Solved

Hacked!

Posted on 2002-06-12
Last Modified: 2011-08-18
Hi experts,

I found some strange programs running on my PC and started to investigate. This is what I found:

Small program for remote-controlling the PC, from http://www.dameware.com (72 KB): dntus26.exe

Small program for an FTP server: tasksrv.exe (22 KB)

Question: How the heck did he get them there?

I am not running any servers on my PC. And no, I have not surfed to the Nimda-infected pages.

How did he start the telnet service remotely?

Below is from the event log.

Thanks in advance.

2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      04:20:53      TlntSvr      Information      None      1001      N/A      HOMEPC1      The MS Telnet Service has shut down successfully.
2002-05-11      04:20:07      TlntSvr      Information      None      1000      N/A      HOMEPC1      The MS Telnet Service has started successfully.
2002-05-11      04:14:03      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:00      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:59      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:56      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      03:31:22      FrontPage 4.0      Warning      None      1000      N/A      HOMEPC1      Microsoft FrontPage Server Extensions:
   error #50001 message: there is no environment variabel of type SERVER_PORT.
2002-05-11      03:27:55      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      03:22:58      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      01:37:54      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:53      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11      01:37:52      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11      01:37:45      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
Question by:drno007

9 Comments
 
LVL 17

Expert Comment

by:Wakeup
ID: 7074198
drno007,

You don't need to have a server or anything to get Nimda. You can be infected just from opening an email. Do you need to get this Nimda virus removed?
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

Go there and follow the instructions!
I would double, triple, quadruple check to make sure it is gone.
LVL 1

Author Comment

by:drno007
ID: 7074311
Nimda has never been active on my PC.

These are the files caught by Norton, as indicated in the previous event log.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.htm" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap0.html" is infected with W32.Nimda.A@mm. The file is repaired.

The file "C:\program files\norton antivirus\quarantine\incoming\ap1.html" is infected with W32.Nimda.A@mm. The file is repaired.

W32.Nimda.A@mm has been successfully removed
from your computer!

The total number of the scanned files: 45008
The number of deleted files: 0
The number of repaired files: 3
The number of viral processes terminated: 0
The Guest account was removed from the administrators group: NO
The Guest account was disabled: YES
The number of shares found: 6
The number of shares secured for administrator use only: 6
The number of registry keys deleted: 0

LVL 17

Accepted Solution

by:
Wakeup earned 100 total points
ID: 7074491
Well, then it was on your system and was removed by Norton, according to the event logs. They may not have been active or memory-resident, but they did reside on your computer at one point in time, since 3 of the files on your machine have been repaired.

Also, I do not understand what kind of help you need. If the viruses have since been removed, my suggestion is to get a firewall up. That may help as well, like ZoneAlarm or Norton Internet Security. There are lots of backdoor Trojans and the like that this so-called hacker may have used to access your system, and he may have gotten Nimda onto your machine via those backdoor Trojans.

LVL 17

Expert Comment

by:Wakeup
ID: 7074496
Here are some things to try:
Trojan Remover
http://www.simplysup.com/tremover/

www.zonealarm.com
free download for personal use

LVL 1

Author Comment

by:drno007
ID: 7074858
I am accepting this comment and reinstalling my PC. Also going to install that firewall.

thanks for the help.
LVL 17

Expert Comment

by:Wakeup
ID: 7074929
Why a C grade? Is there something that I did not answer? Also, you didn't give me any chance of getting a better grade. I asked what you were asking...
LVL 1

Author Comment

by:drno007
ID: 7075427
The question was: how did he manage to start the telnet server service remotely? He obviously tried to get it started a few times before he succeeded, as indicated by the event log. Once that is done it would only be a matter of seconds before he could TFTP the small programs to my PC.

Also, I hate firewalls. Only a bunch of false alarms.
A huge marketing scam, in my opinion.

The C grade may have been unfair, but I am very tired from staying up until 3:00 am and getting up again at 7:30 am.

Sorry, I'll make it up to you next time, OK?
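The event log in the question and the follow-up about how the telnet service got started both come down to reading that log as a timeline. The script below is an added example, not code from this thread or from any of its participants. It parses a constructed subset of the question's log (same events, paths and timestamps, with Norton's "description for Event ID ... cannot be found" boilerplate trimmed and one fewer 4000 line), rejoins the wrapped file-path lines, restores chronological order (Event Viewer lists newest first), and applies three rules: AV detections and whether the file was repaired, bursts of TlntSvr 4000 "cannot create shell process" errors, and TlntSvr start/stop events. The burst window (10 s), the threshold (5) and every function name are this example's own assumptions. Because the 4000 errors are written by TlntSvr itself, the script also checks whether such errors precede the first logged start; in this log they do (04:13:56 versus 04:20:07), so the service was already running when the start event the question asks about was written, which makes that event a restart rather than the first start.

```python
"""Timeline and detection rules over the event log pasted in the question.
Added example, not code from the thread. SAMPLE_LOG is a constructed subset of that
log (Norton's "description ... cannot be found" boilerplate trimmed); the burst
window/threshold and the function names are this example's own assumptions."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""2002-05-11      05:39:00      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11      04:20:53      TlntSvr      Information      None      1001      N/A      HOMEPC1      The MS Telnet Service has shut down successfully.
2002-05-11      04:20:07      TlntSvr      Information      None      1000      N/A      HOMEPC1      The MS Telnet Service has started successfully.
2002-05-11      04:14:03      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:02      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:01      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:14:00      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      04:13:56      TlntSvr      Error      None      4000      N/A      HOMEPC1      An error occurred while attempting to create shell process.
2002-05-11      03:31:22      FrontPage 4.0      Warning      None      1000      N/A      HOMEPC1      Microsoft FrontPage Server Extensions:
   error #50001 message: there is no environment variabel of type SERVER_PORT.
2002-05-11      01:37:45      Norton AntiVirus      Error      (1)      4097      NT AUTHORITY\SYSTEM      HOMEPC1      The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
"""

# Export columns: date, time, source, type, category, event id, user, computer, message.
# Source and user may contain spaces ("Norton AntiVirus", "NT AUTHORITY\SYSTEM"), so the
# pattern anchors on the type keyword and on the DOMAIN\user backslash instead of splitting.
HEADER = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<source>.+?)\s+(?P<type>Error|Warning|Information)\s+"
    r"(?P<category>\S+)\s+(?P<event_id>\d+)\s+"
    r"(?P<user>N/A|.+?\\\S+)\s+(?P<computer>\S+)\s+(?P<message>.*)$"
)
DETECTION = re.compile(r"The file\s+(?P<path>.+?)\s+(?:is|was) infected with the (?P<name>W32\.Nimda\S*)")


def parse_events(text):
    """Chronological event dicts; a line without a leading date is a wrapped continuation."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line.rstrip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            ev["when"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
            events.append(ev)
        elif events:
            events[-1]["message"] += " " + line.strip()  # file path / wrapped text
        else:
            raise ValueError(f"continuation line before any event: {line!r}")
    return sorted(events, key=lambda e: e["when"])  # Event Viewer lists newest first


def malware_hits(events):
    """(when, signature, path, repaired) for every AV detection in the log."""
    hits = []
    for e in events:
        m = DETECTION.search(e["message"])
        if m:
            hits.append((e["when"], m["name"], m["path"], "repaired" in e["message"]))
    return hits


def telnet_events(events, *event_ids):
    # Key on (source, id): FrontPage 4.0 also logs event id 1000 on this machine.
    return [e for e in events if e["source"] == "TlntSvr" and e["event_id"] in event_ids]


def shell_failure_bursts(events, window=timedelta(seconds=10), threshold=5):
    """Runs of TlntSvr 4000 errors spaced at most `window` apart; `threshold` or more
    of them in one run means repeated telnet sessions, not a single accident."""
    bursts, run = [], []
    for e in telnet_events(events, 4000):
        if run and e["when"] - run[-1] > window:
            if len(run) >= threshold:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(e["when"])
    if len(run) >= threshold:
        bursts.append((run[0], run[-1], len(run)))
    return bursts


def service_timeline(events):
    return [(e["when"], "started" if e["event_id"] == 1000 else "stopped")
            for e in telnet_events(events, 1000, 1001)]


def running_before_logged_start(events):
    """True when TlntSvr wrote errors before its first logged start: the service was
    already running then, so that start event is a restart, not the initial start."""
    errs, starts = telnet_events(events, 4000), telnet_events(events, 1000)
    return bool(errs and starts and errs[0]["when"] < starts[0]["when"])


def analyse(text):
    events = parse_events(text)
    findings = [f"{w} AV: {n} in {p} ({'repaired' if r else 'NOT repaired'})"
                for w, n, p, r in malware_hits(events)]
    findings += [f"{a}..{b} telnet: {n} shell-creation failures (repeated sessions)"
                 for a, b, n in shell_failure_bursts(events)]
    findings += [f"{w} telnet: service {s}" for w, s in service_timeline(events)]
    if running_before_logged_start(events):
        findings.append("telnet: errors precede the first logged start, so that start is a restart")
    return {"events": len(events), "findings": findings, "malware": malware_hits(events),
            "bursts": shell_failure_bursts(events), "service": service_timeline(events)}


if __name__ == "__main__":
    for line in analyse(SAMPLE_LOG)["findings"]:
        print(line)
```

Running the script prints the findings in order. The rules key on the (source, event id) pair rather than the id alone because FrontPage 4.0 on this machine also logs event id 1000, which would otherwise be counted as a telnet start. The same functions accept any text in this export format, so the complete log from the question can be pasted into SAMPLE_LOG unchanged; the parser tolerates the full Norton boilerplate because the detection pattern searches for the first "The file ... infected with" phrase in each message.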
LVL 1

Author Comment

by:drno007
ID: 7075473
Also, a translation of this page would be fun to have.

http://ddjia.51.net/hebackwenzhan/page1/wenzhanmulu21.htm