drno007 (asker):
Hacked!

Hi experts,

I found some strange programs running on my pc and started to investigate, this is what I found:

Small program for remote controlling the PC from http://www.dameware.com (72kb) dntus26.exe

Small program for ftp-server tasksrv.exe (22kb)

Question: How the heck did he get them there?

I am not running any servers on my pc. And no I have not surfed to the Nimda infected pages.

How did he start the telnet service remotely?

Below is from the eventlog.

Thanks in advance.

2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      04:20:53      TlntSvr      Information      None      1001      N/A      HOMEPC1      The MS Telnet Service has shut down successfully.
2002-05-11      04:20:07      TlntSvr      Information      None      1000      N/A      HOMEPC1      The MS Telnet Service has started successfully.
2002-05-11      04:14:03      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:00      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:59      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:56      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      03:31:22      FrontPage 4.0      Warning      None      1000      N/A      HOMEPC1      Microsoft FrontPage Server Extensions:
   error #50001 message: there is no environment variabel of type SERVER_PORT.
2002-05-11      03:27:55      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      03:22:58      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:45      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
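To make the posted eventlog easier to read as an incident timeline, here is an added example (not code from the original post or from any of the posters) that parses Event Viewer rows like the ones above, puts them in chronological order, and flags the three things worth noticing: a burst of TlntSvr 4000 "create shell process" failures, the telnet service start/stop events, and Norton 4097 detections it could not repair. The sample rows are condensed from the log above (multi-line Norton messages joined onto one line, tab-separated as an Event Viewer export is); the burst threshold of five failures within sixty seconds is an assumed tuning value, not something the thread states.

```python
"""Replay an exported Windows eventlog and flag telnet-abuse and AV failures.

Added example; the sample rows below are copied from the posted log and
joined onto single tab-separated lines. Burst thresholds are assumptions.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts source level event_id user computer message")

# Constructed sample: a subset of the posted log, newest first, as exported.
SAMPLE_LOG = [
    "2002-05-11\t05:39:00\tNorton AntiVirus\tError\t(1)\t4097\tNT AUTHORITY\\SYSTEM\tHOMEPC1\t"
    "The file C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\EXXPQOHR\\wbk24A.tmp is infected with the W32.Nimda.A@mm (dr) virus.; "
    "Access to the file was denied..",
    "2002-05-11\t05:39:00\tNorton AntiVirus\tError\t(1)\t4097\tNT AUTHORITY\\SYSTEM\tHOMEPC1\t"
    "The file C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\YJGFKXU3\\readme[1].eml is infected with the W32.Nimda.enc virus.; "
    "Unable to repair this file..",
    "2002-05-11\t04:20:53\tTlntSvr\tInformation\tNone\t1001\tN/A\tHOMEPC1\t"
    "The MS Telnet Service has shut down successfully.",
    "2002-05-11\t04:20:07\tTlntSvr\tInformation\tNone\t1000\tN/A\tHOMEPC1\t"
    "The MS Telnet Service has started successfully.",
    "2002-05-11\t03:31:22\tFrontPage 4.0\tWarning\tNone\t1000\tN/A\tHOMEPC1\t"
    "Microsoft FrontPage Server Extensions: error #50001 message: there is no environment variabel of type SERVER_PORT.",
    "2002-05-11\t03:27:55\tNorton AntiVirus\tError\t(1)\t4097\tNT AUTHORITY\\SYSTEM\tHOMEPC1\t"
    "The file C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\FrontPageTempDir\\_vti_inf.html "
    "was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..",
]
# The nine shell-creation failures, timestamps as posted.
TELNET_FAILURE_TIMES = ["04:14:03", "04:14:02", "04:14:02", "04:14:02",
                        "04:14:01", "04:14:01", "04:14:00", "04:13:59", "04:13:56"]
SAMPLE_LOG += [
    f"2002-05-11\t{t}\tTlntSvr\tError\tNone\t4000\tN/A\tHOMEPC1\t"
    "An error occurred while attempting to create shell process."
    for t in TELNET_FAILURE_TIMES
]

AV_RE = re.compile(
    r"The file (?P<path>.+?) (?:is|was) infected with the (?P<name>.+?) virus\.; "
    r"(?P<action>.+?)\.*$"
)


def parse_event(line):
    """One exported row: date, time, source, type, category, id, user, computer, message."""
    date, time, source, level, _cat, eid, user, computer, message = line.split("\t", 8)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return Event(ts, source, level, int(eid), user, computer, message)


def build_timeline(lines):
    """Event Viewer exports newest-first; an investigation reads oldest-first."""
    return sorted((parse_event(l) for l in lines), key=lambda e: e.ts)


def detect(events, burst_n=5, burst_window=timedelta(seconds=60)):
    """Return (timestamp, category, description) findings in time order."""
    findings = []
    failures = []  # sliding window of TlntSvr 4000 timestamps
    for e in events:
        if e.source == "TlntSvr":
            if e.event_id == 4000:
                failures.append(e.ts)
                failures = [t for t in failures if e.ts - t <= burst_window]
                if len(failures) == burst_n:  # fire once when the threshold is reached
                    findings.append((e.ts, "telnet",
                                     f"{burst_n} shell-creation failures within "
                                     f"{burst_window.seconds}s: repeated remote login attempts"))
            elif e.event_id == 1000:
                findings.append((e.ts, "telnet", "MS Telnet Service started"))
            elif e.event_id == 1001:
                findings.append((e.ts, "telnet", "MS Telnet Service shut down"))
        elif e.source == "Norton AntiVirus" and e.event_id == 4097:
            m = AV_RE.search(e.message)
            # A repaired file is noise here; a file the AV could not touch is not.
            if m and not m["action"].startswith("The file was repaired"):
                findings.append((e.ts, "antivirus", f"{m['name']} in {m['path']}: {m['action']}"))
    return findings


if __name__ == "__main__":
    for ts, cat, desc in detect(build_timeline(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {cat:<9}  {desc}")
```

Run against the posted rows, the timeline shows the nine telnet shell failures between 04:13:56 and 04:14:03, a service start at 04:20:07, a stop at 04:20:53, and two Nimda artefacts in the IE cache at 05:39:00 that Norton could neither repair nor open; the repaired FrontPage temp file and the FrontPage warning are parsed but not flagged.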
Wakeup:

drno007,

You don't need to have a server or anything to get Nimda.  You can be infected from just opening an email.  Do you need to get this Nimda virus removed?
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

Go there and follow the instructions!
I would double, triple, quadruple check to make sure it is gone.
drno007 (asker):

Nimda has never been active on my pc.

These are the files caught by norton as indicated in the previous eventlog.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.htm" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.html" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap1.html" is infected with W32.Nimda.A@mm. The file is repaired.

W32.Nimda.A@mm has been successfully removed
from your computer!

The total number of the scanned files: 45008
The number of deleted files: 0
The number of repaired files: 3
The number of viral processes terminated: 0
The Guest account was removed from the administrators group: NO
The Guest account was disabled: YES
The number of shares found: 6
The number of shares secured for administrator use only: 6
The number of registry keys deleted: 0

Wakeup (accepted solution):
Here are some things to try:
trojan remover
http://www.simplysup.com/tremover/

www.zonealarm.com
free download for personal use

drno007 (asker):

I am accepting this comment and reinstalling my pc. Also going to install that firewall.

thanks for the help.
Wakeup:

Why a C grade?  Is there something that I did not answer?  Also you didn't give me any chance of getting a better grade.  I asked what you were asking.....
drno007 (asker):

The question was: how did he manage to start the telnet server service remotely? He obviously tried to get it started a few times before he succeeded, as indicated by the eventlog. Once that is done it would only be a matter of seconds before he could tftp the small programs to my pc.

Also I hate firewalls. only a bunch of false alarms.
A huge marketing scam in my opinion.

The C grade may have been unfair, but I am very tired from staying up until 3:00am and getting up again 7:30am.

Sorry, make it up to next time, OK?
drno007 (asker):

Also, a translation of this page would be fun to have.

http://ddjia.51.net/hebackwenzhan/page1/wenzhanmulu21.htm