hacker in my comp

[thekeymaker264]

alright, well one of my friends got mad at me for getting him in trouble(it was for a good reason) and now he hacked into my comp and he can read, even take things from my computer and its annoying the heck out of me! do any of u know how to stop him from doing this. plz help

[Storm90]

You need to get a good firewall or a router. There are a few people hear that will recomend a software firewall or router. So sit tight and I am sure they will answer you. Goodluck!

[YeOldeStonecat]

You need to get a good firewall or a router.

What's your setup? Are you on broadband of some flavor (cable/DSL?)

What operating system? Passwords on your computer? Sounds like you have a full share with no security..and he's able to go to town. Networking services bound to your internet connection...and running = scarey!

You have any remote admin software running?

Did he ever have access to your computer directly? (did he ever sit down in front of your computer and do "whatever"?)

[cyberskye]

Backup the files you care about then format and reinstall - you have no way of kowing if anything was left behind.


Get a good personal firewall as mentioned above.

[thekeymaker264]

i have cable with windows XP, we have pw for different log in names. and yes he has been on my comp to "fix" it.

[Microsoft 98]

You can either ask mom or your dad to buy you a good router which is more powerful then software firewall, then change your passwords on XP to login, you should od that now.

So he's been over your place and on your pc don't blame you then he knows whats what.

[YeOldeStonecat]

and yes he has been on my comp to "fix" it.

That being the case.....as Cyberskye mentioned..."format"

You have no idea what he put on your system...

[darlin]

i have cable with windows XP, we have pw for different log in names. and yes he has been on my comp to "fix" it.

That's why he's having a field day with you. I would reformat, change passwords, and get a good firewall. The only reason he was able to do what he has done, is because he has had manual access to your computer.

Otherwise, it's not as easy as people think to do things like that, and a port isn't a window that a thief can crawl in. But, he has had manual access to your computer, so you've pretty much gave him the key to it.

[thekeymaker264]

well ok thanks for u guys help, and altho i really dont like the formating part, i guess ill do it cause u guys seem to know ur things

[Sava700]

Yea with most new computers they come with restore disks anyway and makes it easier to recover back to the beginning... just save all files you wanna keep first along with any sites you've bookmarked etc... Once you are back to the beginning install a firewall Sygate is about the best and have the computer Password locked by you only if your the only user so nobody else can get on the sucker and fool with it.

[MadDoctor]

Yea with most new computers they come with restore disks anyway and makes it easier to recover back to the beginning... just save all files you wanna keep first along with any sites you've bookmarked etc... Once you are back to the beginning install a firewall Sygate is about the best and have the computer Password locked by you only if your the only user so nobody else can get on the sucker and fool with it.

I can reformat in 1.2 hours now. No big thing anymore. Go for it!

[Norm]

I can't believe formatting was suggested.

Oh well, too late now.

Good luck

[Debbie]

I can't believe formatting was suggested.

Oh well, too late now.

Good luck

Hey Norm, maybe he hasn't reformatted yet. What do you suggest?

[Norm]

If my car starts leaking oil, I don't replace the engine. I find the leak and repair the gasket, or seal that's leaking. (know what I mean)

There is either a trojan on the PC or there is a legit remote networking app running (like VNC, PC Anywhere, Radmin etc, or the built in Windows remote desktop sharing.
Find it and disable it, that's all there is to it really.
Releasing the IP will stop all traffic so he'll have control of his own PC.

Check running proccesses. Scan for trojans. Disable any remote sharing apps
Fairly simple to fix.

Formatting can present it's own troubles for someone not too familiar with the proccess, and the re-install of an OS.
Drivers can be an issue with some hardware, although XP has a great driver DB, there is still some hardware out there XP has no drivers for, etc etc.
One example is 3rd party IDE controllers.

[Norm]

One more thing before I go...

I would rather take the time to learn or figure out a problem than just wipe it out and start over, but that's me.

I would also want some revenge, and show this guy he's not the only computer savy person on the block.

Flood the port he's using and crash his system

[greEd]

I would also want some revenge, and show this guy he's not the only computer savy person on the block.

Flood the port he's using and crash his system

<evil smirk>

[YeOldeStonecat]

If my car starts leaking oil, I don't replace the engine. I find the leak and repair the gasket, or seal that's leaking. (know what I mean)

There is either a trojan on the PC or there is a legit remote networking app running (like VNC, PC Anywhere, Radmin etc, or the built in Windows remote desktop sharing.
Find it and disable it, that's all there is to it really.
Releasing the IP will stop all traffic so he'll have control of his own PC.

Check running proccesses. Scan for trojans. Disable any remote sharing apps
Fairly simple to fix.

Formatting can present it's own troubles for someone not too familiar with the proccess, and the re-install of an OS.
Drivers can be an issue with some hardware, although XP has a great driver DB, there is still some hardware out there XP has no drivers for, etc etc.
One example is 3rd party IDE controllers.

That's assuming the kid did nursery school tactics, something as amateurish as simply enabling RD, or plopping in VNC or PcA...and hoping the owner didn't have both eyes open to see the icon hiding in systray.

[Norm]

That's assuming the kid did nursery school tactics, something as amateurish as simply enabling RD, or plopping in VNC or PcA...and hoping the owner didn't have both eyes open to see the icon hiding in systray.

Read my entire post
I did mention more than "nursery school tactics"

In my humble opinion it's easier, quicker, and more enlightening to learn and fix an OS and all apps than it is to format and re-install it, especially when it comes to the 2nd, 3rd, fourth +++ time.

[cyberskye]

I agree with you on the theoretical level, Norm. In this case - where the dude has had direct physical access - can you say root kit - I would not hesitate to format.

Rather than your oil leak example, I think of incidents like this more in terms of losing my housekeys - why risk it? I could play with the lock and recalibrate it somehow, but I would end up happier (and safer) with new locks.

If I installed sw that hosed my system, I'd be more curious as to how to fix it. If someone has my password and I use online banking...different story.

Skye

[Norm]

Skye, I may go the format root in this type of case for a client, because it has potential to speed up the time to fix it, but on my own system, if this were to happen, I would want to investigate it and know exactly how it was done. Just for the knowledge.

I learned how to format years ago, and now like to focus on the nitty gritty
Formatting is a pain in the * * if there no backup images, and you don't get to learn anything 'new'.

[darlin]

Skye, I may go the format root in this type of case for a client, because it has potential to speed up the time to fix it, but on my own system, if this were to happen, I would want to investigate it and know exactly how it was done. Just for the knowledge.

I learned how to format years ago, and now like to focus on the nitty gritty
Formatting is a pain in the * * if there no backup images, and you don't get to learn anything 'new'.

I agree with you there, and I would certainly want to screw with this person. I think I would have a field day.

[YeOldeStonecat]

Read my entire post .

I did, all of them, before I posted. Not knowing if the kid who did the hacking was savvy or not, better off being safe than sorry.

On our own systems, yeah, that's different. But we're talking about someone here who may or may not be behind a firewall, may or may not be able to work with use over a week or two's time in trying to help him find how someone is controlling his system. And even then, without being in front of his computer myself, I'd not be sure the problem was gone. Suppose this kid put in several back doors? Across the forum, we work with keymaker here, seem to find how the kids getting in the system, and go "Hooray, we got it"...meanwhile the kid who did the hacking did a halfway decent approach and has another back door...and he's back in!

We don't know if he was good or not. Maybe he was a wannabe hack, and all he could do was fire up remote desktop or sneak in VNC, in which case..great, easy as pie. But maybe he layered a few doors in there too......

[TonyT]

One more thing:

If your "friend" left you any floppys or cds, then virus scan them as his backdoor app may be on one of them. This can include any music cds as well that he may have given you.

[Norm]

Everyone...

Regardless of all the 'what if's', an investigation would be MY first step.
For any program(s) to execute automaticaly, there has to be an entry somewhere.


No matter how talented the "friend" is, ANY problem can be fixed without wiping all the data off the drive. This one may have been a good challenge, but not even close to impossible.

[Paft]

Everyone...

Regardless of all the 'what if's', an investigation would be MY first step.
For any program(s) to execute automaticaly, there has to be an entry somewhere.


No matter how talented the "friend" is, ANY problem can be fixed without wiping all the data off the drive. This one may have been a good challenge, but not even close to impossible.

Hypothetical situation: I manage to tack on a key logger to explorer.exe, and do not make a backup of the original. Or even better yet, kernel32.dll. Some system process that cannot be edited, even by the Administrator. I then set the file +h +s +r with the attrib command, and replace the files with something such as kerneI32.dll, which would be hard for an average user to detect with the way the default Windows fonts look. I keep all the entrances and exits to the .dll, so all programs work normally, with one hook - explorer reports every single keystroke to a file which is uploaded with an smtp server embedded in rundll32.exe, also set +h +s +r and replaced with rundIl32.exe so that the average user can't detect it.

Explain how you would fix that, if you didn't know about the replaced files, and couldn't edit the files with any user account on the system.

[Norm]

Well Paft, I'm not your average user for starters.
I was cleaning spyware off my machines long before any remover apps came along.

Filemon will tell me about any file being written to, so your keylogger is caught within seconds of my investigation.

SFC will catch any improper system files and replace them with originals.
An "upgrade" or repair install will replace all system files as well.
Process viewers will show any process running, and depedancies.

I'm on to the mispelled dll thing. See them right away these days.

You can't run an SMTP server stealthed (not stealthed to me anyway )

I could also delete the Windows dir with a boot disk, and reinstall over without deleting the whole drive contents (save a few mp3's and important files)

Many ways to get around this and figure it out.

Since I know the scenario here it's a bit easier, but an unknown just means more forensic work that's all.

You cannot hide from me what a computer is up to.

NEXT

[cyberskye]

Superior or just grumpy today?

[MadDoctor]

Well Paft, I'm not your average user for starters.

What I know about computers you could write on the head of a pin with a blunt crayon.

Format is the only option for me.

[Norm]

Superior or just grumpy today?

I believe you're reading something that isn't there. Sorry to hear you feel that way.
I don't sugar coat my posts, I just state the facts. Time is sometimes a factor.

I wonder where the thread starter is. Formatting can be more of a pain than first anticipated. It can be hard to get help when you can't get online (for whatever reason).

Paft decided to reply to me in a PM, I know not why.
Since it was a PM I won't print it out. I will say it was a positive acknowledgement.

[mnosteele52]

I completely agree with Norm.......... but........... for a lot of clients it's not cost effective to pay me to take the time to fix all of the problems, it's less expensive to just reformat.

Although formatting is not always an option, so it is always good to know how to actually fix the problem. I take pride in learning and knowing how to fix these issues, I see it as a challenge and don't like being beat. At the same time I have to look at the clients best interest..... the total cost.

[mccoffee]

I try norms way first to fix viruses and spyware I had this one comp i was working on had a bunch of virsues his startup was terriable anway i tried to do it manaully taking it off of start up it booted a couple of times and bam windows would not load not even into safe and old 98 machine


I save format for last resort i admit sometimes it's just eaiser and lot less hassle

[YeOldeStonecat]

I wonder where the thread starter is. Formatting can be more of a pain than first anticipated. It can be hard to get help when you can't get online (for whatever reason).

Seeing as your digging, we don't have to assume that. If he was getting serious about formatting, and didn't know how to do it, perhaps he's researching it, or would have asked what steps to take. If he rushed into it without checking out that process first, asking how to backup data, this, that, the other...all those steps, it's not the fault of those who suggested a format may be the cleanest route.

Once done it might be nice to know 100% that traces of trouble are gone.

And it's a whole different story if any of us techs can beat the issue or not if we were presented with this computer...it's not about a pissing contest here.

[YARDofSTUF]

I completely agree with Norm.......... but........... for a lot of clients it's not cost effective to pay me to take the time to fix all of the problems, it's less expensive to just reformat.

Although formatting is not always an option, so it is always good to know how to actually fix the problem. I take pride in learning and knowing how to fix these issues, I see it as a challenge and don't like being beat. At the same time I have to look at the clients best interest..... the total cost.

But in this case its not a client's PC, its his own, the cost is time and the payment is knowledge.


I agree with norm, an investigation should be the first step.

[cyberskye]

its his own, the cost is time and the payment is knowledge.

There are so many hateful things that could be done meanwhile - warez server, using as a launchpad for attacking others (DoS, etc).

The guy hacked him because he got him into trouble. Could the 'trouble' be IT related?

All teh guy has to do is use his machine to portscan a pentagon or federal gov't ip enough times and the FBI could be at his door...

Curiosity is fine - http://project.honeynet.org/ - but I don't play with security. If I were keymaster andhad no personal info (financial especially) and a spare machine to use to post here so someone could walk me through step-by-step...if not I'd format everytime. God bless Ghost and the geeks who wrote it.

[YARDofSTUF]

There are so many hateful things that could be done meanwhile - warez server, using as a launchpad for attacking others (DoS, etc).

The guy hacked him because he got him into trouble. Could the 'trouble' be IT related?

All teh guy has to do is use his machine to portscan a pentagon or federal gov't ip enough times and the FBI could be at his door...

Curiosity is fine - http://project.honeynet.org/ - but I don't play with security. If I were keymaster andhad no personal info (financial especially) and a spare machine to use to post here so someone could walk me through step-by-step...if not I'd format everytime. God bless Ghost and the geeks who wrote it.

Save the conspiracy theories. He's had the comp up and on long enough that if that were to happen it would have already and he would just tell them who did it, then the friend is in ****. So the friend isnt gonna do something like that.

Update adaware, spybot, and your virus scanner

Unplug ethernet cable

Run adaware, spybot and the virus scanner

Run hijackthis

Goto Start > Run > msconfig > startup > check for suspicious entries

Goto Control Panel > Add/Remove Programs look for any remote desktop junk

Check all running processes to see if there is somethign "extra" there

Hop back on the net and get a software firewall like sygate and see how it goes from there.

[YeOldeStonecat]

^^^

[YeOldeStonecat]

Save the conspiracy theories.

Uh...why would anyone "save the conspiracy theory"...the kid is Obviously in his computer, plain and simple, done under malice.

[darlin]

Well now wer're just tossing around theories. Considering the situtation, which is we don't know the skill level the guy that needed help has, and like was mentioned by someone, if he had another computer so we could talk him through the process of getting the problem resolved without reformatting, then that would be the way to go.

Otherwise, the best solution would be to have given him instructions on reformatting, so he could have printed it out. At any rate, he's not been back around, so this has turned into an ego, pissing match. And you all know full well that I'm the best tech here. (: J/K

[Norm]

This wasn't a "pissing contest" or an "ego" thing. My replies were what I would do, either for myself or someone else in this situation.

Debbie asked me what I would do , and I was given a scenario by Paft, and I replied to them.
I have a lot of professional respect for everyone who posted in this thread.
Formatting is one of my pet peeves. Personally, I can't bear giving in to the almighty format.

I am sincerely sorry this thread took a turn, and admit my style may have caused it.

Till the next time

Norm

[YeOldeStonecat]

Yeah that's the thing...you get 10 engineers in a room, you'll get at least 8 different answers.