June 4th, 2004, 12:10 AM
What happened was this idiot on aim said he "IP hacked me", and sent this program called reshack and supposedly, he said he has no control over the programs that it installs. I have a hardware based firewall, so I don't think I can view the firewall logs, or can I? The cleaner didn't catch anything called reshack, though it caught somehing called stumpy and that connects to another server or ftp site and downloads more trojans. The Cleaner already caught stumpy and took care of it. But ever since he said he ip hacked me, it seems as if my netstat readout's don't look normal, or am I just going crazy? Fport does show a lot of svchosts, and I don't remember seeing that many UDP ports, though they all have the *:* next to them, what does that mean? I forgot .
Here is the fport readouts in the attachment. What makes me worry is all the netbios stuff that is listening, I did the security check on norton.com and it said my firewall was keeping me safe, everything except that my computer response to pings. It claims I have the netbios port either closed or stealthed . I know what closed and stealth is but if that is true then why is it listening? Also something called "bootpc" keeps popping up here and there, and only for a couple of seconds, then it dispears, it's a UDP port and it has that *:* thing next to it.
June 4th, 2004, 08:48 AM
Reshack seems to be a program that can be used to modify a lot of AIM functions(icons etc) amongst other activities.I reckon that the guy has your ip,but nothing else unless reshack was bound with something..I would've included links but I wasnt sure bearing in mind the context of AO
PM if you want them or just google around
and The_Duck..accepting files from people you dont know?tsk tsk:P
June 4th, 2004, 01:12 PM
No No... I didn't accept any files. He just said he got my IP from a program and he IP hacked me sending me this file called "reshack" and that it come and goes for seconds and leaves other trojans behind, and then reshack disapears so you can't find it or something. This guy sounded like a script kiddie, he couldn't even tell me how to work the command prompt . I asked him what port it connects to me with and he says he thinks 6647... at least I think that's the port he says...
June 4th, 2004, 04:39 PM
hmm...cant seem to find anything grrr..tell ya what The Duck..how bout you have a peek at your registry and see if they're any suspicious entries?HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
June 4th, 2004, 06:40 PM
I have a related question. My firewall shows I've been scanned twice since yesterday, which is rather unusual, from IP address 22.214.171.124, 80 (couldn't ping it). My ports scanned were 1199, 1200, 1201, 1203, 1204, 1115, 1116, 1117, 1118, and 1119. I'm still learning what all these points are, so which ports are these, and are they hints to anything?
June 4th, 2004, 07:33 PM
Looks like random port scanning by your isp actually,try a reverse DNS..it's crl.verisign.com,it'd have worked even if you'd just typed the ip in your browser
Here's a list of ports...the ports till 1024 are reserved,so I wouldnt worry lookuphttp://www.iana.org/assignments/port-numbers
June 4th, 2004, 08:34 PM
June 4th, 2004, 10:04 PM
The registry looks fine but I couldnt even find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
so... Am I looking for anything in particular in the registry?
Did I mention that I also have a wireless network set up? It's a wireless 2wire connection that we got for the PC and my laptop. Just thought you guys should know incase that makes a difference...
No anti malware program is picking up anything, not even in safe mode. Yest netbios related ports are listening and this program called "bootpc" keeps popping up... I did research on all of these things but I get things I don't understand. I think bootpc relates to linux somehow, according to my research, but I have windows, which made me suspicous...
June 5th, 2004, 06:15 AM
Malware programs wouldnt pick up say,a trojan or a logger The Duck.Well,the registry thing was just an idea,most programs load from it.Does anything look overly suspicious in your HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr
ent Version\Run entry?(Google around for the file names and see if you get anything)
If you're still not sure,get HijackThis(http://www.spywareinfo.com/~merijn/downloads.html
Unzip HijackThis to a permanent directory and run it)
Attach the log and post it here(There's also a HijackThis tutorial on the site,removing the file,if any's more fun if you find it yourself lol
June 6th, 2004, 09:45 PM
I thought malware = spyware, virii, trojans, etc. So wouldnt anti malware programs = AV, spybot, The Cleaner, etc?
I'm such an idiot, I still had Spybot search and destory version 1.2, I just recently got 1.3 now and I ran it, it found some stuff and fixed them, I did another netstat and port 5180 is no longer listening! However, I still have 2 netbios -ssn listening. Can anyone tell me what the *:* in the netbios readouts mean? I forgot what they mean . There are things called netbios -dgm with the *:* next to it. I will try your suggestion when I get back to that computer, which won't be till tuesday or wednesday.