#1
OK, I think I have a mean hacker problem. A few days ago my Sygate Personal Firewall picked up this:
(time = 04/19/2003 20:10:01) (security type = Port Scan) (severity = Minor) (direction = Incoming) (protocol = UDP) (destination host = 67.9.148.208) (source ip = 193.126.145.13) (count = 1) (begin time = 04/19/2003 20:09:55) (end time = 04/19/2003 20:09:55)
and just now after restarting my computer I got this one:
(time = 04/22/2003 13:43:55) (security type = Executable File Change Denied) (severity = Major) (direction = Outgoing) (protocol = UDP) (destination host = 67.9.151.255) (source ip = 0.0.0.0) (Application name = C:\WINDOWS\System32\ntoskrnl.exe) (count = 1) (begin time = 04/22/2003 13:43:49) (end time = 04/22/2003 13:43:49)
and then just now, as I am typing this all out, I get something from my Zone Alarm: "PROTECTED The firewall has blocked Internet access to your computer (http) from 67.116.225.80 (tcp port 4847) (tcp flags: S) time 4/22/2003". AVG virus protection has picked up no viruses and I am about to start up a 30 day trial of "Ipomar", a trojan horse removal program (I think). If someone can explain exactly what is going on with my computer, because I feel like I have been targeted by someone with unfriendly intentions. Thanks a lot.
#2
ntoskrnl.exe is the Windows NT kernel.
Doing a search at Symantec for ntoskrnl yields: http://securityresponse.symantec.com...2.bolzano.html, a virus that changes the security on ntoskrnl.exe: "...The virus modifies only 2 bytes in a security API called SeAccessCheck that is part of ntoskrnl.exe. This way Bolzano is able to give full access to all users to each file regardless of its protection, whenever the machine is booted with the modified kernel...." As well as the port scan that the other poster suggests, you can also use the Symantec virus scanner: http://security.symantec.com/ssc/hom...FLJMVHNMITLPOQ
#3
These posts have been very helpful; I am still dealing with the problem. I am not sure that I have the virus W32.Bolzano, because AVG was not able to detect it and neither was Norton.
Also, Symantec's site says "W32.Bolzano is a new virus that replicates under Windows 95 and Windows NT" and "This attack will work on any version of Windows NT (Version 3.50 up to 4.0) with each all the service packs. The attack does not work on any betas of Windows 2000, but it remains feasible." I have Win XP Home Edition. I am not sure if this makes a difference or not. Since Norton couldn't detect it and Symantec says Norton should (I have run LiveUpdate), I am thinking that is not what I have, maybe. Or maybe because of the Win version I am running it doesn't detect it (I don't know very much about this stuff). At any rate Symantec also has another way of getting rid of the virus; they say: "If the system has been infected, the system files ntoskrnl.exe and ntldr.exe have been patched. Symantec has created a tool which can be used to restore these files. This tool was created for a more prolific virus, W32.Funlove.4099, which applies the same patching techniques to ntoskrnl.exe and ntldr.exe. You can find this tool here: DOS FunLove.4099 Fix Tool." "1. Download FixFun.exe to a floppy disk. 2. Reboot the computer using a DOS boot disk. If file system is FAT16, you can use any DOS boot disk. If file system is FAT32, you must use a DOS 7.01 or later boot disk." I use FAT32, so I go to get a DOS 7.01 boot disk from http://www.powerload.fsnet.co.uk/bootdisk.htm and they say "MS-DOS 7.10s Bootdisk ~ This is a Special HEX Edited version of the 98se Version 4-10-2222 Bootdisk listed below. It has been patched with 3xStart.exe to allow Windows 3.1 to operate, and Hex Edited so that all references to Windows 98se read as MS-DOS 7.10 ~ For use as a Standalone MS-DOS 7.10a only - Not for use with Windows 98se", so I don't know if I can use this or not. All this is confusing to me, and if anyone reads this and can make sense of it, please take my blindfold off and point me in the right direction. As I said, I don't know a lot about computers; I am trying to learn.
Thanks for all help given.
#4
I was thinking, why can't I use my XP disk to boot from (my BIOS will let me boot from the CD-ROM drive; some don't, but mine does)
and then just repair anything that has been changed? Since nothing seems to pick up an active virus in my puter, including virus detectors that say on their web site they know all about the virus talked about in the above posts, I am thinking to try what you say, robo, first.
#5
Newbie,
Don't do anything. Don't you understand what a firewall does, and why it is necessary? Read your firewall's messages. It is telling you it PREVENTED these intrusions. That is why you installed it!!! Hackers use programs to look for vulnerable computers, and you will probably be scanned hundreds of times. Be glad you have the firewall, and that it is performing as it is supposed to. If you find the messages annoying or unsettling, I am sure your firewall will allow you to save the messages to a log file, and not pop up every time it blocks an intruder. READ THE HELP FILES!!
#6
I agree with Johnsr MOSTLY; however, it could never hurt to keep following up and making sure you have clean files on your system.
There are trojans and other viruses small enough and UNDETECTABLE by firewalls and scanning programs such as Zone Alarm... It's unlikely that this is the case, but if you are seeing files being changed or looking suspicious, go ahead and check them out. Better safe than sorry. Also, I'm trying to find where I saw this program, I can't recall.... but it lets you program a message that gets sent out to the user who is trying to port scan you. For example, you could program a message to say: "Hi! welcome to my computer. Thank you for taking the time to give me your IP address and logfiles showing your attempts to scan my computer. That information will be forwarded to the authorities. Thank you again! and have a nice day". Just something that could be fun to play around with, but that's beside the point :o Probably nothing to worry about, newbie.
#7
Quote:
__________________
Freedom is only a hallucination, That waits at the edge of the places you go when you dream
#8
Yes, I thought that my firewall was working very well also when it gave me the original message about the port scan, and I was hardly worried about it. But what bothered me and started me looking for what has been done to my puter is the message I get after Windows loads:
"NT Kernel System has changed since the last time you used it. This could happen if you have updated it recently. Click Detail to see more information. Do you want to allow it access to the network?"
I click Details and it tells me "Detailed information of the NT Kernel System and the connection it is trying to establish":
The executable has changed since the last time you used: C:\WINDOWS\System32\ntoskrnl.exe
File Version : 5.1.2600.1150 (xpsp2.021108-1929)
File Description : NT Kernel & System
File Path : C:\WINDOWS\System32\ntoskrnl.exe
Process ID : 4 (Heximal) 4 (Decimal)
Connection origin : local initiated
Protocol : UDP
Local Address : 67.9.148.208
Local Port : 138
Remote Name :
Remote Address : 67.9.151.255
Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)
Ethernet packet details:
Ethernet II (Packet Length: 243)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-40-f4-39-d3-d4
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags: .0.. = Don't fragment: Not set ..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0xe586 (Correct)
Source: 67.9.148.208
Destination: 67.9.151.255
User Datagram Protocol
Source port: 138
Destination port: 138
Length: 8
Checksum: 0xf2a5 (Correct)
Data (209 Bytes)
Binary dump of the packet:
0000: FF FF FF FF FF FF 00 40 : F4 39 D3 D4 08 00 45 00 | .......@.9....E.
0010: 00 E5 00 41 00 00 80 11 : 86 E5 43 09 94 D0 43 09 | ...A......C...C.
0020: 97 FF 00 8A 00 8A 00 D1 : A5 F2 11 02 80 1A 43 09 | ..............C.
0030: 94 D0 00 8A 00 BB 00 00 : 20 46 41 46 46 46 43 46 | ........ FAFFFCF
0040: 47 45 4A 46 44 43 4E 44 : 49 44 41 46 41 45 4B 45 | GEJFDCNDIDAFAEKE
0050: 44 45 45 46 41 45 4F 43 : 41 00 20 45 4E 46 44 45 | DEEFAEOCA. ENFDE
0060: 49 45 50 45 4E 45 46 43 : 41 43 41 43 41 43 41 43 | IEPENEFCACACACAC
0070: 41 43 41 43 41 43 41 43 : 41 42 4F 00 FF 53 4D 42 | ACACACACABO..SMB
0080: 25 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | %...............
0090: 00 00 00 00 00 00 00 00 : 00 00 00 00 11 00 00 21 | ...............!
00A0: 00 00 00 00 00 00 00 00 : 00 E8 03 00 00 00 00 00 | ................
00B0: 00 00 00 21 00 56 00 03 : 00 01 00 00 00 02 00 32 | ...!.V.........2
00C0: 00 5C 4D 41 49 4C 53 4C : 4F 54 5C 42 52 4F 57 53 | .\MAILSLOT\BROWS
00D0: 45 00 0F 00 80 FC 0A 00 : 50 55 52 56 49 53 2D 38 | E.......PURVIS-8
00E0: 30 50 4A 43 44 50 4E 00 : 05 01 03 10 05 00 0F 01 | 0PJCDPN.........
00F0: 55 AA 00 : | U..
The fact that this has been changed is scary, and I don't know what the change is or how to find out. I think I should be able to boot from my Win XP Home Edition CD and this should be able to repair any unwanted changes, yes?
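The hex dump in the post above can be decoded offline to see what the packet actually is, which is more useful than the alert text. The following is an added example written for this page, not code from the post, from Zone Alarm or from any tool mentioned in the thread. It takes the dump as transcribed from the post (the ":" mid-row separator and the ASCII gutter dropped), walks Ethernet II, IPv4, UDP and the NetBIOS datagram service, verifies the IPv4 header checksum, decodes the RFC 1001 first-level-encoded NetBIOS names, and pulls out the SMB mailslot name. The helper names (parse_dump, analyse_frame, decode_netbios_name, broadcast_prefix) are my own. One thing worth knowing before reading the output: Zone Alarm prints the two checksums byte-swapped (0xe586 and 0xf2a5); on the wire they are 0x86E5 and 0xA5F2, and the check below recomputes the IPv4 one.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed input: the Zone Alarm dump transcribed from the post above, with the
# ':' mid-row separator and the ASCII gutter removed so each row is offset + 16 bytes.
ZONEALARM_DUMP = """
0000: FF FF FF FF FF FF 00 40 F4 39 D3 D4 08 00 45 00
0010: 00 E5 00 41 00 00 80 11 86 E5 43 09 94 D0 43 09
0020: 97 FF 00 8A 00 8A 00 D1 A5 F2 11 02 80 1A 43 09
0030: 94 D0 00 8A 00 BB 00 00 20 46 41 46 46 46 43 46
0040: 47 45 4A 46 44 43 4E 44 49 44 41 46 41 45 4B 45
0050: 44 45 45 46 41 45 4F 43 41 00 20 45 4E 46 44 45
0060: 49 45 50 45 4E 45 46 43 41 43 41 43 41 43 41 43
0070: 41 43 41 43 41 43 41 43 41 42 4F 00 FF 53 4D 42
0080: 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090: 00 00 00 00 00 00 00 00 00 00 00 00 11 00 00 21
00A0: 00 00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00
00B0: 00 00 00 21 00 56 00 03 00 01 00 00 00 02 00 32
00C0: 00 5C 4D 41 49 4C 53 4C 4F 54 5C 42 52 4F 57 53
00D0: 45 00 0F 00 80 FC 0A 00 50 55 52 56 49 53 2D 38
00E0: 30 50 4A 43 44 50 4E 00 05 01 03 10 05 00 0F 01
00F0: 55 AA 00
"""

def parse_dump(text):
    """Turn 'offset: b0 b1 ...' rows into the raw frame bytes."""
    frame = bytearray()
    for row in text.strip().splitlines():
        frame += bytes.fromhex(row.partition(":")[2].replace(" ", ""))
    return bytes(frame)

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of the IPv4 header with its checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_netbios_name(encoded):
    """RFC 1001 first-level decoding: each name byte is sent as two letters 'A'..'P',
    one nibble each. Returns (name without space padding, 16th-byte service suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def broadcast_prefix(src_ip, dst_ip):
    """Longest prefix for which dst_ip is the broadcast address of src_ip's subnet,
    or None if dst_ip is not a subnet broadcast relative to src_ip."""
    for plen in range(32, -1, -1):
        if str(IPv4Network(f"{src_ip}/{plen}", strict=False).broadcast_address) == dst_ip:
            return plen
    return None

def analyse_frame(frame):
    """Walk Ethernet II -> IPv4 -> UDP -> NetBIOS datagram -> SMB mailslot and collect
    the facts a defender needs to classify the packet."""
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        info["verdict"] = "not IPv4"
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    info.update(total_len=total_len, ttl=ttl, proto=proto, ip_checksum=csum,
                ip_checksum_ok=ipv4_checksum(ip[:ihl]) == csum,
                src_ip=str(IPv4Address(src)), dst_ip=str(IPv4Address(dst)))
    if proto != 17:
        info["verdict"] = "not UDP"
        return info
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    info.update(udp_sport=sport, udp_dport=dport, udp_len=ulen)
    payload = udp[8:ulen]
    # Port 138 is the NetBIOS datagram service: 14-byte header, then two 34-byte
    # encoded names (length byte 0x20, 32 letters, 0x00), then the SMB mailslot write.
    if dport == 138 and len(payload) >= 82:
        msg_type, _, _, _, _, dgm_len, _ = struct.unpack("!BBH4sHHH", payload[:14])
        src_name, src_suffix = decode_netbios_name(payload[15:47])
        dst_name, dst_suffix = decode_netbios_name(payload[49:81])
        info.update(nb_msg_type=msg_type, nb_dgm_len=dgm_len,
                    nb_src_name=src_name, nb_src_suffix=src_suffix,
                    nb_dst_name=dst_name, nb_dst_suffix=dst_suffix)
        smb = payload[82:]
        at = smb.find(b"\\MAILSLOT\\")
        if at >= 0:
            info["mailslot"] = smb[at:smb.index(b"\x00", at)].decode("ascii")
    info["broadcast_prefix"] = broadcast_prefix(info["src_ip"], info["dst_ip"])
    if (info["dst_mac"] == "ff:ff:ff:ff:ff:ff" and sport == dport == 138
            and info.get("mailslot") == "\\MAILSLOT\\BROWSE"):
        info["verdict"] = "NetBIOS browser announcement broadcast to the local subnet"
    else:
        info["verdict"] = "unclassified UDP datagram"
    return info

if __name__ == "__main__":
    for key, value in analyse_frame(parse_dump(ZONEALARM_DUMP)).items():
        print(f"{key:18} {value}")
```

Run as-is, the decoder reports the IPv4 header checksum as 0x86E5 and correct, a UDP 138 to 138 datagram from the host's own address to 67.9.151.255, which is the broadcast address of the /22 that contains 67.9.148.208 (a typical cable-modem segment). The NetBIOS source name decodes to PURVIS-80PJCDPN with service suffix 0x20, the destination to the workgroup name MSHOME with suffix 0x1E, and the SMB payload is a write to \MAILSLOT\BROWSE. That is the Windows workgroup browser announcing the machine to its neighbours, sent by the System process (PID 4, which is why Zone Alarm attributes it to ntoskrnl.exe); it says nothing about an intruder. The separate question the alert raises, why the kernel file's hash changed, is answered by checking the file's version and size against a recent update, as a later reply in this thread suggests, not by reading the packet.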
#9
green,
Have you done any of the MS updates recently? One of the recent ones I did (Q811493) changed my ntoskrnl.exe. I didn't get that message about the change like you did (or it went by too fast for me to see it). Check its properties in Windows Explorer, and let us know what size it is (the one in system32), and its version number.
#10
Quote:
Now the thing with this is that the person on the other end needs to be set up so that they have something listening on that port to receive a TCP or UDP message and then interpret the message into something the user can see. Example: they port scan you. Zone Alarm detects. Slap detects that Zone Alarm has detected, takes the log, takes the IP, scans them back and sends a message. The message is received by the other computer. Now here's the problem: let's say the program used to scan only responded to a specific command, text based or binary, it matters not. Then it won't display your message. I can explain more, but so you know, the message function is virtually useless, as unless they are expecting a text based message that has no identifier then they won't read your message.
__________________
C programmers never die, we just get cast into void ___________________________ Say NO to TCPA/Palladium http://www.againsttcpa.com/tcpa-faq-en.html
#11
YES! I couldn't remember the name for the life of me... thanks Lamien
#12
inappropriate post removed.
AS
Last edited by AbbySue; 04-25-03 at 20:44.
#13
hehe, lamien......hehe.....
sorry...... ahem! If you think files have been changed on your system without you knowing, then try running sfc. Bear in mind that you will need your XP CD to hand and will need to re-update again once you have done it. Go to Run, type sfc /scannow and let it do its thing. If it asks for a Pro CD there is something wrong, but don't ask me; there is a thread out there that gives the resolution. Basically it goes through all system files and checks their integrity, and if they are corrupted or patched wrongly then it copies an old version of it from the CD... pretty handy really.
__________________
(¯`·._.·[ Gø|ÐFï§h ]·._.·´¯) Folding@Geeks, TEAM 12072 http://www.majorgeeks.com/page.php?id=9
#14
Quote:
#15
"Originally posted by Gohan976: inappropriate post removed. AS"
I am wondering what was inappropriate, or at least the nature of it.
#16
Quote:
#17
I've seen a couple of references to ntldr not being in Windows XP.
I just wanted to say it absolutely is in XP; it is a hidden file. By default, XP searches do not search hidden files and folders.
#18
So I know this is dragging on but ....
I ran sfc /scannow and it didn't seem to change anything. So I booted from my WinXP Home Edition CD; you get three options from there, and the one I selected was to use the CD to repair my system (in other words, replace changed files with the ones on the CD), and then it wants an administrator's password. I type in my password (I know it is the correct one because I only use one complicated password for everything and I installed the XP on my system to start with); it tells me this password isn't correct, and therefore I can't do anything with my system. Is there a way to find out what the password is? And could someone in my system have changed it from what I set it to something they want? Or am I just insane? Please answer me this.
#19
Hi, are you sure that you did use a password when you installed the OS? Like you, I have only the one password for everything, but when I installed my OS I did not use a password, as it can be a nuisance if sent to a shop etc.
If you did not use a password then when it asks for it you just click or double click and it lets you in. It would be worth trying this in the hope it is an easy answer. If you click Help and Support in the Start menu and search for administrator password, it gives instructions on how to create a password reset disk with the wizard. Peace, Mal
#20
Firewall logs aren't really any good because they are trying to make it look like they did their job, so they will say that someone is trying to crack your box when they are not, so I would not trust the logs completely. Only one way to prove an intrusion attempt: a full packet dump.
EDIT: If Norton doesn't find anything, that's usually a good sign; Norton is the best there is (at least I believe so).
Last edited by Vlad902; 04-29-03 at 02:08.