blow a 75 mobo lol

I'll have a look at it with a hex editor and see if anything is visible worth reporting.
Thanks e-mail anything I mean anything you find. ;)

I'll forward it back to Tammy so she can keep some ass. :D and she can too. lol
>>Cult Master of International Affairs<<
teaaememy
Posts: 473
Joined: Sun Apr 13, 2003 6:57 pm
Location: Wheatland, California

Post by teaaememy »

Originally posted by Joint Chiefs Of Staff
Thanks e-mail anything I mean anything you find. ;)

I'll forward it back to Tammy so she can keep some ass. :D and she can too. lol

So I can keep some ass????? WTH lol.

By the way, just a smidge more detail. I know who the file was being sent to. But they are in denial. They say they have no idea what's going on but that I must have a trojan. Funny, why would it say it is emailing the info to their account?
"The way to be safe is never to be secure."
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

BUMP

;)
>>Cult Master of International Affairs<<
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

I'm working on it.
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Trojan scanner...

Pest Patrol

http://www.pestpatrol.com/
MORNING WOOD Lumber Company
Guinness for Strength!!!
knightmare
Posts: 6067
Joined: Tue Feb 19, 2002 10:53 am

yahoo

Post by knightmare »

Next time you are in Yahoo chat, don't go through Messenger; I wouldn't advise using Yahoo Messenger, many firewalls do not stop the scripts run through Yahoo Messenger. It's not quite as functional, but logging into Yahoo chat through your internet browser is safer; you will notice the Yahoo booters can't seem to boot you that way. They have cookie stealers etc., they can take your Yahoo ID, plus password crackers. I only go onto Yahoo games anymore to play pool or spades, chat very seldom; everyone has a boot or script prog..
"A wise man can learn more from a foolish question than a fool can learn from a wise answer."

Bruce Lee
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Tammy better get a trojan cleaner. What I had posted for you to remove may have really screwed you up. Continue reading this whole thread before you do anything. ;)
ghettoside
SG Elite
Posts: 5134
Joined: Thu Mar 13, 2003 5:18 pm
Location: At Large in the US

Post by ghettoside »

TDS 3 is the best anti-trojan. Don't know if the trial version removes, but here's the link
tds 3
The prog is (or was) $50, well worth the money.

what other security progs did the guys give you? (what firewall, any other progs)
ghettoside
SG Elite
Posts: 5134
Joined: Thu Mar 13, 2003 5:18 pm
Location: At Large in the US

Post by ghettoside »

Hey Norm, that Gladiator prog, I've tested that one, it looks great but it gives lots of false positives. Don't know if it's still beta... I abandoned that one. Had some other problem with it too, can't remember exactly what it was.

[edit] just looked at it, it was the 'turbo loader' that was the prob. Scan was kinda slow. Then tried the turbo loader and crash-ola...
it's still in beta too.
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Ok, I have found a few things that may or may not be of any value in ridding this thing. All the files etc. below were referenced in that exe file I was sent.
I could tell by what I saw that the registry gets written to, and some keys deleted. Also it has its own mail handler.

These files are worth investigating.

c:\profile.fil
ANSMPT.dll
winsyst.exe
iphlpapi.dll
dosapi.dll
ANSMTP.obj
ANSMTP.obj.1
stole2.tib
sm.exe
RegSVR32.exe - (this is a normal windows file)
c:\DevStudios\vb\v85.old

C:\\inetpub\\mailroot\\pickup

This is some evidence that it is using the mail system.
test mail
txtEmailInterval
startkeylogGoStealth
GoStealthDelay
GoOutStealthDelay
GetUsername
CallBackMessage
GetWindowsDirectory
GetSystemDirectory
v8InternalUpdate
A.Root-Servers.net
GetMailServer

It is written in C++
There may be more, I got tired of looking at code.
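What Norm did by eye with a hex editor, pulling the readable text out of the binary and picking out the names that point at keylogging and mail delivery, can be done as a small script. The following is an added example, not code from the thread: the byte blob is a constructed stand-in for the suspect file, seeded with a few of the strings Norm listed, and the keyword lists are assumptions chosen for illustration rather than any product's signatures.

```python
"""Pull printable strings out of a binary and group the ones that hint at
keylogging, stealth or self-contained mail delivery. Added example; the
SAMPLE_BLOB below is constructed here and is not the file from the thread."""
import re

# Constructed stand-in for the suspect executable: junk bytes with a few
# ASCII and UTF-16LE strings embedded, the way a real PE file carries them.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00startkeylogGoStealth\x00\x01\x02GetMailServer\x00"
    b"\x7f\x80txtEmailInterval\x00\xde\xadGetSystemDirectory\x00"
    b"\x00C:\\inetpub\\mailroot\\pickup\x00\x00\x10"
    b"k\x00e\x00y\x00l\x00o\x00g\x00.\x00t\x00x\x00t\x00\x00\x00"
    b"\x11\x12ab\x00"   # two printable bytes: too short to count as a string
)

# Indicator families (assumed keyword lists, not a published signature set).
# Substrings are generic on purpose: a custom trojan never matches a known hash,
# but it still has to call the same APIs and name the same things.
INDICATORS = {
    "keylogging":     ("keylog", "GetAsyncKeyState", "SetWindowsHookEx"),
    "mail exfil":     ("smtp", "MailServer", "mailroot", "EmailInterval"),
    "stealth/hiding": ("Stealth", "hide", "GetWindowsDirectory", "GetSystemDirectory"),
}

MIN_LEN = 5  # shorter runs are mostly noise from opcodes and addresses


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable runs of at least min_len characters: ASCII runs first,
    then UTF-16LE runs (a printable byte followed by NUL, repeated)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    found = [r.decode("ascii") for r in ascii_runs]
    found += [r.decode("utf-16le") for r in wide_runs]
    return found


def triage(strings: list) -> dict:
    """Group extracted strings by the indicator family they match (case-insensitive).
    A string can land in more than one family, e.g. 'startkeylogGoStealth'."""
    hits = {family: [] for family in INDICATORS}
    for s in strings:
        low = s.lower()
        for family, keywords in INDICATORS.items():
            if any(k.lower() in low for k in keywords):
                hits[family].append(s)
    return hits


def triage_blob(blob: bytes) -> dict:
    """Convenience wrapper: strings extraction followed by indicator grouping."""
    return triage(extract_strings(blob))


if __name__ == "__main__":
    for family, matched in triage_blob(SAMPLE_BLOB).items():
        print(f"{family:15s} {matched}")
```

Run stand-alone it prints each indicator family with the strings that matched. Strings alone are circumstantial, since a legitimate mail client also imports GetSystemDirectory and mentions SMTP; the value is in the combination (keylogging, stealth and mail-sending in one small binary), which is why the output is grouped by family rather than reduced to a single verdict.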
ghettoside
SG Elite
Posts: 5134
Joined: Thu Mar 13, 2003 5:18 pm
Location: At Large in the US

Post by ghettoside »

Don't know if this will help; went through 20 search pages for online trojan scans, picked a couple that looked good to me

scan1

scan2

Had hoped to find one with heuristics, no luck. 1st one has 9000+ trojs in base, but don't know about it finding a custom troj
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Norm, how in the hell did you access the source code? The only thing I could do was view the thing with QuickView. According to Pest Patrol it is Winspy, but I haven't found any information on deleting the program altogether. I did delete the app folder with the keylogger text, the HKLM\Software\SSET folder key and the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run csrss.exe key, and it appeared to stop functioning. Now you got me scratching my head.
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

I couldn't read most of it, but I used a hex editor and could see some text.

The file named csrss.exe is a windows service I believe. I think the trojan just uses it.

Some of it is written in Visual Basic as well.