• Status: Solved

Hacked!

Hi experts,

I found some strange programs running on my PC and started to investigate; this is what I found:

A small program for remote-controlling the PC, from http://www.dameware.com (72 KB): dntus26.exe

A small FTP server program (22 KB): tasksrv.exe

Question: How the heck did he get them there?

I am not running any servers on my PC. And no, I have not surfed to the Nimda-infected pages.

How did he start the telnet service remotely?

Below is from the eventlog.

Thanks in advance.

2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      04:20:53      TlntSvr      Information      None      1001      N/A      HOMEPC1      The MS Telnet Service has shut down successfully.
2002-05-11      04:20:07      TlntSvr      Information      None      1000      N/A      HOMEPC1      The MS Telnet Service has started successfully.
2002-05-11      04:14:03      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:00      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:59      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:56      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      03:31:22      FrontPage 4.0      Warning      None      1000      N/A      HOMEPC1      Microsoft FrontPage Server Extensions:
   error #50001 message: there is no environment variabel of type SERVER_PORT.
2002-05-11      03:27:55      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      03:22:58      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:45      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
1 Solution
 
Wakeup commented:
drno007,

You don't need to have a server or anything to get Nimda. You can be infected just by opening an email. Do you need to get this Nimda virus removed?
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

Go there and follow the instructions!
I would double, triple, quadruple check to make sure it is gone.
 
drno007 (Author) commented:
Nimda has never been active on my PC.

These are the files caught by Norton, as indicated in the previous event log.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.htm" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.html" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap1.html" is infected with W32.Nimda.A@mm. The file is repaired.

W32.Nimda.A@mm has been successfully removed
from your computer!

The total number of the scanned files: 45008
The number of deleted files: 0
The number of repaired files: 3
The number of viral processes terminated: 0
The Guest account was removed from the administrators group: NO
The Guest account was disabled: YES
The number of shares found: 6
The number of shares secured for administrator use only: 6
The number of registry keys deleted: 0

 
Wakeup commented:
Well, then it was on your system and was removed by Norton, according to the event logs. They may not have been active or memory-resident, but they did reside on your computer at one point in time, since 3 of the files on your machine have been repaired.

Also, I do not understand what kind of help you need. If the viruses have since been removed, my suggestion is to get a firewall up. That may help as well, like ZoneAlarm or Norton Internet Security. There are lots of backdoor trojans and the like that this so-called hacker may have used to access your system, and he may have gotten Nimda onto your machine via those backdoor trojans.

 
Wakeup commented:
Here are some things to try:
Trojan Remover
http://www.simplysup.com/tremover/

www.zonealarm.com
Free download for personal use.

 
drno007 (Author) commented:
I am accepting this comment and reinstalling my PC. I am also going to install that firewall.

thanks for the help.
 
Wakeup commented:
Why a C grade? Is there something that I did not answer? Also, you didn't give me any chance of getting a better grade. I asked what you were asking.
 
drno007 (Author) commented:
The question was: how did he manage to start the Telnet server service remotely? He obviously tried to get it started a few times before he succeeded, as indicated by the event log. Once that is done, it would only be a matter of seconds before he could TFTP the small programs to my PC.

Also, I hate firewalls. Only a bunch of false alarms.
A huge marketing scam in my opinion.

The C grade may have been unfair, but I am very tired from staying up until 3:00am and getting up again at 7:30am.

Sorry, I will make it up to you next time, OK?
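A worked reconstruction of the log evidence discussed in the question and in the author's comment just above, as an added example that is not part of the original thread. It parses rows in the whitespace-separated export format shown in the question (the sample inside the block is a constructed subset of those rows, with the long Norton description text shortened), puts them back in chronological order (the export is newest-first), flags a burst of TlntSvr 4000 errors followed by a 1000 service start, and groups the Norton 4097 Nimda detections by file and outcome. The ten-minute window and the three-failure threshold are assumptions chosen for illustration. One caveat when reading the result: TlntSvr only logs a 4000 ("error creating shell process") for a connection it has already accepted, so the 04:13:56 errors show the Telnet service was already answering before the 04:20:07 start event.

```python
"""Rebuild a timeline from an exported Windows NT/2000 event log and flag
Telnet-service activity and Norton Nimda detections.

Added example, not code from the original post.  Assumes the export format
shown in the thread: columns separated by tabs or runs of spaces, with
multi-line messages continued on lines that do not start with a date.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the rows posted in the question, kept in
# the newest-first order and multi-line layout of the export; the Norton
# "description cannot be found" boilerplate is shortened.
SAMPLE_LOG = """\
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The following information is part of the event: The file
C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\EXXPQOHR\\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      04:20:53      TlntSvr      Information      None      1001      N/A      HOMEPC1      The MS Telnet Service has shut down successfully.
2002-05-11      04:20:07      TlntSvr      Information      None      1000      N/A      HOMEPC1      The MS Telnet Service has started successfully.
2002-05-11      04:14:03      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:56      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      03:27:55      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The following information is part of the event: The file
C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\FrontPageTempDir\\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
"""

ROW_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s")
SEP_RE = re.compile(r"\t|\s{2,}")  # tabs in the real export, runs of spaces here
NIMDA_RE = re.compile(
    r"The file (.+?) (?:is|was) infected with the (W32\.Nimda[^;]*?) virus\.; (.+?)\.{1,2}$"
)


def parse_export(text):
    """Return the rows as dicts, oldest first, with continuation lines
    (the wrapped file path and verdict) folded back into the message."""
    events = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if ROW_RE.match(line):
            fields = SEP_RE.split(line, maxsplit=8)
            if len(fields) != 9:
                raise ValueError(f"unexpected column count: {line!r}")
            date, clock, source, level, category, event_id, user, computer, message = fields
            events.append({
                "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
                "source": source, "level": level, "category": category,
                "id": int(event_id), "user": user, "computer": computer,
                "message": message,
            })
        elif events:
            events[-1]["message"] += " " + line.strip()
        else:
            raise ValueError(f"continuation line before first row: {line!r}")
    events.sort(key=lambda e: e["time"])  # export is newest-first
    return events


def telnet_findings(events, window=timedelta(minutes=10), min_failures=3):
    """Flag a burst of TlntSvr 4000 (shell process could not be created)
    followed by a 1000 (service started) inside `window`.  Window and
    threshold are illustrative assumptions, not Windows defaults."""
    findings, failures = [], []
    for e in (e for e in events if e["source"] == "TlntSvr"):
        if e["id"] == 4000:
            failures.append(e)
        elif e["id"] == 1000:
            recent = [f for f in failures if e["time"] - f["time"] <= window]
            if len(recent) >= min_failures:
                findings.append({
                    "first_failure": recent[0]["time"],
                    "service_started": e["time"],
                    "failures": len(recent),
                })
            failures = []
    return findings


def nimda_summary(events):
    """Map each file named in a Norton 4097 event to its (variant, outcome)
    list, so repaired files are separated from those left unrepaired."""
    summary = {}
    for e in events:
        if e["source"] != "Norton AntiVirus" or e["id"] != 4097:
            continue
        m = NIMDA_RE.search(e["message"])
        if m:
            path, variant, outcome = m.groups()
            summary.setdefault(path, []).append((variant, outcome))
    return summary


def timeline(events):
    """One line per event, oldest first, for reading alongside the post."""
    return [f"{e['time']:%Y-%m-%d %H:%M:%S}  {e['source']:<16} {e['id']:>5}  {e['message'][:60]}"
            for e in events]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_LOG)
    print("\n".join(timeline(evs)))
    for f in telnet_findings(evs):
        print(f"TlntSvr: {f['failures']} shell failures from {f['first_failure']:%H:%M:%S}, "
              f"service start logged at {f['service_started']:%H:%M:%S}")
    for path, hits in nimda_summary(evs).items():
        print(f"Nimda: {path} -> {hits}")
```

Running the block as a script prints the oldest-first timeline followed by the two findings; the functions return plain data, so the same checks can be pointed at a full export of the Application log rather than the excerpt from the post.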
 
drno007 (Author) commented:
Also, a translation of this page would be fun to have.

http://ddjia.51.net/hebackwenzhan/page1/wenzhanmulu21.htm