Somebody is taking control of my computer

Printable View

Show 40 post(s) from this thread on one page

November 4th, 2004, 01:31 AM
Adrenaline

Somebody is taking control of my computer

Somebody is taking control of my computer, he closes my windows or open my start menu and tries to start an application

i ran the netstat -an command and this is what i get:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3011 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3725 0.0.0.0:0 LIST
TCP 0.0.0.0:3011 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3725 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3728 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3729 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3992 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3994 0.0.0.0:0 LISTENING
TCP 10.0.0.2:3725 207.46.107.170:1863 ESTABLISHED
TCP 10.0.0.2:3728 64.215.171.57:80 CLOSE_WAIT
TCP 10.0.0.2:3729 64.215.171.57:80 CLOSE_WAIT
TCP 10.0.0.2:3992 207.68.178.16:80 CLOSE_WAIT
TCP 10.0.0.2:3994 63.209.221.228:80 CLOSE_WAIT
TCP 10.0.0.2:3995 207.46.108.31:1863 ESTABLISHED
TCP 10.0.0.2:3994 63.209.221.228:80 CLOSE_WAIT
TCP 10.0.0.2:3995 207.46.108.31:1863 ESTABLISHED
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:3004 *:*
UDP 0.0.0.0:3396 *:*
UDP 0.0.0.0:3404 *:*
UDP 0.0.0.0:3407 *:*
UDP 0.0.0.0:3734 *:*
UDP 0.0.0.0:9370 *:*
UDP 10.0.0.2:9 *:*
UDP 10.0.0.2:123 *:*
UDP 10.0.0.2:137 *:*
UDP 10.0.0.2:138 *:*
UDP 10.0.0.2:1831 *:*
UDP 10.0.0.2:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:3014 *:*
UDP 127.0.0.1:3030 *:*
UDP 127.0.0.1:3084 *:*
UDP 127.0.0.1:3363 *:*
UDP 127.0.0.1:3878 *:*
UDP 127.0.0.1:3996 *:*
UDP 127.0.0.1:4542 *:*

i'm not sure how he connects to my pc..
maybe somebody can help me find what port he connects to
November 4th, 2004, 01:48 AM
fyrewall

It is probably a trojan .. Scan your computer with an uptodate virus scanner like AVG and it will hopefully detect it and delete it for you.. or once you find out what it is you can surf the net for an answer on how to clean it :)
November 4th, 2004, 02:03 AM
Soda_Popinsky

Unplug your computer from the network, bring in an AntiVirus like ClamWin or AVG on a CD, plug back in and quickly update the AV's, reboot into safe mode (F8 at boot) and scan. Here is a doc to help out:

http://www.antionline.com/attachment...achmentid=4913

When you are done, update windows from Internet Explorer. Go to tools and select windows update, it is very important that you do this.
November 4th, 2004, 02:19 AM
;TT

What are you talking about? You have MSN running and you have an internet browswer of some sort running... I don't see anything out of the usual... anybody mind pointing out what's wrong there?!
November 4th, 2004, 03:16 AM
Soda_Popinsky

Quote:

Somebody is taking control of my computer, he closes my windows or open my start menu and tries to start an application

I think that screams [strike]sub7.[/strike] a typical trojan.
November 4th, 2004, 04:22 AM
FanacooL

Re: Somebody is taking control of my computer

Quote:

Originally posted here by Adrenaline
Somebody is taking control of my computer, he closes my windows or open my start menu and tries to start an application

There is nothing seems to be wrong with the active connections, but there are trojans which can use some well unkown ports. To detect the trojan simple browse the following registry and paste its values in th thread.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-

Sure you know how to open the registry, if not its regedit command run it and you will see a nw window. When u reach the desire regsitry copy the contents on right hand n paste them here.

Also u can download a scanner from
http://www.glocksoft.com/download.htm which will help u scanning the trojab urself.

Soda_Popinsky
I think that screams sub7.

Well there isn't any Sub7 port open i think all are safe. The normal ports used by sub7 are 1243, 1999, 2773, 2774, 6667, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, 54283 normally, do u have a special one. :eek:
November 4th, 2004, 05:41 AM
Soda_Popinsky

1. My point was that there is a trojan that allows mouse control. Doesn't really matter what the name is, this person is severely owned.
2. Recent trojans include an option to choose the port the hacker would like to operate on (to avoid firewalls or whatever), so using open ports to ID the trojan is pretty much useless.
November 4th, 2004, 11:36 PM
RoadClosed

There is also a decent one this year that allows limited remote control via ICMP. Hows that for hard to detect? Show my a windows box that has that turned off?
;)
November 4th, 2004, 11:43 PM
Adrenaline

thanx for all your awnsers.
i ran a procesmanager to see what proceses are running and here is the out put:
i know i have a couple of spyware in there, but is it possible to use one of them to acces control over my pc.

Process PID CPU Description Company Name
System Idle Process 0 86
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 512 Windows NT Session Manager Microsoft Corporation
csrss.exe 576 2 Client Server Runtime Process Microsoft Corporation
winlogon.exe 600 Windows NT Logon Application Microsoft Corporation
services.exe 644 Services and Controller app Microsoft Corporation
svchost.exe 804 Generic Host Process for Win32 Services Microsoft Corporation
WISPTIS.EXE 3964 Microsoft Tablet PC Platform Component Microsoft Corporation
svchost.exe 904 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 972 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 2484 Windows Security Center Notification App Microsoft Corporation
Smc.exe 1084 3 Sygate Agent Firewall Sygate Technologies, Inc.
svchost.exe 1300 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1368 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1484 Spooler SubSystem App Microsoft Corporation
nhksrv.exe 204
cisvc.exe 240 Content Index service Microsoft Corporation
cidaemon.exe 3484 Indexing Service filter daemon Microsoft Corporation
cidaemon.exe 1764 Indexing Service filter daemon Microsoft Corporation
fpavupdm.exe 288 F-Prot Antivirus Update Monitor FRISK Software
NPROTECT.EXE 452 Norton Protection Status Symantec Corporation
nvsvc32.exe 580 NVIDIA Driver Helper Service, Version 43.45 NVIDIA Corporation
NOPDB.exe 1052 NOPDB Symantec Corporation
svchost.exe 1424 Generic Host Process for Win32 Services Microsoft Corporation
symlcsvc.exe 1040 Symantec Core Component Symantec Corporation
wdfmgr.exe 1844 Windows User Mode Driver Manager Microsoft Corporation
symwsc.exe 2044 Norton Security Center Service Symantec Corporation
alg.exe 3328 Application Layer Gateway Service Microsoft Corporation
lsass.exe 656 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1228 Windows Explorer Microsoft Corporation
CTHELPER.EXE 2872 CtHelper Application Creative Technology Ltd
mouse32a.exe 3000
MsgPlus.exe 3032 Messenger Plus! Patchou
jusched.exe 3052
realsched.exe 3060 RealNetworks Scheduler RealNetworks, Inc.
NetLimiter.exe 3084 NetLimiter LockTime
F-Sched.exe 3096 Scheduler - Windows application FRISK Software International
F-StopW.exe 3448 F-StopW Version 3.15B Frisk Software International
ctfmon.exe 3560 1 CTF Loader Microsoft Corporation
TeaTimer.exe 3700 1 System settings protector Safer Networking Limited
msmsgs.exe 3788 Windows Messenger Microsoft Corporation
firefox.exe 3392 Firefox Mozilla
WINZIP32.EXE 1600 WinZip WinZip Computing, Inc.
procexp.exe 424 8 Sysinternals Process Explorer Sysinternals
rundll32.exe 3752 Run a DLL as an App Microsoft Corporation
msnmsgr.exe 3836 MSN Messenger Microsoft Corporation

Process: Procexp Pid: -2

Type Name

i really want to know how he connects to my pc and can control it...
how do they use the remote control via ICMP?
November 5th, 2004, 01:19 AM
Relyt

Adrenaline,

I noted in your thread that you had Norton and that may be some fairly reputable software. However, I never limit myself to just one AV or means of detecting Viruses and Trojans. Additionally, contrary to their claims, not all AV’s are worth a hoot at detecting Trojans. Therefore, to detect some of the newer Trojans, you really need software that is current and written just for that purpose. Below are a few of the Trojan Cleaners I have used and would recommend. Some are free and some have a 30 day trail. Be sure to write the name of it down verbatim before quarantining or deleting it though. If it’s not detected there are other possibilities.

Swat it
http://swatit.org/

The Cleaner
http://www.moosoft.com/

TDS-3
http://tds.diamondcs.com.au/

Pc Doorguard
http://www.astonsoft.com/whypdg2ultra.htm

In addition to your Norton, surf on over to either HouseCall - Trend Micro or BitDefender for an online scan.

Trend Micro - Free online virus Scan
http://housecall.trendmicro.com/

BitDefender ScanOnline
http://www.bitdefender.com/scan/license.php

Show 40 post(s) from this thread on one page