Solved

Friend is being hacked, keylogs, breaks passwords, copies IM's and they have no ip to trace

Posted on 2003-10-22
14
3,385 Views
Last Modified: 2013-11-16
Hi. A friend is having real trouble with a hacker. They have stolen passwords, monitoring IM's etc. We believe it is a keylogging program. We were told there is no way to get rid of it because it is a spyder in the system. They also use AIM, and it seems when the hacker "takes over" the account, it knocks them offline.  Any suggestions to remove this, and to catch the person doing it? Thanks in advance.
0
Question by:Serendipity14
14 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9601602
Ask him to install and run these programs:

SpyBot-S&D

SpyBot-S&D is an adware and spyware detection and removal tool. This includes removal of certain advertising components that may gather statistics, as well as detection of various keylogging and other spy utilities. In addition, it also securely removes PC and Internet usage tracks, including browser history, temporary pages, cookies (with the option to keep selected ones) and more. The program offers an attractive Outlook-style interface that is easy to use and multi-lingual. SpyBot-S&D allows you to exclude selected cookies, programs or extensions from being reported, allowing you to prevent false positive messages for items that you don't want to be alerted about every time. It can even scan your download directory for files that have been downloaded but not yet installed, allowing you to detect unwanted programs before you even install them. SpyBot produces a detailed and easy to understand report before it deletes any files and allows you to deselect any item that you do not want to be processed. In addition, a recovery feature allows you to restore your settings if needed. Very nice tool, that exceeds the capabilities of the popular Ad-Aware application.

http://www.webattack.com/download/dlspybot.shtml

Ad-aware

Ad-aware is a privacy tool that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components. It then lists the results and offers to remove or quarantine the components. The program detects a wide range of adware/spyware related issues and can be updated with the latest signatures via the built-in update utility. Please be advised that removing certain components may impact the functionality of affected software applications. You should fully read the included Ad-aware documentation before removing any files!

http://www.webattack.com/download/dladaware.shtml


HijackThis

HijackThis is a tool that lists all installed browser add-ons, buttons and startup items and allows you to inspect them, and optionally remove selected items. The program can create a backup of your original settings and also ignore selected items. Additional features include a simple list of all startup items, default start page, online updates and more. Intended for advanced users.

http://www.webattack.com/download/dlhijackthis.shtml

Keylogger Hunter

Keylogger Hunter is a program that attempts to detect any keyloggers that may be running on your computer. It performs a system analysis, which takes about 3-5 minutes and then produces a list of suspicious files (if any). It detected 2 out of 3 running keyloggers in our test. Future versions are planned to be shareware.

http://www.webattack.com/download/dlklhunter.shtml

KL-Detector

KL-Detector is designed to provide a way to find out whether your activity is being recorded with a keylogger application. It uses the fact that most keyloggers create a hidden log file on your hard drive and therefore scans for any suspicious activity during a test period that you have to initiate. Basically, it asks you to use the keyboard for several minutes, type some text or do similar activities, while it is monitoring your system to check if it can detect any suspicious logging activity. KL-Detector is intended for occasional use and not as a permanently running program, as normal PC activity may cause false positives. During our test, it did detect changes in a keylogger log file (that we installed), but it did not find the activity suspicious enough to warn us. Advanced users may get value by inspecting the logged items, however novice users should not rely on the results.

http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free

XCleaner is a privacy tool suite that detects and removes installed spyware and adware components and includes tools to securely delete files, edit the registry, disable startup programs and more. Additional features include IE home page protection, cookie, cache and history cleaning, built-in password generator and more. This free version also contains some additional feature options, however they are disabled and require upgrade to a full version. The spyware and adware scanning as well as many cleaning features however can be used freely.

http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster

SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage. This allows you to run Internet Explorer with ActiveX enabled, but it will never download or even prompt you for any of the known ActiveX controls. All other ActiveX controls or plug-ins will work fine. The SpywareBlaster database contains information on these known spyware ActiveX controls and can be updated with the click of a button. The application window displays a list of all controls that it is able to detect (this is not a list of what was found on your computer). The program cannot detect if you have any of the known objects already installed, but if you do, they will be disabled. The program also allows you to take a snapshot of your computer (certain settings) in its clean state and later revert many changes made by spyware and browser hijackers.

http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard

SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected. If this is the case, it initially blocks access to the file and then allows the user to select an action. SpywareGuard provides a fast scanning engine, signature-based scanning, heuristic/generic scanning, a control panel, and an online-update utility for downloading of definition updates. It does not replace your anti-virus protection, but instead detects programs that may cause privacy concerns. The list of detected programs includes AdBreak, AdultLinks/LinkZZ, Brilliant Digital, CommonName, Cytron, FreeScratchAndWin, FriendGreetings, HighTraffic, HotBar, IEDisco, iGetNet, Lop.com, MoneyTree Dialer and others.

http://www.webattack.com/download/dlspywareguard.shtml


SpySites

SpySites allows you to manage the Internet Explorer Restricted Zone settings and easily add entries from a database of 1500+ sites that are known to use advertising tracking methods or attempt to install third party software. You can select the sites from the list, or optionally add all of them, or only the "worst offenders". The program then adds the URLs to the IE Restricted Zone settings. Once configured, there is no need to run the program again, unless you want to add additional sites.

http://www.webattack.com/download/dlspysites.shtml


Sunray
0
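The KL-Detector entry above describes a detection idea rather than a signature: snapshot the files on the disk, have the user type for a test period, snapshot again, and see which files grew or changed while nothing but keyboard activity was expected. The script below is an added illustration of that technique and is not code from the thread or from KL-Detector. It builds a constructed temporary directory with one quiet file and one file that is appended to during the "typing" period, so it runs offline; the file names and the `fake_typing` stand-in are assumptions. In real use you would point `run_test_period` at the system drive and actually type while it waits, and as the entry notes, normal PC activity (browser caches, event logs) will show up too, so the result is a list of files to inspect, not a verdict.

```python
"""Added example: file-change monitoring during a typing test, the heuristic
the KL-Detector description above relies on. Not the product's own code."""
import os
import tempfile
import time
from typing import Callable, Dict, List, Optional, Tuple

Snapshot = Dict[str, Tuple[int, float]]  # path -> (size, mtime)


def snapshot(root: str) -> Snapshot:
    """Record size and modification time of every regular file under root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is locked; skip it
            snap[path] = (st.st_size, st.st_mtime)
    return snap


def changed_files(before: Snapshot, after: Snapshot) -> List[str]:
    """Files that appeared, grew, or were rewritten between the two snapshots.

    A growing file is the interesting case: a keylogger appending keystrokes
    makes its log larger every time the user types."""
    suspects = []
    for path, (size, mtime) in after.items():
        if path not in before:
            suspects.append(path)  # created during the test period
            continue
        old_size, old_mtime = before[path]
        if size > old_size or mtime != old_mtime:
            suspects.append(path)  # written to while we were typing
    return sorted(suspects)


def run_test_period(root: str, seconds: float,
                    activity: Optional[Callable[[], None]] = None) -> List[str]:
    """Snapshot, wait (or run `activity` as a stand-in for typing), snapshot, diff."""
    before = snapshot(root)
    if activity is not None:
        activity()           # constructed stand-in for the user typing
    else:
        time.sleep(seconds)  # real use: type normally while this runs
    after = snapshot(root)
    return changed_files(before, after)


def demo() -> List[str]:
    """Constructed scenario: a quiet file and a hidden file that grows while typing."""
    root = tempfile.mkdtemp(prefix="kldemo_")
    quiet = os.path.join(root, "readme.txt")
    hidden_log = os.path.join(root, ".sys_cache.dat")  # assumed name for the demo
    with open(quiet, "w") as f:
        f.write("unchanged\n")
    with open(hidden_log, "w") as f:
        f.write("")

    def fake_typing() -> None:
        # Stand-in for a logger appending keystrokes to its file during the test.
        with open(hidden_log, "a") as f:
            f.write("hello world\n")

    return [os.path.basename(p) for p in run_test_period(root, 0, fake_typing)]


if __name__ == "__main__":
    print("files that changed during the typing test:", demo())
```

The size comparison matters more than the timestamp: on FAT-era file systems mtime resolution is two seconds, so a file created and appended within the same second may keep the same mtime, but its size still grows.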
 
LVL 49

Accepted Solution

by: sunray_2003 (earned 50 total points)
ID: 9601614
Also have him install firewall for better protection like zonealarm

Ask him not to store passwords in his computer (disable "remember password").

Ask him to download this software to check for trojans (Trojan Remover).

Update the virus definitions and scan for viruses

Sunray
0
 

Author Comment

by:Serendipity14
ID: 9601733
He did all that and it comes up with nothing. This hacker comes onto IM and threatens him and says he is watching. It appears to be in the system and untraceable.
0
 
LVL 2

Expert Comment

by:sh00t3r
ID: 9602007
Here's an idea...

Reformat the entire box and reinstall the OS. Use different usernames/passwords for ALL internet related activity: email, IM, etc. That's the only way you'll be 100% sure that everything is removed.

0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9602311
>>  This hacker comes onto IM and threatens him and says he is watching. It appears to be in the system and untraceable.

Test him. I do not agree with what he is saying. Maybe he is fooling your friend. Ignore and delete his contact in IM.


Sunray
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 9603703

Sunray does it again! Yeah, sounds to me like the guy threatening is just a moron. When I was moderating a chat server a few years back we'd see these kinds of threats all the time. Usually came to nothing. Often turns out the instigator has a chip on their shoulder because they failed computing 101 in junior school.

The best thing I can recommend is if your friend is using XP, start with going into advanced TCP/IP options and switching on the built-in firewall, otherwise use zonealarm or something like that as Sunray suggested. I can't speak for zonealarm but some have built in IDS functionality which can give you the source address and type of attack.

Also get him to run netstat -a at the command prompt to see what open connections there are to the machine - look for something strange. Look for direct connections to broadband service providers - a typical one would be something like ip-201.31.45.67.netvigator.com (netvigator being a local ISP here) or something like that.

Your friend should only have direct outbound connections unless he is using something like Kazaa etc.

I can't suggest that you post the full output of netstat -a to this forum as someone may use it malignantly; however you can post it if you replace all mention of your friend's machine name and IP with x's and y's etc.

If you find a suspect IP or a few suspect IPs check back with us here and we can tell you how to find out where they are and what you can do about it. This kind of behaviour is nothing more than online bullying and it annoys me intensely. Let's get 'em.

0
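ferg-o's advice above has three parts: read `netstat -a`, pick out connections that should not be there (inbound ones, and foreign hosts with the residential-ISP reverse-DNS look of `ip-201.31.45.67.netvigator.com`), and redact the friend's machine name before posting the listing. The script below is an added example of doing that triage, not code from the thread; the `netstat -a` listing it parses is constructed in the Windows XP layout with made-up host names and documentation-range addresses (192.0.2.x, 203.0.113.x). The "inbound" heuristic is mine: an ESTABLISHED row whose local port also appears in a LISTENING row was accepted by this machine rather than initiated by it, which is exactly the "only outbound unless he runs Kazaa" rule ferg-o gives.

```python
"""Added example: triage a `netstat -a` listing for inbound or ISP-style foreign
connections and redact the local machine name before sharing. Sample data is
constructed; host names and addresses are not real."""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed listing in the Windows XP `netstat -a` layout (ports are shown
# by service name where Windows would resolve them, e.g. epmap, http).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    FRIENDPC:epmap         FRIENDPC:0             LISTENING
  TCP    FRIENDPC:microsoft-ds  FRIENDPC:0             LISTENING
  TCP    FRIENDPC:5000          FRIENDPC:0             LISTENING
  TCP    FRIENDPC:1042          192.0.2.10:5190        ESTABLISHED
  TCP    FRIENDPC:1051          www.example.com:http   ESTABLISHED
  TCP    FRIENDPC:5000          ip-203-0-113-67.example-isp.net:3421  ESTABLISHED
  UDP    FRIENDPC:137           *:*
"""


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: str  # empty for UDP rows, which carry no state column


def parse_netstat(text: str) -> List[Conn]:
    """Parse TCP/UDP rows; the banner, header and blank lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], lhost, lport, fhost, fport, state))
    return conns


def listening_ports(conns: List[Conn]) -> Set[str]:
    """Local ports this machine accepts connections on."""
    return {c.local_port for c in conns if c.state == "LISTENING"}


# Reverse-DNS names that embed the customer's IP, e.g. ip-201-31-45-67.isp.net
# or 201.31.45.67.dyn.isp.net: typical of broadband/dial-up customer pools.
EMBEDDED_IP = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}\.")


def suspicious(conns: List[Conn]) -> List[Conn]:
    """ESTABLISHED rows that are inbound (local port is one we listen on) or
    whose foreign host looks like an ISP customer address."""
    listen = listening_ports(conns)
    flagged = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        inbound = c.local_port in listen
        isp_style = EMBEDDED_IP.search(c.foreign_host) is not None
        if inbound or isp_style:
            flagged.append(c)
    return flagged


def redact(text: str, local_name: str) -> str:
    """Replace the friend's machine name with x's, as suggested, before posting."""
    return re.sub(re.escape(local_name), "x" * len(local_name), text, flags=re.I)


def report(text: str, local_name: str) -> List[str]:
    """Redacted one-line summaries of the suspicious rows, safe to ask about."""
    lines = []
    for c in suspicious(parse_netstat(text)):
        row = f"{c.proto} {c.local_host}:{c.local_port} <- {c.foreign_host}:{c.foreign_port} {c.state}"
        lines.append(redact(row, local_name))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT, "FRIENDPC"):
        print(line)
```

On the sample, the outbound AIM session (local ephemeral port 1042 to port 5190) and the web fetch are left alone, while the connection that arrived at listening port 5000 from an ISP-style host is the one row to bring back to the forum. The heuristic is deliberately noisy: a file-sharing client will also show inbound rows, so the output is a shortlist for a human, not a verdict.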
 

Author Comment

by:Serendipity14
ID: 9604654
Thanks for all your comments. I will pass this all on.  Thanks for taking the time. I will keep you updated.
0
 

Expert Comment

by:DigitalMechanic
ID: 9607303
My answer would be quite simple, use these software:

- ZoneAlarm Pro (firewall)
- BlackICE (firewall)
- SpySweeper (real-time protection)
- Ad-Aware Pro (real-time protection)
- Norton Antivirus (real-time protection)

BlackICE and ZoneAlarm can co-exist no problems, and the other programs can keep monitoring the system; keep in mind that their virus / protection definitions must be up to date in order to keep the system safe.

Scan the system with the scanners, then make sure important files aren't infected, back 'em up, and do a fresh install. I would recommend using some disk wiping software; these will make sure no bad data is left on the HDD. Do a 7 write / delete cycle (or more, but it could take more time); that option is available in the disk wiping / cleaning software.

Goodluck.
0
 

Expert Comment

by:DigitalMechanic
ID: 9607332
Another comment, install BlackICE, ZoneAlarm, NeoTrace (tracing program) / HackTracer.

1) Install BlackICE, ZoneAlarm
2) connect to the internet, and use ZoneAlarm to shut down all internet activities
3) go to BlackICE, clear the evidence log and other logs
4) via ZoneAlarm, re-enable the internet
5) watch BlackICE's main window for types of suspicious attacks.
6) note down the IP address / details
7) launch NeoTrace / hacktracer / tracert, punch in the IP address, trace the hacker using the software.

Maybe that would help?
0
 

Expert Comment

by:Chaser101
ID: 9620654
I downloaded Keylogger Hunter and when I went to do the scan, there's a flashlight scanning, then a window comes up and says:
"Parimeter is incorrect"

what happened and what do I do?

Thanks
0
 

Expert Comment

by:ReanimatedSky
ID: 9623447
The security set up I use is
1)ZoneAlarm firewall (the regular version is even free)
2) Pest Patrol (detects over 15,000 "pests" such as keyloggers, adware, malware, hackers and other spies)
3)Norton anti virus
4)Zone log analyser (reads the firewall logs and can report access attempt for you)

After you have everything set up test your firewall online and make sure it is working correctly.
0
 

Expert Comment

by:m34k
ID: 9631360
All of these suggestions are great, and some cost a lot of coin too...

this is what I use and it's essentially free

-ZoneAlarm (free version)
-Avast Anti-Virus (free, but has a nag every few months to re-register)
-Spybot S&D
-Adaware
I use them both because one will always find things that the other didn't

but I also think these guys are right...it sounds like this guy is just harassing your friend. Best thing to do is try to ignore him...he'll eventually find someone else to annoy.
0
 

Expert Comment

by:ericmagee
ID: 9633890
You may also want to try a product called SpyCop:

http://spycop.com/products.htm

It's an anti-keylogger and anti-spy product!

I've been using it for a while. It's worth a try!
0
 

Expert Comment

by:Chaser101
ID: 9757680
HELP AGAIN!!!!!
I cannot open my Add/Remove Programs... it says it cannot open, Rundll32.exe is missing.

Where can I re-download this from??????

*running Windows 95*


Thank you
0
