I've been hacked, again

cparent

Member
Jun 28, 2005
139
0
0
About once every 6 months I notice my AVG email scanner (part of AVG antivirus) popping up with emails that I'm not sending. I usually then install ZoneAlarm. This stops the emails, but it begins to become a PITA. I end up reinstalling Windows a month later, which seems to fix it.

It's becoming a ritual now, and getting old. I don't know how deep they are in my system if they can do this. I don't like being a PC for spam.

I'm getting them again. They are lagging my PC.


#1: How am I getting hacked? I have AVG installed and updated. I always have. I have a D-Link DI-524 router. I have my router's DMZ disabled. Virtual server is only on 1 port for uTorrent, TCP 38326/38326.

#2: How can I stop them in the future? It's getting old. ZoneAlarm is a PITA and I'd prefer not to have to run it.

A screenshot of an email
 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
33,944
1
0
1) AVG sucks :light:
2) Please click the link in my sig :thumbsup:
3) Have a merry Christmas :gift:
 

rasczak

Lifer
Jan 29, 2005
10,437
22
81
Originally posted by: John
1) AVG sucks :light:
2) Please click the link in my sig :thumbsup:
3) Have a merry Christmas :gift:

John, your link rox, man. Thanks a bunch, it's helped me out tons!
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
To cparent,

Something about your post really bothers me---here you are--now a spam bot---again--and it's happened at least twice. That should be a wake up call that your overall security is not cutting it.

Jpbelauskas is correct when he says John's links roxs---but the thing to realize is that security should consist of a multi-layered defense---and just having a very good anti-virus means little if your other bases are not covered.----something akin to saying it does no good to have the best locks on your front door if you leave your back door unlocked. And it also means that there is no single magic bullet.---even if AOL Kaspersky is very very good.----and trying to implement John's advice one incremental program at a time will not get it either.

Here is my take---sad to say--you are best off doing what you did before--wiping out your hard drive and starting fresh--and then taking all of John's advice and that process will implement a multi-layered defense for your computer---the reason I say that is that you have--in your own word been hacked---and any decent hacker will always plant a back door on your computer so he can get back in---and only starting out fresh will be sure to wipe that back door out.

My other take is that something like bit torrent is always risky---and even though I do not download music or do peer to peer things---I do know there are more secure programs than bit torrent that do exactly the same things as bit torrent. Hopefully someone will post what program you should use in that area. Then--if I were you---I would max out my router setting for security---then add a good software firewall---something that is not bloatware like zonealarm---something like the Kerio ones---then I would add Aol Kaspersky anti-virus---then add a number of spyware scanners--certainly spybot---and the low footprint spyware blaster which can prevent malware from registering--add windows defender--and maybe a few others--then I would add something in the process control area---win patrol, process guard--or something similar that will warn you if things are trying to install---do your web browsing with opera, firefox, or seamonkey---if you have XP pro--do your downloading from a guest account--and after all that you may be ready to take the risk of music downloading.---but John's link covers it far better than I can---implement the whole of John's package and you have made yourself very difficult to hack again----and quite clearly---you were a sitting duck before.----and will be a sitting duck again unless you lock EVERYTHING down.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: cparent
Kaspersky ran for 3 hours. It didn't find anything. I'll try another from your list.
Could you post a HijackThis log? I'm curious to see what it shows, or doesn't show.

 

Pulsar

Diamond Member
Mar 3, 2003
5,224
306
126
Where is your decent firewall program, like zonealarm?

Where is your malware scanner, like AVG malware? Do you routinely run other malware programs, like spybot, ad-aware, etc?

Where is a decent virus scanner, like AOL's rebadged Kaspersky?

Are you still using preview / autoread panes in your email browser, or do you have them turned off?

Do you have a decent spam filter that auto-deletes known spam, or are you clicking on all your email?

Have you changed the password on your router or did you leave it the default?

Have you updated the firmware on your router to prevent known hacks from working?

Have you turned off un-needed services in windows XP like the dreaded UPNP?

You are torrenting. That in itself is a major vulnerability. Do you download cracks of programs as well? Most of those have dialers / trojans in them.

Are you using internet exploder or have you moved to a less exploited browser like firefox or opera?

Just having a poor virus scanner like AVG is no way to try to keep yourself secure. I have found that most people who get "repeatedly" infected deserve it for doing silly things like running non-trusted programs that they downloaded. I doubt you are being "hacked". It is far more likely you are running programs you shouldn't, or opening emails you shouldn't.
 

cparent

Member
Jun 28, 2005
139
0
0
Just a quick update for info.

Could my security be better? Sure. AVG AV isn't the best, but I really can't afford to buy one. So that's why I was running it.

I don't download stuff from emails. Never have.
I run Microsoft's firewall.
I run my router's firewall.
I run AVG Anti-Spyware.
I use Firefox.
I don't run any warez, and if I did, and Kaspersky is so good, it would have found a virus when I scanned.
I do download music with torrents. Only MP3s. There are no ways to put malware in an MP3.
There may be ways to attack uTorrent. There may be a way to exploit the 1 port I have open.
My email is Gmail.
My D-Link router is firmware updated.
I have not turned off un-needed services in XP. I'm using the default install.
I'm posting my HJT log in a sec.

To me, I'm doing something wrong. Obviously, or I wouldn't be being used as a spambot. However, if you look at the list I typed, I'm willing to bet that I'm more secure than 99.99% of U.S. households out there, and still got hacked. I just need to figure out what it is that I'm doing, where the hole still is. Maybe AVG is the problem. Maybe AVG is free for a reason. But so far, if Kaspersky didn't find any viruses, then I'm willing to bet it's something else.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If your router has configurable rules, block ALL traffic on all ports that don't actually have to be open right now, both inbound and outbound. For you, that appears to be

53 for DNS
80 for HTTP

So block TCP and UDP traffic on ports 1 through 52, 54 through 79, 81 through 65535, as damage containment for now. You won't be able to reach HTTPS sites, but with an infected system, you don't want to be typing anything that's supposed to be secure anyway.

For the general idea of how to configure your router like that: http://www.mechbgon.com/build/router.html shows how. This should keep the Spam from actually getting out the door, and hopefully cuts the command-&-control channel so the Spam bot can't get any new orders.

*waits to see the HJT log*
 

cparent

Member
Jun 28, 2005
139
0
0
Logfile of HijackThis v1.99.1
Scan saved at 11:01:26 PM, on 12/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\KIREOL~1.KIR\LOCALS~1\Temp\Rar$EX40.312\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [emMON] HCWemMON.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WinMySQLadmin.lnk = C:\Program Files\xampp2\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampplite\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\xampp\service.exe (file missing)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I grabbed a DI-524 manual to check it out. It looks like it does have IP filters available, in the Advanced > Filters section of its menus. Set up rules to block TCP and UDP on ports 1-52, 54-79, and 81-65535, for all your internal IP addresses, as damage containment.

In the future, you probably should keep the router arbitrarily locked like that, only permitting the ports that you KNOW why they ought to be open.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Since you have full-version Kaspersky installed, try this:

1) download this file: http://www.mechbgon.com/maxed-out.cfg

2) right-click the red K icon and choose Settings. The Settings panel opens.

3) go down to Service and click the Load button. Have it load settings from the maxed-out.cfg file. As the filename suggests, this sets it for all-out detection, not the default setup.

4) update the virus definitions and run another full scan overnight.


Looking at your HJT log, it appears that your system may even be hosting a phishing website, because you have an Apache webserver running. Were you aware of that? If not, power off your modem overnight or get the damn thing reformatted.
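The reading mechBgon does of the HJT log above (a web server running, services with no identified owner, entries whose file is missing) can be done mechanically. The triage helper below is an added example, not HijackThis code; its sample input is a handful of lines copied from the log posted in this thread, and the "reasons" it reports are my own labels.

```python
"""Triage helper for HijackThis v1.99 style log text (added example).

Parses the 'Running processes:' paths and the 'Oxx - ...' entries, then
flags what a reviewer of the thread's log would look at first:
entries marked '(file missing)', O23 services with 'Unknown owner', and
any Apache web server process or service."""
import re

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")   # a bare Windows path = process line

def parse_hjt(text):
    """Return {'processes': [path, ...], 'entries': [dict, ...]}."""
    processes, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            body = m.group("body")
            entry = {"type": m.group("type"), "body": body, "owner": None,
                     "path": None, "missing": "(file missing)" in body}
            if entry["type"] == "O23":
                s = SERVICE_RE.match(body)
                if s:
                    entry["owner"] = s.group("owner")
                    entry["path"] = s.group("path").replace(" (file missing)", "")
            entries.append(entry)
        elif PROCESS_RE.match(line):
            processes.append(line)
    return {"processes": processes, "entries": entries}

def triage(report):
    """List of (reason, evidence) pairs worth a second look."""
    findings = []
    for proc in report["processes"]:
        if proc.lower().endswith("\\apache.exe"):
            findings.append(("web server process", proc))
    for e in report["entries"]:
        if e["missing"]:
            findings.append(("file missing", e["body"]))
        if e["type"] == "O23" and e["owner"] == "Unknown owner":
            findings.append(("unowned service", e["body"]))
        if e["type"] == "O23" and e["path"] and "apache" in e["path"].lower():
            findings.append(("web server service", e["body"]))
    return findings

# Constructed sample: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\xampplite\apache\bin\apache.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampplite\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\xampp\service.exe (file missing)
"""

if __name__ == "__main__":
    for reason, evidence in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{reason}] {evidence}")
```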
 

cparent

Member
Jun 28, 2005
139
0
0
I run apache. I'm a web developer. I only run it internally however. The ports are off at the router.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If you've now blocked all of the ports on the router except 53 and 80, now look at the router's logs. Are there blocked outbound access attempts being logged? If so, what ports?
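The containment policy mechBgon describes (allow only TCP/UDP 53 and 80, block 1-52, 54-79, 81-65535) and the follow-up question here (which outbound ports get blocked once the policy is in?) as an added example, not code from the thread or from D-Link. The DI-524's real log format is not on the page, so the sample lines use an assumed "timestamp direction proto src:port -> dst:port action" layout.

```python
"""Models the allow-only-53-and-80 containment rule and summarises
blocked outbound attempts from router log text (added example)."""
import re
from collections import Counter

ALLOWED_PORTS = {53, 80}   # DNS and HTTP, per the advice in the thread

def blocked_ranges(allowed=ALLOWED_PORTS):
    """Turn an allow-list into the block ranges typed into the router
    filter: {53, 80} -> [(1, 52), (54, 79), (81, 65535)]."""
    ranges, start = [], 1
    for port in sorted(allowed):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= 65535:
        ranges.append((start, 65535))
    return ranges

def is_allowed(port, allowed=ALLOWED_PORTS):
    return port in allowed

# Assumed log layout (not the DI-524's actual format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>ALLOW|BLOCK)$")

def summarise_blocked_outbound(log_text):
    """Count blocked outbound attempts per (proto, dport) and per LAN host.
    Inbound blocks are ignored: they are background noise, not the bot."""
    by_port, by_host = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["dir"] != "OUT" or m["action"] != "BLOCK":
            continue
        by_port[(m["proto"], int(m["dport"]))] += 1
        by_host[m["src"]] += 1
    return by_port, by_host

# Constructed sample. Repeated SMTP (25) blocks are the spam no longer
# "getting out the door"; the 443 block is the user's own HTTPS being cut,
# as the post warns; the 445 line is inbound and therefore ignored.
SAMPLE_LOG = """\
2006-12-26 00:01:02 OUT TCP 192.168.0.10:1034 -> 203.0.113.5:80 ALLOW
2006-12-26 00:01:03 OUT UDP 192.168.0.10:1035 -> 192.0.2.53:53 ALLOW
2006-12-26 00:01:05 OUT TCP 192.168.0.10:1036 -> 198.51.100.7:25 BLOCK
2006-12-26 00:01:06 OUT TCP 192.168.0.10:1037 -> 198.51.100.8:25 BLOCK
2006-12-26 00:01:09 OUT TCP 192.168.0.10:1038 -> 203.0.113.9:6667 BLOCK
2006-12-26 00:02:10 IN TCP 198.51.100.20:4444 -> 192.168.0.10:445 BLOCK
2006-12-26 00:02:11 OUT TCP 192.168.0.12:1100 -> 203.0.113.5:443 BLOCK
"""

if __name__ == "__main__":
    print("block ranges:", blocked_ranges())
    by_port, by_host = summarise_blocked_outbound(SAMPLE_LOG)
    for (proto, port), n in by_port.most_common():
        print(f"{proto}/{port}: {n} blocked outbound attempts")
    for host, n in by_host.most_common():
        print(f"{host}: {n} blocked outbound attempts")
```

A host that keeps hitting one blocked port is the machine to pull off the network; the port it wants tells you which rule is doing the containing.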
 

cparent

Member
Jun 28, 2005
139
0
0
Reinstalling Windows per the recommendation up above. Starting from scratch. Installing the right stuff, making sure the right software is installed this time.
 

ValuedCustomer

Senior member
May 5, 2004
759
0
0
Originally posted by: cparent
Just a quick update for info.

Could my security be better? Sure. AVG AV isn't the best, but I really can't afford to buy one. So that's why I was running it.

I don't download stuff from emails. Never have.
I run Microsoft's firewall.
I run my router's firewall.
I run AVG Anti-Spyware.
I use Firefox.
I don't run any warez, and if I did, and Kaspersky is so good, it would have found a virus when I scanned.
I do download music with torrents. Only MP3s. There are no ways to put malware in an MP3.
There may be ways to attack uTorrent. There may be a way to exploit the 1 port I have open.
My email is Gmail.
My D-Link router is firmware updated.
I have not turned off un-needed services in XP. I'm using the default install.
I'm posting my HJT log in a sec.

To me, I'm doing something wrong. Obviously, or I wouldn't be being used as a spambot. However, if you look at the list I typed, I'm willing to bet that I'm more secure than 99.99% of U.S. households out there, and still got hacked. I just need to figure out what it is that I'm doing, where the hole still is. Maybe AVG is the problem. Maybe AVG is free for a reason. But so far, if Kaspersky didn't find any viruses, then I'm willing to bet it's something else.
Your config is exactly like mine down to the D-Link router. The only thing different is the torrent usage (I never touch the stuff). Since I've never been in your situation I'm guessing the torrent use may be the culprit.
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
To cparent,

As mentioned earlier---and ValuedCustomer is also saying it---bit torrent is almost certainly your security hazard---but if that is also your passion---the question becomes how do you make music downloading or sharing safer?

But at this point one unasked question should be asked--------NAMELY WHAT OS DO YOU USE?--because certain decisions may hinge on that.

If you use win XP Pro--------there is a lot you can do in XP pro by just using a limited account------and implementing a software restriction policy---PM mechbgon for instructions--and otherwise you should be investigating setting up a virtual machine with something like sandboxie. And until you have a better security defense--I would advise you to avoid implementing any music downloading or sharing.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Also, if I were going to run a torrent thingie, I would make sure that any services it installs run under a separate minimal-rights account, not an Admin-class account or my own Limited account. Start > Run > services.msc. If you're going to hand over your firearm to strangers, make sure it's loaded with blanks. Eh?
 

cparent

Member
Jun 28, 2005
139
0
0
Sounds good. I'll look into that over the next few days.


To everyone that posted in this thread, thanks! I think that I'm on the right track now.


Now if I could only get AOL to send me a Kaspersky key from their "free" site. I think it must be broken.
 