drno007
asked on
Hacked!
Hi experts,
I found some strange programs running on my pc and started to investigate, this is what I found:
Small program for remote controlling the PC from http://www.dameware.com (72kb) dntus26.exe
Small program for ftp-server tasksrv.exe (22kb)
Question: How the heck did he get them there?
I am not running any servers on my pc. And no I have not surfed to the Nimda infected pages.
How did he start the telnet service remotely?
Below is from the eventlog.
Thanks in advance.
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11 04:20:53 TlntSvr Information None 1001 N/A HOMEPC1 The MS Telnet Service has shut down successfully.
2002-05-11 04:20:07 TlntSvr Information None 1000 N/A HOMEPC1 The MS Telnet Service has started successfully.
2002-05-11 04:14:03 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:14:02 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:14:02 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:14:02 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:14:01 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:14:01 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:14:00 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:13:59 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:13:56 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 03:31:22 FrontPage 4.0 Warning None 1000 N/A HOMEPC1 Microsoft FrontPage Server Extensions:
error #50001 message: there is no environment variable of type SERVER_PORT.
2002-05-11 03:27:55 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11 03:22:58 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11 01:37:54 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11 01:37:54 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMH0YNG2\wbk19D.tmp
is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11 01:37:53 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11 01:37:53 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11 01:37:52 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11 01:37:52 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11 01:37:52 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11 01:37:52 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\readme[1].eml
is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11 01:37:45 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The description for Event ID ( 4097 ) in Source ( Norton AntiVirus ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: The file
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm
was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
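Reading the posted log as a responder would, here is an added example (not code from the original post, nor from Norton, DameWare or Microsoft): a Python script that parses the Event Viewer text-export format shown above, puts the records back into chronological order, and pulls out the two things worth noticing in this log: the Nimda files Norton could not repair, and the run of TlntSvr 4000 "create shell process" errors that sit just before the Telnet service reports a successful start (event 1000). The sample records are constructed from the lines above, with Norton's "description cannot be found" boilerplate trimmed and the line-wrapped paths rejoined; the field names, the 15-minute correlation window and the function names are this example's own choices.

```python
"""Timeline and triage for a Windows NT/2000 Event Viewer text export.

Added example, not code from the original post. SAMPLE_LOG is constructed
from the posted records (Norton boilerplate trimmed, wrapped paths rejoined).
"""
import re
from datetime import datetime, timedelta

# Source names may contain spaces ("Norton AntiVirus", "FrontPage 4.0"),
# so the fixed Type column (Error/Warning/Information) anchors the split.
_RECORD = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<source>.+?) (?P<type>Error|Warning|Information) "
    r"(?P<category>\S+) (?P<event_id>\d+) "
    r"(?P<user>NT AUTHORITY\\\S+|\S+) (?P<computer>\S+) (?P<description>.*)$"
)
# Norton's per-file message: "The file <path> is|was infected with the <name> virus."
_AV_FILE = re.compile(
    r"The file (?P<path>.+?) (?:is|was) infected with the (?P<virus>.+?) virus"
)

TELNET_SOURCE = "TlntSvr"
TELNET_STARTED, TELNET_STOPPED, TELNET_SHELL_ERROR = 1000, 1001, 4000


def parse_event(line):
    """Parse one export line; return None for blank or continuation lines."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    av = _AV_FILE.search(ev["description"])
    if av:
        ev["path"], ev["virus"] = av.group("path"), av.group("virus")
        ev["repaired"] = "was repaired" in ev["description"]
    return ev


def parse_log(text):
    """Event Viewer exports newest-first; return the records oldest-first."""
    events = [e for e in (parse_event(ln) for ln in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def triage(events, window=timedelta(minutes=15)):
    """Summarise unrepaired malware and Telnet service activity."""
    detections = [e for e in events if "virus" in e]
    telnet = [e for e in events if e["source"] == TELNET_SOURCE]
    sessions = []
    for start in (e for e in telnet if e["event_id"] == TELNET_STARTED):
        # Failed shell spawns right before a successful start are worth a
        # look: they are consistent with repeated attempts to bring it up.
        errors = [e for e in telnet if e["event_id"] == TELNET_SHELL_ERROR
                  and start["ts"] - window <= e["ts"] < start["ts"]]
        stop = next((e for e in telnet if e["event_id"] == TELNET_STOPPED
                     and e["ts"] > start["ts"]), None)
        sessions.append({"started": start["ts"],
                         "stopped": stop["ts"] if stop else None,
                         "shell_errors_before_start": len(errors)})
    return {
        "detections": len(detections),
        "viruses": sorted({e["virus"] for e in detections}),
        "unrepaired_files": sorted({e["path"] for e in detections if not e["repaired"]}),
        "telnet_sessions": sessions,
    }


# Constructed sample, condensed from the posted event log (newest first).
SAMPLE_LOG = r"""
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp is infected with the W32.Nimda.A@mm (dr) virus.; Access to the file was denied..
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EXXPQOHR\wbk24A.tmp is infected with the W32.Nimda.A@mm (dr) virus.; Unable to repair this file..
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml is infected with the W32.Nimda.enc virus.; Access to the file was denied..
2002-05-11 05:39:00 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\readme[1].eml is infected with the W32.Nimda.enc virus.; Unable to repair this file..
2002-05-11 04:20:53 TlntSvr Information None 1001 N/A HOMEPC1 The MS Telnet Service has shut down successfully.
2002-05-11 04:20:07 TlntSvr Information None 1000 N/A HOMEPC1 The MS Telnet Service has started successfully.
2002-05-11 04:14:03 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:14:00 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 04:13:56 TlntSvr Error None 4000 N/A HOMEPC1 An error occurred while attempting to create shell process.
2002-05-11 03:31:22 FrontPage 4.0 Warning None 1000 N/A HOMEPC1 Microsoft FrontPage Server Extensions: error #50001 message: there is no environment variable of type SERVER_PORT.
2002-05-11 03:27:55 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir\_vti_inf.html was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
2002-05-11 01:37:45 Norton AntiVirus Error (1) 4097 NT AUTHORITY\SYSTEM HOMEPC1 The file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJGFKXU3\170.143.172[1].htm was infected with the W32.Nimda.A@mm(html) virus.; The file was repaired..
"""


def run_sample():
    """Triage the constructed sample; returns the summary dict."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["ts"], ev["source"], ev["event_id"], ev.get("virus", ""), ev.get("path", ""))
    print(run_sample())
```

On the sample the summary reports six Nimda detections across three signature names, two files Norton could neither repair nor delete (the `.tmp` dropper and the `readme[1].eml` in Temporary Internet Files), and one Telnet session preceded by three failed shell spawns. Note that the FrontPage event also carries ID 1000, which is why the Telnet logic filters on the `TlntSvr` source and not on the ID alone.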
ASKER
Nimda has never been active on my pc.
These are the files caught by norton as indicated in the previous eventlog.
The file "C:\program files\norton antivirus\quarantine\incoming\ap0.htm" is infected with W32.Nimda.A@mm. The file is repaired.
The file "C:\program files\norton antivirus\quarantine\incoming\ap0.html" is infected with W32.Nimda.A@mm. The file is repaired.
The file "C:\program files\norton antivirus\quarantine\incoming\ap1.html" is infected with W32.Nimda.A@mm. The file is repaired.
W32.Nimda.A@mm has been successfully removed
from your computer!
The total number of the scanned files: 45008
The number of deleted files: 0
The number of repaired files: 3
The number of viral processes terminated: 0
The Guest account was removed from the administrators group: NO
The Guest account was disabled: YES
The number of shares found: 6
The number of shares secured for administrator use only: 6
The number of registry keys deleted: 0
ASKER CERTIFIED SOLUTION
Here are some things to try:
trojan remover
http://www.simplysup.com/tremover/
www.zonealarm.com
free download for personal use
ASKER
I am accepting this comment and reinstalling my pc. Also going to install that firewall.
thanks for the help.
Why a C grade? Is there something that I did not answer? Also you didn't give me any chance of getting a better grade. I asked what you were asking.....
ASKER
The question was: how did he manage to start the telnet server service remotely? He obviously tried to get it started a few times before he succeeded, as indicated by the eventlog. Once that is done it would only be a matter of seconds before he could tftp the small programs to my pc.
Also I hate firewalls. Only a bunch of false alarms.
A huge marketing scam in my opinion.
The C grade may have been unfair, but I am very tired from staying up until 3:00am and getting up again 7:30am.
Sorry, make it up to next time, OK?
ASKER
Also a translation of this page would be fun to have.
http://ddjia.51.net/hebackwenzhan/page1/wenzhanmulu21.htm
You dont need to have a server or anything to get Nimda. You can be infected from just opening an email. Do you need to get this Nimda Virus removed?
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html
Go there and follow the instructions!
I would double, triple, quadruple check to make sure it is gone.