Solved

Haxored

Posted on 2006-10-23
Last Modified: 2010-08-05
I subscribe to a specialist forum and have just received an email advising me that a new message has been posted. When I clicked on the link in the email, a web page opens up advising that I have been ‘haxored’ which I gather means hacked.
This page as far as I can tell is genuine in the sense that when I try to get into the forum via its home website address, I still get this same ‘haxored’ page. There is no problem when I access other websites or forums I subscribe to (e.g. this one).

Can someone tell me if it is my PC or the forum’s server that has been hacked, and if it is my PC, what I should do?

PS My PC acquired an adware infection a few days ago, though I don’t think the 2 problems are related as the haxored forum site was working OK until last night.
Question by:grandsire02
10 Comments
LVL 8

Expert Comment

by:mugman21
ID: 17787402
Please post the links.

Wish there was more info to go on... One preliminary thing you could try is to do a date/time search on your PC. Look for files changed/modified on your drive about the time you received the email. This isn't 100%, but it is a fairly easy thing to do.

Sorry, but there isn't enough to go on here... are you just worried, or are you having a problem with your system since this event?

m.

Author Comment

by:grandsire02
ID: 17787464
Herewith link: http://www.xequte.com/forum/topic.asp?TOPIC_ID=1958

Incidentally, the format of the page seems to change each time I go into it i.e. to start with it was bright green, now it's grey, and now there's no mention of the word 'haxored' etc. The rest of the www.xequte.com website appears to be functioning normally.

How do I look for the changes on my drive you mention?

I am a bit worried in case my PC security has been compromised, but also I was expecting a message on this forum (which presumably was posted) and I would like to pick it up.

If it's any help, I've also run a Hijackthis scan and I'm repeating the logfile for you:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:27, on 23/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Registry Cleaner Trial\RCSystemTray.exe
C:\Documents and Settings\Ronald\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConceal Anonymizer\ProxyNew.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner Trial\RCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rdrextra] C:\DOCUME~1\Ronald\APPLIC~1\BOOKME~1\Soap 32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &StealthBid - http://www.stealthbid.com/Toolbar/ContextMenu.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O9 - Extra 'Tools' menuitem: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {271BEE78-FBBE-43D7-980B-58B5F53E34A7} (StealthBid Class) - http://www.stealthbid.com/Toolbar/IQStealthBid.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F9D} (OC web Installer) - http://www.eastmediagroup.com/apps/objectCubeInstall.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129289955437
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF1D5B38-4EF7-4819-9AD4-28332AB0B582}: NameServer = 205.188.146.145
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Com


Hope this gives you more to go on.
LVL 8

Expert Comment

by:jako
ID: 17787519
Soap 32.exe, which you have in your autorun ([rdrextra]), is highly suspicious. Even if you weren't h4x0red and it was a lame joke on the webpage, you should examine carefully what you run on your machine. Also the iexplore from the c:\progra~1\intern~1\ catalog, which might or might not be legit.
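A defender-side triage of the O4 autorun entries jako is pointing at, written as an added example for this thread (it is not code from the thread, from HijackThis or from any poster): it parses O4 lines in the HijackThis format, takes a few of the lines from the log above as sample input, and flags the properties that make Soap 32.exe stand out: a start-up program running from the user's own profile directory, 8.3 short names in the path, an unquoted path containing a space, and bare file names with no directory at all. The flag names and helper functions are my own.

```python
import re
from typing import Dict, List

# Sample input: O4 lines taken verbatim from the HijackThis log posted above (nothing constructed).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rdrextra] C:\DOCUME~1\Ronald\APPLIC~1\BOOKME~1\Soap 32.exe
"""

# HijackThis O4 layout: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")


def command_image(cmd: str) -> str:
    """Return the executable part of an autorun command line (quoted path, or text up to .exe)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def flags_for(image: str, cmd: str) -> List[str]:
    """Triage flags (my own names) for one autorun image; an empty list means nothing stood out."""
    flags: List[str] = []
    low = image.lower()
    if "\\" not in image:
        flags.append("no-path")  # bare file name: resolved through the search path at logon
    if "docume~1" in low or "documents and settings" in low:
        flags.append("user-profile")  # starts from a user-writable profile directory
    if "~" in image:
        flags.append("8.3-short-name")  # short names hide the real directory names
    if " " in image and not cmd.startswith('"'):
        flags.append("unquoted-space")  # command line with a space but no quotes
    return flags


def triage_o4(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4 line in a HijackThis log and attach triage flags to each entry."""
    entries: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        image = command_image(cmd)
        entries.append({"hive": hive, "name": name, "image": image, "flags": flags_for(image, cmd)})
    return entries


def suspicious(log_text: str) -> List[Dict[str, object]]:
    """Only the entries that raised at least one flag, in log order."""
    return [e for e in triage_o4(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in triage_o4(SAMPLE_O4):
        print(("!! " if e["flags"] else "   ") + f"{e['hive']} [{e['name']}] {e['image']} {', '.join(e['flags'])}")
```

Flagged entries are leads for a manual look (file properties, publisher, creation time), not a verdict; gsicon.exe and dslagent.exe are flagged only because they are started by bare name.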
LVL 8

Expert Comment

by:mugman21
ID: 17787551
Searching the drive: I was referring to your start menu "search" tool. You can use it to search for all files modified within the last day. You can then examine the time stamps on them and see if anything matches about the time you were at this site.

From looking at your HijackThis log, it appears you're running XP. If you're worried about that site dropping some garbage on your system, roll back with System Restore to a few days ago.

Regarding the site, I didn't see anything malicious there, nor was I alerted to any threads or processes being created on my system while browsing around there.

Author Comment

by:grandsire02
ID: 17788405
1. Searching the drive - I ran this but not sure what to look for - there are 800 file change events listed on my PC over the past 36 hours!
2. Deleted the Soap 32 application but not sure what to do about the c:\progra~1\intern~1\ catalog
3. The 'haxored' page has now disappeared from http://www.xequte.com/forum/topic.asp?TOPIC_ID=1958 - all I now get is the I.E. 'The page cannot be displayed' page.
4. Windows will not let me do a system restore ('Restoration failed') - I've tried it with 2 separate dates.
5. The pop-up ads seem to be getting more frequent - perhaps there is a connection?

I seem to be taking one step forward and two back!
LVL 8

Expert Comment

by:jako
ID: 17788437
No. 3 further instills my hunch that instead of you personally, the forum on xequte's website was h4x0red and defaced. No wonder too, it was built on top of an .mdf file and probably infrequently patched IIS5 (http://toolbar.netcraft.com/site_report?url=http://www.xequte.com).

Author Comment

by:grandsire02
ID: 17788995
Any thoughts on Points 4 and 5 which are now worrying me more?
LVL 8

Accepted Solution

by:mugman21 (earned 225 total points)
ID: 17789050
System Restore could be hampered due to malware or system corruption.... both are valid things to think about.

Try a repair: from a cmd prompt do a sfc /scannow.

To do that, go to the start menu and click RUN. Next, type in "cmd" and you'll get a DOS style looking window. In that window, type "SFC /SCANNOW". You might need your OS install CD so make sure that's near. After sfc completes, try System Restore again.

If this works for you, pop-ups should be reduced if you had adware installed. If not, then we can go from there.

m.
LVL 8

Expert Comment

by:jako
ID: 17789060
On 4/5, seek out the RPGGamerGirl comments here on malware hunting -- she's the specialist.

Author Comment

by:grandsire02
ID: 17795101
The sfc /scannow seems to have cured the pop-up problem - not a single one since, and my PC seems to be running far more briskly than of late! The Xequte forum is closed today 'for maintenance' which seems to bear out that the original problem was not my PC but their website that was hacked. I'll now leave well alone and thank you guys for your helpful advice.