[C0B01]

I've found some stuff in my processes/netstat that I dont know what is, I've tried googlein' but cant find a straight forward answer.

I have a TCP epmap and UDP isakmp connetion?!

Neither of which do I remember installing. The reason why I find this a bit doggy is the fact that my websites ftp server appeared to be hacked. A file named 'Akamai' appeared in a read only area where no files should be created with the text saying 'Ok' in the document (answering the notice i guess saying that you cant write files). A few days ago I was looking at my open connetions and I noticed one with the name "host13.akamai-hex.....", funnt i thought, thats the same name!! I did a port scan just so I could see what kind of system it was, and its linux, (what a supprise!) with services such as ssh, smtp, http & https (has a website running from the machine?) as well as pop3 and .... ISAKMP.

I recon my, well not mine, my parents computer.. (my computer is still up at uni..) has been "Owned". What do you guys make of that? Im not sure what to do, my parents dont have a real firewall (ive told them hundereds of times they need one!) so ive put on ZA for them, but its their free version, and it doesnt allow individual program control.

What do you guys recon i should do?

- I've:

updated thier windows XP
updated their AV
installed ZA
installed Spybot Search and destroy
ive changed the registry to save only the new NT password types
changed their user password
used 'net user' on comprompt and deleted an extra account (my old one) which for some reason wasnt showing up in the account manager but was still present after i originally deleted it.

Ughhh.... windows..

 

[C0B01]

Also.. they have reported the computer turning on by itself, all though i have not seen this myself.

Thanks for any help, C0B01

 

[tetonbob]

Sounds like you may have a worm onboard....let's run some tools and see what we can see:


Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

• Ad-Aware® SE Personal Edition
  *Note* For Ad-AwareSE also install the VX2 Addon Cleaner To run this tool once Adaware is updated click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK" , then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
  
• Spybot Search & Destroy
• CWShredder

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Reboot into normal mode now.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
2. Click On 'Scan Now'
3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
4. Begin the scan by selecting My Computer
   * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
5. If it finds any malware, it will offer you a report. Click on see report
6. Then click Save report
7. Post the contents of the report in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Now Please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

So I would need logs from:

Ewido
Panda ActiveScan
HJT

 

[C0B01]

Thanks, I'll start sorting that out! Will post the logs up once I've done.

Might be a day or so.. (I've just got my retake results back from Uni, and I've passed my year!!!!!) :grin: :grin: :grin:



w00t w00t, wont have to do my first year three times then!