I am Jacked: A Novel

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Destructo, Jan 16, 2005.

  1. Destructo

    Destructo Corporal

    Hello happy hunters! I thought I was knowledgeable on such subjects until I was hit w/this invisible predicament: I will gladly shower praise upon anyone that at least reads through this page burner!

    Well my sys: winxp pro sp2 (not current w/latest patches) amd64 3200 1 gig lv2 ddr3200 etc....

    Where to start, besides the fact that I am pissed, but please read on because I am really at a loss. Anyway, after I suspected something was fishy I ran through the standard list that is posted here but that's when the problems really began. I hope that someone has seen this and knows what the hell it is.

    I noticed that IE pages were just coming up every so often w/out me initiating them. The first was alltheweb.com, next lycosearch.com, then later on through the ordeal was one other I can't remember because I have cleared the history, and the last so far was gigablast.com which popped up shortly after I had restarted and began writing this plea for my sanity. The real weird thing was at first they were the smallest window possible and minimized to the bottom right, under my taskbar; then later, or at least in safe mode, they just popped up as a normal window. And then instead of minimizing to the taskbar windows would only minimize to the desktop. And then.....

    Next My search page was change from google to .....Yahoo? What kind of a jack is that????
    Then later on I noticed I was unable to cut/copy and paste anymore.

    So The Scans: Safe Mode: got in once w/network but had to go to work so I shut down......reboot and I couldn't get network support again in safe mode.

    Flashback: I scanned w/trend and symantec when I first noticed something (2 days ago in normal mode) and they didn't find a thing. Tried today and trend crashed twice and then this led to the next escalation:

    Links to helpful stuff would not open. So I got firefox and continued.

    spybot did find a dso exploit which has not come back when I have scanned again.

    I was in the taskmanager once when the IE window popped up and saw a process flicker on/off really quick but all I caught was it began w/a z. Also I have an ati card and it runs 2 cli.exe processes and, it might be unrelated, but I have noticed that they are using 90% cpu (when they haven't b4) and the other 10% is split between idle and csrss.exe (which I guess could be a prob--w32.netsky.ab@mm worm, w32.webus trojan, win32.ladex.a, etc all use csrss.exe but I ran stinger, avg, and, finally, trend which came up w/nothing :( )

    ran hijackthis a few times throughout this process but never found anything that was suspicious. (except the search page to yahoo)

    Thank you for reading this novel. I tried to cram as much info as I could remember. I look forward to any responses.

    oh and my task bar has disappeared

    Thanks again Destructo!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     
    Last edited: Jan 16, 2005
  2. jak3y

    jak3y Guest

    how about a system restore?
     
  3. Destructo

    Destructo Corporal

    yep, did all that I could in the sticky, sys rest off, hidden files out in the open. Dang it, it just popped up so went to taskmanager really quick but it blinked out before I could catch it. Just ran ace utilities and found it in c:\windows\temp w/ a bunch of other suspicious 2kb file applications. What program is generating these? cfrtfgehiy.exe, hoqiqwi.exe, itxdpyqwa.exe, iuspcqftpz.exe, jouyipruws.exe, tocbori.exe, zggrmso.exe, zldfgcye.exe.

    Anyway if anyone can think of anything let me know
    thanks
     
  4. Destructo

    Destructo Corporal

    I am at my wit's end. I fixed 2 lines in my hijack log that read R1...mainsearchbar=http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html

    and something tried to add it back but spybot stopped it. My browser keeps deteriorating. I changed to firefox but that seems to be affected now-- tried to type this reply with it and it wouldn't let me get a cursor in the text area. I cannot click to open links in IE and I still have random search pages just come up, which leads to a file being created in my C:\windows\temp. The search feature is disabled on my drive. Please help. I've done all the scans. Only spybot found anything: a dso exploit, but I thought it corrected it. Avg, trend, adaware, cc, cw, stinger, all came up w/nothing and I was never able to open the link for symantec. I am taking a break now but will be back later.

    please help
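A defender's way to pin down "which program is generating these?" is to snapshot the temp folder, wait for the symptom (a search page popping up), snapshot again, and diff the two so each new executable gets a timestamp to correlate against. The script below is an added example for this thread, not code from the thread or from any tool mentioned in it; it assumes a Python interpreter is available on the affected machine (the thread never says so), and the two snapshot dictionaries in the `__main__` block are constructed, with only the file name `zggrmso.exe` taken from the thread.

```python
"""Diff two snapshots of a temp folder to catch executables that appear on their own.

Added example for this thread; not code from the thread or from any tool in it.
Assumes Python is available on the machine being examined (an assumption).
"""
import os
import time

# Extensions Windows will execute directly; a new file with one of these in a
# temp folder, especially a tiny one, deserves a look.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif"}


def snapshot(directory):
    """Map file name -> (size_bytes, mtime) for regular files in `directory`."""
    snap = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            st = os.stat(path)
            snap[name] = (st.st_size, st.st_mtime)
    return snap


def new_executables(before, after, small_bytes=4096):
    """Executable files present in `after` but not in `before`, oldest first.

    Each entry records whether the file is at most `small_bytes`, which
    matches the ~2 KB droppers described in the thread.  Operates on the
    dicts snapshot() returns, so it can be exercised without touching disk.
    """
    found = []
    for name, (size, mtime) in after.items():
        if name in before:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in EXEC_EXT:
            found.append({"name": name, "size": size, "mtime": mtime,
                          "small": size <= small_bytes})
    return sorted(found, key=lambda entry: entry["mtime"])


def changed_files(before, after):
    """Names whose size or mtime changed between snapshots (rewritten in place)."""
    return sorted(n for n in after if n in before and after[n] != before[n])


def watch(directory, interval_s=5, rounds=12):
    """Poll `directory` and print each batch of new executables as it appears."""
    base = snapshot(directory)
    for _ in range(rounds):
        time.sleep(interval_s)
        current = snapshot(directory)
        for entry in new_executables(base, current):
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(entry["mtime"]))
            flag = "  (small)" if entry["small"] else ""
            print(f"{stamp}  {entry['name']}  {entry['size']} bytes{flag}")
        base = current


if __name__ == "__main__":
    # Constructed snapshots standing in for two listings of C:\windows\temp.
    before = {"~DF1A2B.tmp": (1024, 1.0), "setup.log": (500, 1.0)}
    after = dict(before, **{"zggrmso.exe": (2048, 5.0),
                            "bigtool.exe": (900000, 4.0),
                            "notes.txt": (100, 6.0)})
    for entry in new_executables(before, after):
        print(entry)
    # On a live machine: watch(os.path.join(os.environ["WINDIR"], "temp"))
```

Run `watch()` against the temp folder while the machine sits idle; the moment a popup appears, the next poll lists the dropped file with its creation time, which is the trail back to whatever wrote it (Task Manager or a process monitor at that same timestamp).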
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  6. Destructo

    Destructo Corporal

    Have done, or attempted, all the scans w/the latest. Here is my latest log.

    Thanks a lot for the quick reply, this thing is killing my brain.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see no indication of any of the problems you mentioned. Your home page seems fine too.

    Do you use this?
    O21 - SSODL: Teamspeak 2 RC2_is1 - {9A2CFC01-FB0D-B43B-7F61-61F8D8A9F837} - C:\Program Files\Teamspeak2_RC2\sqliteb.dll

    Not sure I would trust it.
     
  8. Destructo

    Destructo Corporal

    Teamspeak is a voice over internet thing I use w/games but I did have a problem with it. I could hear the other person but couldn't talk through it. I will uninstall it and see if it helps.

    You can see the frustrations I have been having. There just is no trail to the core file that I can find.

    just uninstalled then tried to fix it through hijack and got this:

    some error, but since my clipboard is not working right I cannot paste it here :( But it said to email, I think, merlin@spywareinf.com or something like that.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just as a precaution, download the below tool:

    Generic Find It Tool - NT/2000/XP

    Extract all the files from the Generic Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment.

    And were you having memory problems? Why is the below running:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you uninstalled thru Add/Remove programs but the entry was still in your HJT log? And HJT had an error? I need the error info. Write it down if necessary.
     
  11. Destructo

    Destructo Corporal

    well I was running the find.bat and I got bluescreened and an immediate restart....didn't have time to see the error but this had happened to me twice before when I ran the trend test.

    Yes, I did it through add/remove then scanned and it was there. When I did it a second time it was gone though, and I clicked the message closed because I thought I could paste it somewhere...nope and oops. I will look once I boot back up.

    So is that what the kernel thing is for? I just installed a new mobo, proc and ram & had a hell of a time until we figured out that one of my sticks of ram could generate 70,000 errors in under a minute.

    fyi I am on my back up comp.
     
  12. Destructo

    Destructo Corporal

    here is the next log. this time no crash. I shut down my 2 cli.exe that constantly seem to be running for some reason. They take up 90% and the other 10% is split between system and csrss.exe until I end cli.exe (ati radeon files). This, I think, is a new thing btw (new as in since I have had a prob.)
     

    Attached Files:

  13. Destructo

    Destructo Corporal

    Well I must step out w/ the in-laws for a few hours. I will be back and ready to try anything you can think of. Attached in the next message below is my output file.
    Thanks Chaslang

    Destructo
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see anything in that output.txt file that is a problem.

    Are you saying you still have memory problems? If so, you need to fix them (get new memory).
     
  15. Destructo

    Destructo Corporal

    No, the memory is currently being rma-ed & I have some loaner dimms. The problem I am having is definitely some kind of nasty that got on here somehow. What would be a next step to try to find this root of all evil?

    Thanks, for the millionth time
     
  16. Destructo

    Destructo Corporal

    I think I have the same problem as Jager in his/her post "random search engines connect to internet". Those are the same pages that pop up on my machine.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HJT log from normal boot mode!
     
  18. Destructo

    Destructo Corporal

    i will first thing tomorrow (around 10 am mst). thanks again, I really appreciate it.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Catch ya sometime tomorrow!
     
  20. Destructo

    Destructo Corporal

    Here is my latest log. Doesn't show anything new from what I can tell. Except the fact that messenger is supposed to start up and has not since I got this thing, and under running processes it does not list csrss.exe---this is listed in task manager and is constantly using 2-5% (I have mentioned this b-4 and hope I am not beating a dead horse :p ) the other 90% is being used by my vid card files, 2 cli.exe processes, and 5 to the system.

    At any rate I have to step out for most of the day. I will keep my comp on to see if the windows and temp files keep appearing. I know there is still something because it takes an eternity to load my comp, windows minimize to desktop, can't search files and folders, and a few others I won't babble about.
    Thank you thank you thank you.

    ps let me know if you want any earlier logs. I started creating them on the 14th.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try disabling Spybot's Teatimer function.

    I would consider removing the ATI cli.exe lines from loading too. Here is some info on it:
    http://www.iamnotageek.com/a/cli.exe.php

    Do you really need this to be running ALL the time?
     
  22. Destructo

    Destructo Corporal

    No, and I have usually been shutting it down during this whole ordeal (superstitious I guess). The thing is I have not ever noticed it actually using up cpu power b4 this crap began. So I was gone all day and came back, did not have anything but windows/spystuff/virusprot running and not a single window came up and no file in my c:\windows\temp either. But I can't access my windows firewall; it asks ".....do you want to start the winfirewall/internet connection system (ICS) service". I hit yes, then it says "...cannot start ICS service", and those other probs I have already mentioned.

    Anyway I will try turning off teatimer and rebooting, and stopping the cli.exe---they were annoying anyway because I had to update my .net framework and I suspect they are causing some instability (b4 this stuff occurred).

    Thanks and I will try to hop on as much as I can tonight & tomorrow. Definitely be on tomorrow night.

    Destructo.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The built-in Windows firewall is not that good anyway! You should look at one of the free ones mentioned in the below link. They are much better:

    How to Protect yourself from malware!
     
  24. Destructo

    Destructo Corporal

    Figured as much. At any rate I actually can't install another one because I can't "access the windows installer service."

    What would be a next logical step. Or should I just format the dang thing....it might be faster.

    thanks and I'll check back tomorrow morn
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How did you install Ad-Aware SE and Spybot etc?
     
  26. Destructo

    Destructo Corporal

    When I first noticed the intrusion, I could usually do anything that might help once (installing/download) and then the next time it had been logged by whatever the program is and I couldn't do it again. That's when I got firefox. That is how I got the find it tool which installed ok, but I guess getting a firewall up might actually solve the damn thing so it didn't let me.

    If you can think of anything let me know. If not then tomorrow night I will probably just format (I just did on 12/30 so I don't have too much new stuff on it :) But man I really want to know what the hell this little bugger is. Thanks again chaslang, I will be home later tonight and hopefully online.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Find it does not install! All you did was unzip it. There is no windows installation required.

    Do the following and answer the questions:
    - Download ZoneAlarmFree - was it downloaded okay?
    - Double click on zlssetup_55_062_004.exe - tell me the exact message you get if it fails to install.

    And post a new HJT log too, along with a StartUpList log.

    How to Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
    Last edited: Jan 19, 2005
  28. Destructo

    Destructo Corporal

    Ooops, I guess I should use my brain b4 I speak. I RAN Find it..not installed. Anyway sry, had a lot more to deal w/ than just this machine lately.

    OK I downloaded Zone Alarm, installed it and thought "didn't I try this b4?" It installed fine, no problems. Then I looked and the one I had tried before was the Sygate firewall, and when I tried to install it b4 (didn't try again since zone installed fine) the message read, "cannot access windows installer service", so maybe a bad download possibly.

    Anyway I installed zone alarm (chose 15 day trial) and when setting up it asked what zone I wanted this computer in, "69.144.116.0", which isn't on my network (checked my other ip and it wasn't even close) so I just set it to internet only/no sharing. Then it said everything else was ok.

    here is my startup list as well. Still have limited access to windows search/copy-paste/no minimized windows on taskbar/cannot click links in explorer/and I tried to burn something last night and that didnt work either.

    Talk back to you tonight for sure---have a few free hours finally!!!

    thanks again chas
    destructo
     

    Attached Files:

    Last edited: Jan 19, 2005
  29. Destructo

    Destructo Corporal

    I went home to grab lunch and zone alarm had caught a port scan "blocked internet access to your computer (ftp) from 211.95.203.244 (tcp port 55699)" The details added that it was a port 21 connection attempt.

    I googled web pages that talk about it and they mostly said they had attacks from this ip. The website linked to this address is all in chinese. Possible problem? I have the worst luck it seems.

    I am at my store most the day but will be back at the infected comp tonight.
    Thanks
    destructo
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    That IP belongs to (which I'm sure is not your ISP):

    211.95.203.244 = [ ]


    inetnum: 211.90.0.0 - 211.97.255.255
    netname: UNICOM
    descr: China United Telecommunications Corporation
    descr: No.133 Taiyun Building Xidan North Street
    descr: Xicheng District Beijing China
    country: CN
    admin-c: UCH1-AP
    tech-c: UCH1-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CN-CNNIC-UNICOM
    status: ALLOCATED PORTABLE
    changed: hm-changed@apnic.net 20041203
    source: APNIC
    role: Unicom China Hostmaster
    address: 911 Room Xin Tong Center No.8 Beijing Railway Station
    address: East Avenue Beijing PRC.
    country: CN
    phone: 86-10-6527-8866
    fax-no: 86-10-6526-0124
    e-mail: ip_address@cnuninet.com


    Is it a problem? Not with your firewall doing its job. But why is China United Telecommunications Corporation trying to ping you?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So ZoneAlarm downloaded and installed ok! This means you do not have a problem installing programs.

    Both the HJT log and StartUpList log are clean.

    So why is it that you think there is still a problem? Besides that incoming scan, which is blocked by your firewall (tell it to always do that for that address), and that is the purpose of having a firewall.
     
    Last edited: Jan 19, 2005
  32. Destructo

    Destructo Corporal

    Good question and Hell if I know. Probably because they could. Could this have possibly been the root of the problem. And if so should I just try to do a windows repair to get everything working again? Or.....well, what other avenues are there?



    thanks
    Destructo

    edit: problems: Limited functionality of windows: Cant search files and folders, minimized windows go underneath the taskbar, cannot open download links in IE, and maybe a couple others I cant think of right now. Do you think a win repair might be the answer?
    thanks
     
    Last edited: Jan 19, 2005
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running this: IEFix
     
  34. Destructo

    Destructo Corporal

    Sweet, I will try it first thing when I get home later tonight!

    thanks
    destructo
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know if it helps!
     
  36. Destructo

    Destructo Corporal

    I never seem to have a predictable schedule.. Anyway I ran iefix and nothing changed. After jumping through hoops I downloaded ie6setup.exe (iefix has a link but you have to kind of search around...or at least I did.) Tried to run it but it said I was running a new version?? Anyway I thought that iefix was supposed to set it back to 0....or at least I guess that's what it meant when it altered the IsInstalled registry key.

    In the mean time 2 more port scans #1 "Blocked access.....(ftp) from 62.233.57.31 (tcp port 3330) [tcp flags: s]" Details: port 21 scan. #2 "Blocked.....(http) 69.144.85.223 (tcp port 3868)" Details: Port 80 scan. This time I googled and nothing came up.

    Hopefully someday I will actually get enough time to deal w/this damn thing.....rant rant rave...long day. If you can think of anything else let me know.

    unknown jerks 1 me 0

    Take it easy and thanks Dr C
    D
     
    Last edited: Jan 20, 2005
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is where those are coming from. They do not look valid:

    CHARLR-31.adsl.be.latribu.com = [ 62.233.57.31 ]
    domain: latribu.com
    status: lock
    organization: Talessa sprl
    email: info@talessa.com
    address: Rue Wiertz 50.28
    address: Parc Leopold
    city: Bruxelles
    postal-code: 1050
    country: BE
    admin-c: info@talessa.com0
    tech-c: info@talessa.com0
    billing-c: info@talessa.com0
    nserver: ns-be.talessa.com 62.233.58.3
    nserver: ns-fr.talessa.com 62.233.46.51
    registrar: JORE-1
    created: 1999-01-11 00:00:00 UTC
    NSI modified: 2004-04-12 16:47:56 UTC JORE-1
    expires: 2007-01-11 00:00:00 UTC
    source: joker.com
    db-updated: 2005-01-20 21:44:12 UTC

    --------------------------------------------

    69.144.85.22 = [ ] network: Class-Name: network
    network: ID: 666.69.144.0.0/15
    network: Auth-Area: 69.144.0.0/15
    network: Network-Name: Bresnan-Core-NET
    network: IP-Network: 69.144.0.0/15
    network: Organization;I: 777.Bresnan-Core
    network: Tech-Contact;I: 223.Bresnan-Core
    network: Admin-Contact;I: 222.Bresnan-Core
    network: Created: 20040803184120
    network: Updated: 20050120000001
    network: Updated-By: Rwhois-Transfer
    network: Class-Name: network
    network: ID: 666.69.144.64.0/19
    network: Auth-Area: 69.144.64.0/19
    network: Network-Name: Billings-2-NET
    network: IP-Network: 69.144.64.0/19
    network: Organization;I: 777.Billings
    network: Tech-Contact;I: 223.Billings
    network: Admin-Contact;I: 222.Billings
    network: Created: 20040805141244
    network: Updated: 20050120000001
    network: Updated-By: Rwhois-Transfer
    network: Class-Name: network
    network: ID: 666.69.144.84.0/22
    network: Auth-Area: 69.144.84.0/22
    network: Network-Name: Worland-NET
    network: IP-Network: 69.144.84.0/22
    network: Organization;I: 777.Worland
    network: Tech-Contact;I: 223.Worland
    network: Admin-Contact;I: 222.Worland
    network: Created: 20040805142155
    network: Updated: 20050120000001
    network: Updated-By: Rwhois-Transfer
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have multiple user accounts on this PC? If so, have you cleaned all of them?

    Run CCleaner again and run the Cleaner only (do not use the Issues tab or Scan for Issues button).
     
  39. Destructo

    Destructo Corporal

    Well I see that Bresnan is mentioned and this is my isp. But what do all the others mean? Is someone routing through all that or did my ISP try to attack me too? I see that Telessa is a spanish telecom....great, now I have to contend with the spanish as well as the chinese!!!

    So at any rate Windows is totally screwed up still. I tried to burn a couple files, the disc burned but there was no info on it. And added to the list of not working is any type of messenger service (noticed b4, just never mentioned it). Oh well.

    Questions: Even if I format/reinstall do you think these attacks will continue? And how worried should I be that someone might have been using my computer for illegal activity?

    No, only one account, Destructo1, which is the admin, but I think there is an admin one on there as well....don't know if it's default or was added, now that I think about it. It always boots to my account w/out a choice.

    Thanks once again.
    Destructo
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ISPs don't attack you, but they may run scans periodically. You could ask them what it's about. But your firewall is doing what you want it to do: block it.

    I think Telessa is from Belgium, not Spain. I have no idea what that's about, but again the firewall is blocking it.

    Windows does not burn CDs. I did not see any CD writing software indicated in your HJT logs. Try uninstalling and reinstalling your CD writer software.


    I don't know what your problem is with any of the Messenger services. Are they starting up?


    You can always choose to format and reinstall. But unless you have the proper protections set up before connecting to the net, you could wind up with the same problems. I cannot answer that question about someone using your PC. But incoming scans happen all the time. That's why you want a firewall. If you get a scan from some particular address over and over, then I would be more concerned.

    If you boot to safe mode, doesn't it give you an Administrator account to login as?
     
  41. Destructo

    Destructo Corporal

    I think when I was in safemode is when I noticed the admin account. I will go and scan that when I get home in a few hours (if I have network support in safemode; that was 1 of my first problems).

    msn messenger is set to load @ start up but doesn't, nor can I run it. Yahoo loads but when I try to type something to someone the words do not appear and they aren't sent.

    Oh and I went into my hotmail account and almost had a heart attack..it was empty!! Hopped on the other computer and it was ok though :)

    It is as if I got locked out of everything, is how to describe it I guess....maybe the admin account in safemode then....really weird though.

    As for the scans Zone alarm reported there have been 93 of them but only 3 critical. The 3 were those that popped up as for the other 93 I have not looked yet (there should be a log right?)

    Anyway take it easy and thanks a lot................once again......
    Destructo
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    I don't remember seeing MSN Messenger installed. Only Windows Messenger and Yahoo Messenger.
     
  43. Destructo

    Destructo Corporal

    My mistake, it is Windows Messenger. Anyway, tried cc in the admin safe mode w/networking (didn't have it though) then rebooted and........no change.

    I am going to see if a windows repair will work because frankly I just want to relax and play some games finally!!!!! I still wish I could figure out what the hell happened here. I absolutely hate not knowing something and will usually exhaust every effort to gain the knowledge.

    Oh well I think I am throwing in the towel.

    I will let you know if the repair worked. Let me know if you can think of anything else.

    later
    Destructo
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Will do! And I would like to hear about the repair!
     
  45. Destructo

    Destructo Corporal

    Repair Reshmair....still going through the muck!!! At any rate welcome to the world of the persecuted! The repair, started about 4 hrs ago, gave me some bs about the setup log not being correct? that was after blue screen when it goes into the install part of the repair...you know the "you have 39 min until your life is totally complete part" Anyway no idea so.....abrakazabrah!!!! format!!!!!!!!!!!!!!!!!!!!!!!

    Still I have crappy luck.......insert sadistic laugh....... asap I installed avg, installed nic drivers, then win update.....virus..what??...no response after a few actions..... didn't update avg..ok maybe mistake...restart...get zone alarm........update win ..install....stall......restart (forgot I unplugged nic (lol/kick self)....uninstall sp2......restart......reinstall drivers.....update...install sp2.....finally the damn thing works.......poster child for the challenged.........

    Well......so ends this crap...hopefully...oh I forgot during the Virus attack portion of the install I got a window that wanted me to go to fixerrors.com googled and could not find anything but it wanted me to click "ok" to go to the site. I restarted.

    By the end of this the last update is confirmed and restarted...instead of a 10 min startup I now am clocking I guess around a minute or 2.

    thank you for all your help and let me know if you ever find who or what this might have been.

    Thank you once again East Coaster
    Destructo
     
  46. Destructo

    Destructo Corporal

    right b4 bed...nice to know someone else is lookin at me.......again thanks for that sam link, at least I can see...kind of....who it is. anyway don't forget to look below @ my other post and....sorry but I don't know how to post that well with the copy/paste and all....so it might not be that well ordered as yours but it is all there.....talk to ya later and why still china....

    218.22.120.178 = [ ]
    inetnum: 218.22.0.0 - 218.23.255.255
    netname: CHINANET-AH
    descr: CHINANET Anhui province network
    descr: Data Communication Division
    descr: China Telecom
    country: CN
    admin-c: CH93-AP
    tech-c: JW89-AP
    mnt-by: MAINT-CHINANET
    mnt-lower: MAINT-CHINANET-AH
    status: ASSIGNED NON-PORTABLE
    changed: hostmaster@ns.chinanet.cn.net 20010528
    changed: hm-changed@apnic.net 20040927
    source: APNIC
    person: Chinanet Hostmaster
    address: No.31 jingrong street beijing
    address: 100032
    country: CN
    phone: 86-10-66027112
    fax-no: 86-10-58501144
    e-mail: hostmaster@ns.chinanet.cn.net
    e-mail: anti-spam@ns.chinanet.cn.net
    nic-hdl: CH93-AP
    mnt-by: MAINT-CHINANET
    changed: hostmaster@ns.chinanet.cn.net 20021016
    remarks: hostmaster is not for spam complaint please send spam complaint to anti-spam@ns.chinanet.cn.net
    source: APNIC
    person: Jinneng Wang
    address: 17/F Postal Building No.120 Changjiang
    address: Middle Road Hefei Anhui China
    country: CN
    phone: 86-551-2659073
    fax-no: 86-551-2659287
    e-mail: wang@mail.hf.ah.cninfo.net
    nic-hdl: JW89-AP
    mnt-by: MAINT-NEW
    changed: wang@mail.hf.ah.cninfo.net 19990818
    source: APNIC
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so you now have a freshly installed system with all your protections in place I assume??

    Let's see a new HJT log.

    All I can guess is someplace in China must have gotten your address before and is still trying to get back to you. As long as you have your firewall running and it does its job to block this, you should be okay.
     
  48. Destructo

    Destructo Corporal

    Well as I began to type this another intrusion was attempted. This one is a bit different it seems, 218.144.129.108. It says that it is not an isp but a "National Internet Registry similar to APNIC." It also gives an alternate email address in case you cannot contact the main one or to report an abuse of the ip. Think I should?

    At any rate here is my new jack log...nothing new.
    Thanks and I will be on later today
    Destructo
    My comp boots so fast now :) And yes I have all safety in place. Sp2 is a pain to download and install.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you need to stop worrying about things that your firewall is protecting you against. Turn off the auto popup of messages and just look at your incoming and outgoing logs periodically to see what is going on. If you keep looking at these, you are going to drive yourself crazy. This is the reason you installed the firewall. So it would block these intrusions. If no one ever got any, we would not need firewalls. Also be careful where you surf and what you click on from now on. I would bet these locations have your IP from things that you have previously done. Any porn surfing? They are notorious for problems like this.
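Reviewing the firewall log periodically, as suggested above, works best when the blocked events are tallied per source address rather than read one popup at a time: a single blocked probe is background noise, while the same address returning again and again is the case chaslang earlier said would be more concerning and is the one worth a permanent block rule. The script below is an added example for this thread, not code from the thread or from ZoneAlarm; its sample log lines are constructed to mirror the alert text quoted in the thread (the timestamps are made up, and ZoneAlarm's real exported log uses a different layout, so `LINE_RE` would need adjusting for an actual file).

```python
"""Tally blocked inbound connections from a personal-firewall log by source.

Added example for this thread; not code from the thread or from ZoneAlarm.
The sample lines are constructed in the shape of the alerts quoted in the
thread; a real ZoneAlarm export is laid out differently (adjust LINE_RE).
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: source addresses come from the thread, timestamps
# and the repeat visits are made up to show the aggregation.
SAMPLE_LOG = """\
2005-01-19 12:05:11 Blocked internet access to your computer (ftp) from 211.95.203.244 (tcp port 55699)
2005-01-19 18:40:02 Blocked internet access to your computer (ftp) from 62.233.57.31 (tcp port 3330)
2005-01-19 22:13:45 Blocked internet access to your computer (http) from 69.144.85.223 (tcp port 3868)
2005-01-20 03:02:10 Blocked internet access to your computer (ftp) from 211.95.203.244 (tcp port 55812)
2005-01-20 09:17:33 Blocked internet access to your computer (ftp) from 211.95.203.244 (tcp port 56001)
2005-01-21 01:55:08 Blocked internet access to your computer (http) from 218.22.120.178 (tcp port 4111)
this line is not an alert and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Blocked internet access to your computer \((?P<service>\w+)\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<proto>tcp|udp) port (?P<sport>\d+)\)$"
)


def parse_log(text):
    """Return one dict per blocked event; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        events.append(ev)
    return events


def summarise(events, repeat_threshold=3):
    """Count events per source and flag sources seen at least `repeat_threshold` times."""
    per_source = Counter(ev["src"] for ev in events)
    services = defaultdict(set)
    for ev in events:
        services[ev["src"]].add(ev["service"])
    repeated = {src: n for src, n in per_source.items() if n >= repeat_threshold}
    return {
        "total": len(events),
        "per_source": dict(per_source),
        "services": {src: sorted(s) for src, s in services.items()},
        "repeated": repeated,
    }


def block_candidates(summary):
    """Addresses that keep coming back: the ones worth an 'always block' rule."""
    return sorted(summary["repeated"])


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    print(f"{summary['total']} blocked events")
    for src, n in sorted(summary["per_source"].items(), key=lambda kv: -kv[1]):
        tag = "REPEAT" if src in summary["repeated"] else "noise"
        print(f"  {src:16} {n:3} hit(s)  {', '.join(summary['services'][src]):8} {tag}")
    print("block candidates:", block_candidates(summary))
```

Everything the firewall already blocked is, by definition, handled; the value of the tally is deciding which of the 93 entries in the log deserve a standing rule and which are the one-off scans that every internet-connected host receives.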
     
  50. Destructo

    Destructo Corporal

    I know, I know, I inherited this persistent need to know things from my dad. It drives my wife crazy. Anyway not porn, but I do use mirc, which is most likely the source of first contact.

    If anything I learned my lesson. Up until now I thought I could root any problem out so was a bit lax in security. You have to learn at some time I guess. Good thing it wasn't a bad time.

    Thank you once again for your time and effort. I truly appreciate it. If ever you see the same prob. again and figure it out let me know the results.
    Destructo
    btw if there is anything you would like in the way of blown glass pm me. I am a lampworker; I would be glad to make something 4 you since you spent so much time on my prob :)
     
