May 13th, 2003, 02:36 AM
A smart trojan user would never let you know they were there so that they could continue to gain information, if there is such a thing. And even if they have many tojans installed most of them can still be removed, many AV programs have heuristics that will even find small programs that were written by the cracker themselves and not just downloaded of some geocities webpage. As for keyloggers it can be a little harder if they don't send information out, I could be wrong but I don't think that simple checking of what is typed is something that sets off alarms in most AV heuristics as many word processors do this for spell checking albeit in a slightly different way. You already installed a firewall so if you see odd connection attempts from programs that don't make sense then look into it as it could be a keylogger trying to email it's daily capture if it's set up to do that, other then that look for folders with growing text files then start looking through running processes for something out of the ordinary. I know what every process on my machine is so when something shows up I know someone's been messing with my computer.
Originally posted here by Qualm
Smart trojan users will install redundant trojans, keyloggers, etc. Then they'll keylog your passwords and steal your files, and then they'll mess with your head.
Reality is the one who has it wrong, not you
May 13th, 2003, 03:23 AM
I would suggest logging in to your eBay and Paypal accounts from a computer you are reasonably sure is clean, and changing your passwords ASAP. You can set eBay to not automatically log you on when you connect, which is what you should set until you are sure there are no keyloggers left running on your machine.
Originally posted here by CarefulEugene
I have used EBay & Paypal
There are four principal areas where, on an average system (meaning not one that has anything special like an Intrusion Detection System loaded on it), you will find traces of trojans and other active security breaches:
1. Your firewall logs - as you've already mentioned, your firewall will log a lot of nasty activity such as programs and people trying to connect to ports which are blocked.
2. Open ports and the programs connected to them - a good port scanner/port monitor like Active Ports will tell you what ports are open, what IP's are connected to them, and what programs are listening on them. Do google searches on specific open port numbers and listed programs, you will learn a lot that way.
3. Suspicious registry entries - specifically, programs set to automatically run at startup which you don't recognize or are otherwise suspicious. Again, google searches will tell you a lot about what's legitimate and what isn't normal.
4. Running processes (task manager, process window). This is where you'll find the harder to detect (and nastier) stuff. For example (just an example, this is rare and advanced hacking), if you see a .txt file listed as a running process, that's a major alarm bell because you've likely been hacked by someone who is sophisticated enough to exploit a specific "feature" of certain Microsoft OS's. Google anything odd you see (most of the processes there are cryptically named but perfectly normal).
What I'm trying to say is, don't rely on AV and anti-trojan scanners exclusively, particularly NOT on an already-cracked system. Really vicious trojan users will crack a system, install a backdoor or three with detectable signatures, and then customize and recompile from downloadable sourcecode an undetectable (by commercial scanners that is) backdoor. You can still find that one though if you know where to look for traces (see above) and do your homework.
May 13th, 2003, 03:43 AM
I don't want to underestimate the guy, but this may give a clue as to how smart he is (or how confident he can bust me---take your pick) He had actually sent me an e-mail telling me he was going to be cracking my accounts. Pretty poor English was used (Please to cry-I am to be cracking all your accounts, etc..)
After doing the scan on my system this thing came up as an exploit: PRegScheduler. I dumped it since I didn't know what the hell it was.
One last thing...This is the IPA that just keeps on coming up on my firewall alert..18.104.22.168.
What do you guys recommend I do with it ?
May 13th, 2003, 08:39 AM
I got this off that IP but I think I might have done the wrong search but you never know... this might actually be the right admins, address, and (ect)
22.214.171.124 - 126.96.36.199
1577 SPRINGHILL ROAD
VIENNA, VA, 22182
188.8.131.52 - 184.108.40.206
1701 E WOODFIELD
ROSEMONT, IL, 60173
And thanks to |The|Specialist I was able to DL his port scanner and I picked up these ports: 21, 25, 110, 135, 139, 389, 515, 1002, 1028, 1031, 1720 & probably others.
May 13th, 2003, 12:34 PM
Qualm's got the 4 major points there for getting rid of a serious cracker. I mean we are talking about a home computer and the fact that he's sending emails to CarefulEugene shows that he's probably doing this more for shits and giggles than for any personal gain because if he continues now that he's known about he has a 500% better chance of getting in serious trouble if he decides to take over any serious accounts like paypal, so long as CarefulEugene logs his ip and reports it. Authorities may not think much of people stealing home users email accounts but when they start taking money they'll listen a little better, though how much depends on the authority.
As for the ip, where are you from? Does this ip show up when the attacker does things to your computer? Because if you're on dial-up it could just be one of your ISP's computers checking to see if you're still online. Granted it could also be the attacker, I'm just saying to check all ip's running through that firewall and check their domain against your own to help narrow it down. A good way to check would be to close all programs like msn messenger/icq or anything that sends data out to the internet and then see what ip's are still trying to connect to your pc, if one shows up out of nowhere and attempts to connect to a high port (1000's and up) then it's a good bet that that's the ip you're after.
One last thing as was already mentioned, any online passwords, go to a different computer and change your passwords asap. If the cracker doesn't get to them before you change the passwords then it will save you a lot of trouble. But don't do it from your computer as any keyoggers/trojans still there may catch the passwords anyways. Not to mention if you change the passwords then he'll be back to try and find them again and you'll have a better chance at getting his ip and reporting him to his ISP.
I also just checked out the web addresses that Amanda gave, winstar does not have a website on winstar.net, but bossintl.com does and it seems to be a forum for engineers. Meaning someone's using one of their servers to bounce off of, one of their admins/employees is decidely being a moron, or someone's little kid is having some fun off daddy's computer which happens to be part of that network. I'd recommend sending an email to their tech support address firstname.lastname@example.org and tell them what has happened and that you keep seeing that ip popping up on your firewall. Chances are they'll check the server if that's what it is and the cracker will lose his ability to bounce off it or they'll get fired if it's someone who works there actually doing it.
Reality is the one who has it wrong, not you
May 13th, 2003, 03:12 PM
PRegScheduler is unlikely to be the entry point, although it can certainly be safely removed. See this discussion: http://www.annoyances.org/exec/forum/win98/n1009837867. It's possible the "legitimate" registration reminder program was replaced by a trojan, but given the level of intelligence this guy is exhibiting, that's unlikely.
As Pecosian recommended, send an e-mail to email@example.com with the details of what has been happening (i.e. that IP is showing up in your firewall log and you suspect it's a compromised machine being used to attack you).
I'd also send an e-mail to firstname.lastname@example.org - Winstar is Boss International's domain registrar and/or ISP, and that *should* be a working e-mail address if they follow accepted norms.
May 13th, 2003, 04:11 PM
i agree that u should install everything over, i have personally used the cleaner, its verygood but a trial, it should work though, but to prevent this, try to scan anything before u download it. dont use a p2p or anything else like it.
May 13th, 2003, 06:51 PM
oh for the love of mike!
Get an AV like McAfee, keep it up to date every day
Get a firewall, may I recomend Outpost (www.agnitum.com It's free and very very good)
Then you can use The Cleaner to get rid of that pesky trojan, even though, with a fire wall in place, it's harmless (More or less).
Then, do as I said above, and change your passwords to something hard...NOT 123password or some crap like that...
Now..if I see one more post about formating coz of a bloody trojan I'll beat you all with a stick! :P
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
May 13th, 2003, 09:52 PM
So who's this mike fella and why's he so great? And why did everyone give up on pete??
I'd agree with Noia about not formatting, I fight with local pc shops when they tell me to format a friends pc coz of something simple like that, then i just go and remove it and they're amazed half the time. I think there should be some kind of course you have to take or some test to prove you're not just some guy who knows how to install windows so you think you can solve any problem with it. I could install windows 3 days after I got it for the first time, and I was 13 at the time.. ah well, I suppose it's why people come to me before they let some of the local stores touch their pc's
Reality is the one who has it wrong, not you
May 14th, 2003, 12:40 AM
what you said that your hotmail account was cracked so he could have used that recent flaw in hotmail so he might not even have a trojan but you should still scan you hardrive nonetheless