Haxored (Solved)

Posted on 2006-10-23. Last Modified: 2010-08-05. 244 Views.
I subscribe to a specialist forum and have just received an email advising me that a new message has been posted. When I clicked on the link in the email, a web page opens up advising that I have been ‘haxored’ which I gather means hacked.
This page as far as I can tell is genuine in the sense that when I try to get into the forum via its home website address, I still get this same ‘haxored’ page. There is no problem when I access other websites or forums I subscribe to (e.g. this one).

Can someone tell me if it is my PC or the forum’s server that has been hacked, and if it is my PC, what I should do?

PS My PC acquired an adware infection a few days ago, though I don’t think the 2 problems are related as the haxored forum site was working OK until last night.
Question by: grandsire02
10 Comments
Expert Comment by: mugman21 (LVL 8)
Please post the links.

Wish there was more info to go on... One preliminary thing you could try is to do a date/time search on your PC. Look for files changed/modified on your drive around the time you received the email. This isn't 100%, but it is a fairly easy thing to do.

Sorry, but there isn't enough to go on here... are you just worried, or are you having a problem with your system since this event?

m.

Author Comment by: grandsire02
Herewith link: http://www.xequte.com/forum/topic.asp?TOPIC_ID=1958

Incidentally, the format of the page seems to change each time I go into it i.e. to start with it was bright green, now it's grey, and now there's no mention of the word 'haxored' etc. The rest of the www.xequte.com website appears to be functioning normally.

How do I look for the changes on my drive you mention?

I am a bit worried in case my PC security has been compromised, but also I was expecting a message on this forum (which presumably was posted) and I would like to pick it up.

If it's any help, I've also run a Hijackthis scan and I'm repeating the logfile for you:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:27, on 23/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Registry Cleaner Trial\RCSystemTray.exe
C:\Documents and Settings\Ronald\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConceal Anonymizer\ProxyNew.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner Trial\RCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rdrextra] C:\DOCUME~1\Ronald\APPLIC~1\BOOKME~1\Soap 32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &StealthBid - http://www.stealthbid.com/Toolbar/ContextMenu.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O9 - Extra 'Tools' menuitem: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {271BEE78-FBBE-43D7-980B-58B5F53E34A7} (StealthBid Class) - http://www.stealthbid.com/Toolbar/IQStealthBid.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F9D} (OC web Installer) - http://www.eastmediagroup.com/apps/objectCubeInstall.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129289955437
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF1D5B38-4EF7-4819-9AD4-28332AB0B582}: NameServer = 205.188.146.145
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Com


Hope this gives you more to go on.

Expert Comment by: jako (LVL 8)
Soap 32.exe, which you have in your autorun ([rdrextra]), is highly suspicious. Even if you weren't h4x0red and it was a lame joke on the webpage, you should examine carefully what you run on your machine. Also the iexplore from the c:\progra~1\intern~1\ catalog, which might or might not be legit.
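A way to apply jako's triage systematically, as an added example (Python written for this page, not a HijackThis feature): parse the sections a HijackThis log emits and flag the patterns a reviewer looks at first: O4 autoruns launched from user-profile folders (the [rdrextra] Soap 32.exe entry), process paths written with 8.3 short names (c:\progra~1\intern~1\iexplore.exe), unnamed or orphaned O2/O3 entries, and an explicit O17 DNS server. The sample input is a handful of lines re-typed from the log posted above; the writable-folder list, the severity levels and the `triage` / `Finding` names are this example's own assumptions, not HijackThis output.

```python
"""Triage a HijackThis-style log: flag autoruns, BHOs/toolbars and DNS
settings that deserve a closer look.  Example code written for this page,
not a HijackThis feature; the heuristics below are stated assumptions."""
import re
from dataclasses import dataclass
from typing import List

# Sample input: a handful of lines re-typed from the log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [rdrextra] C:\DOCUME~1\Ronald\APPLIC~1\BOOKME~1\Soap 32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF1D5B38-4EF7-4819-9AD4-28332AB0B582}: NameServer = 205.188.146.145
"""

# Folders an ordinary user can write to; persistence that needs no admin
# rights typically lands here (heuristic assumed by this example).
USER_WRITABLE = ("documents and settings", "docume~1", "applic~1",
                 "application data", "local settings", "\\temp\\")

ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # "process", "O2", "O3", "O4", "O17"
    severity: str  # "suspicious" (act on it) or "review" (verify by hand)
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if in_processes and entry is None:
            # Process list: an 8.3 short-name path ("progra~1") hides the real
            # folder name; resolve it and compare with the long-name copy.
            if "~" in line:
                findings.append(Finding("process", "review", line,
                                        "8.3 short-name path; confirm it resolves to the real program folder"))
            continue
        in_processes = False
        if entry is None:
            continue
        sec, rest = entry.group("sec"), entry.group("rest")
        if sec in ("O2", "O3"):
            if rest.endswith("(no file)"):
                findings.append(Finding(sec, "review", line,
                                        "orphaned entry, the DLL is gone; safe to remove"))
            elif "(no name)" in rest:
                findings.append(Finding(sec, "review", line,
                                        "unnamed BHO/toolbar; identify the DLL's publisher before trusting it"))
        elif sec == "O4":
            m = O4_RE.match(rest)
            exe = EXE_RE.match(m.group("cmd")) if m else None
            if exe is None:
                continue
            path = exe.group("path").lower()
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(Finding(sec, "suspicious", line,
                                        "autorun launched from a user-profile folder"))
            elif not re.match(r"^[a-z]:\\", path):
                findings.append(Finding(sec, "review", line,
                                        "bare filename resolved through the search path; verify which copy runs"))
        elif sec == "O17":
            findings.append(Finding(sec, "review", line,
                                    "explicit DNS server; confirm the address belongs to your ISP"))
    # Actionable items first; sort is stable so log order is kept within a tier.
    findings.sort(key=lambda f: 0 if f.severity == "suspicious" else 1)
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity == "suspicious"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section:7} {f.reason}\n             {f.line}")
```

The O17 line is flagged only for verification: the script repeats the address as posted and makes no claim about it; compare it with the DNS servers your ISP documents. Likewise the 8.3-path finding is a prompt to resolve the short name, since `progra~1\intern~1` may simply be `Program Files\Internet Explorer`.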
Expert Comment by: mugman21 (LVL 8)
Searching the drive: I was referring to your Start menu "Search" tool. You can use it to search for all files modified within the last day. You can then examine the time stamps on them and see if anything matches about the time you were at this site.

From looking at your HijackThis log, it appears you're running XP. If you're worried about that site dropping some garbage on your system, roll back with System Restore to a few days ago.

Regarding the site, I didn't see anything malicious there, nor was I alerted to any threads or processes being created on my system while browsing around there.
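The modified-files search mugman21 suggests returns far more hits than a person can read through by hand. The following added example (Python written for this page, not something from the thread) narrows it: it walks a tree, keeps only files whose modification time falls inside a window around the incident time, prunes browser-cache and Prefetch folders that churn constantly, and lists executables and DLLs before documents. The directory tree and its timestamps are constructed in a temporary folder so the script runs anywhere; the file names echo the thread but the tree is invented. On the real machine you would call `modified_around` on `C:\` with the time the email link was clicked.

```python
"""Narrow a "files modified recently" search to a window around an incident.
Example code written for this page; the sample tree below is constructed."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Union

# Extensions worth reading first when they appear in the window (assumption).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".bat", ".cmd", ".vbs", ".js"}
# Folder names that churn constantly on XP and bury real changes (assumption).
NOISY_DIRS = ("temporary internet files", "prefetch", "history", "cookies")


@dataclass
class Hit:
    path: Path        # relative to the scanned root
    mtime: datetime
    tier: str         # "executable" or "other"


def modified_around(root: Union[str, Path], incident: datetime,
                    before_minutes: int = 30, after_minutes: int = 120) -> List[Hit]:
    """Return files under root whose mtime lies in [incident-before, incident+after]."""
    root = Path(root)
    start = incident - timedelta(minutes=before_minutes)
    end = incident + timedelta(minutes=after_minutes)
    hits: List[Hit] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune cache folders in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if not any(n in d.lower() for n in NOISY_DIRS)]
        for name in filenames:
            p = Path(dirpath) / name
            try:
                mtime = datetime.fromtimestamp(p.stat().st_mtime)
            except OSError:
                continue  # locked or vanished file: skip rather than abort the scan
            if start <= mtime <= end:
                tier = "executable" if p.suffix.lower() in EXECUTABLE_SUFFIXES else "other"
                hits.append(Hit(p.relative_to(root), mtime, tier))
    # Executables first, then chronological, so the list reads as a timeline.
    hits.sort(key=lambda h: (0 if h.tier == "executable" else 1, h.mtime))
    return hits


def build_sample_tree(root: Path, incident: datetime) -> None:
    """Constructed sample tree: names echo the thread, mtimes are set deliberately."""
    files = {
        "WINDOWS/system32/kernel32.dll": incident - timedelta(days=30),            # old, outside window
        "WINDOWS/system32/HDBHO.dll": incident - timedelta(minutes=10),            # just before
        "Documents and Settings/Ronald/Application Data/BookMe/Soap 32.exe":
            incident + timedelta(minutes=5),                                       # just after
        "Documents and Settings/Ronald/My Documents/letter.doc":
            incident + timedelta(minutes=40),                                      # in window, not executable
        "Documents and Settings/Ronald/Local Settings/Temporary Internet Files/ad.gif":
            incident + timedelta(minutes=1),                                       # pruned as cache noise
        "WINDOWS/Prefetch/IEXPLORE.EXE-1234.pf": incident + timedelta(minutes=2),  # pruned as noise
    }
    for rel, when in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
        os.utime(p, (when.timestamp(), when.timestamp()))


def demo(incident: datetime = datetime(2006, 10, 22, 23, 0)) -> List[Hit]:
    """Build the constructed tree in a temp dir and scan it around the incident time."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, incident)
        return modified_around(root, incident)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.mtime:%Y-%m-%d %H:%M}  {h.tier:10}  {h.path}")
```

Treat the output as a lead, not a verdict: modification times are set by whoever writes the file and can be back-dated, so an empty window does not prove nothing was dropped, and a hit inside it still needs to be checked against what you were doing at that moment.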

Author Comment by: grandsire02
1. Searching the drive - I ran this but I'm not sure what to look for - there are 800 file change events listed on my PC over the past 36 hours!
2. Deleted the Soap 32 application but not sure what to do about the c:\progra~1\intern~1\ catalog
3. The 'haxored' page has now disappeared from http://www.xequte.com/forum/topic.asp?TOPIC_ID=1958 - all I now get is the I.E. 'The page cannot be displayed' page.
4. Windows will not let me do a System Restore ('Restoration failed') - I've tried it with 2 separate dates.
5. The pop-up ads seem to be getting more frequent - perhaps there is a connection?

I seem to be taking one step forward and two back!
Expert Comment by: jako (LVL 8)
Point 3 further instills my hunch that, instead of you personally, the forum on xequte's website was h4x0red and defaced. No wonder too: it was built on top of an .mdf file and probably infrequently patched IIS5 (http://toolbar.netcraft.com/site_report?url=http://www.xequte.com).

Author Comment by: grandsire02
Any thoughts on Points 4 and 5 which are now worrying me more?
Accepted Solution by: mugman21 (LVL 8, earned 225 total points)
System Restore could be hampered due to malware or system corruption... both are valid things to think about.

Try a repair: from a cmd prompt, do a sfc /scannow.

To do that, go to the Start menu and click Run. Next, type in "cmd" and you'll get a DOS-style looking window. In that window, type "SFC /SCANNOW". You might need your OS install CD, so make sure that's near. After sfc completes, try System Restore again.

If this works for you, pop-ups should be reduced if you had adware installed. If not, then we can go from there.

m.

Expert Comment by: jako (LVL 8)
On 4/5, seek out the RPGGamerGirl comments here on malware hunting -- she's the specialist.

Author Comment by: grandsire02
The sfc /scannow seems to have cured the pop-up problem - not a single one since, and my PC seems to be running far more briskly than of late! The Xequte forum is closed today 'for maintenance', which seems to bear out that the original problem was not my PC but their website that was hacked. I'll now leave well alone and thank you guys for your helpful advice.