Have I Been Hacked?

I've been experiencing problems since I received an email from somebody (in alias form) stating that I should be wary of a virus called jdbgmgr.exe and that I should carry out a procedure to ensure I wasn't infected. An hour later I received another stating that I should ignore the first email (the irony of it), as it was a joke.

The good news is that I have Norton Internet Security (I think) - the bad news is that it was not up-to-date (please don't shout at me), as I couldn't afford the subscription to download new virus thingies. Well, I've now found the money, but, it maybe too late. I've checked the Firewall log and noticed that it has blocked many communications coming into the unused port, inbound IP fragments, Backdoor/SubSeven Trojan, and other stuff - and that's just today. So, it is working - but there was a lapse of several months - at least for the viruses.

Since that email I have been experiencing major problems with my PC. For example, I can't download Window Updates (it takes hours just to download stuff and then just hangs there), it won't let me restore my PC back to a previous time, my Disk Doctor won't work (it tells me there are problems but won't fix them), and it won't even let me run Virus Scan - it tells me that "…a required .DLL file S32STAT.DLL was not found". When I ran Scan Disk it kept telling me that another program was already running and causing a conflict. This was despite me shutting everything down - even my Norton Utilities. Everything is running much slower than it normally is (I have an Advent 3200 PC, Pentium 4, 1800, 256.OMB RAM, and I'm using Windows ME).

Norton won't help (despite my subscription fee) because I have an out-of-date disk (Norton Internet Security Family Edition 2000). No wonder bloody Barclays were giving them away!

So, why am I so paranoid? Well, this guy is a known troublemaker (which is an understatement). I know he has hacked into my university server and is able to get into everybody's mailboxes. He has many aliases and uses them to fool people into believing he is somebody else - sometimes female. I told him I was aware of what he was doing and I warned my friends not to post anything private via the university mailboxes. He found out - I wonder how???? I received a warning shot across my bows (via another of his alias). Thing is, he used to be a friend and he knows my emails addresses, my home address, my telephone number. How difficult would it be to hack into my PC? And if he is there, how do I get him out? Incidentally, he is studying for a degree in IT, so I suspect he is honing his skills. BTW, I ran the Shields-Up program and was told that I had stealth capabilities but I may have inadvertently let him in some other way.


So, should I get rid of Norton and try, say, www.zonelabs.com instead? Or, will I have the same problem with that system - being told that there is a .dll file missing?

Any help anybody can give me would be gratefully received. Erm, sorry for the length of this post.

Can you publish his e-mail & IP? :)

i believe that is a hoax and to follow its directions on deletion, would compromise your system. i will try to find some sites. you may need to back up what you can and format your hdd, then reinstall your OS. since you had a trojan on there there is no telling what is compromised. one thing is for sure, you need to change all your passwords!

edit:
here is a discription of the hoax from symantec (norton). http://www.symantec.com/avcenter/ven...file.hoax.html

Quote:

---

believe that is a hoax and to follow its directions on deletion, would compromise your system. i will try to find some sites. you may need to back up what you can and format your hdd, then reinstall your OS. since you had a trojan on there there is no telling what is compromised. one thing is for sure, you need to change all your passwords!

edit:
here is a discription of the hoax from symantec (norton). http://www.symantec.com/avcenter/ve....file.hoax.html

---

You wouldn't believe how many people have called me about that! I have a backup copy of the file for those who actually deleted it, but I haven't noticed a difference on the machines that have had that deleted. Thats why they make group policies. ;)

Check and make sure your not a victim of the Bugbear virus .... I know that it will shutdown firewalls and virus scanners, including Nortons (a non-computer savvy relative fell victim recently) and it opens a port and listens for commands from the hacker. ... Symantec has a good write up at: http://[email protected]

Just a suggestion and something else to look for if your virus definitions have been out-of-date for some time.

Something else that might be of interest to you is here:

http://www.symantec.com/avcenter/ven...file.hoax.html

"This is a hoax that, like the SULFNBK.EXE Warning hoax, tries to persuade you to delete a legitimate Windows file from your computer. The file that the hoax refers to, Jdbgmgr.exe, is the Microsoft Debugger Registrar for Java. It may be installed when you install Windows.

NOTE: Recent version of this hoax take advantage of the recent outbreak of the W32.bugbear@mm worm, and the fact that the Jdbgmgr.exe file that is mentioned in the hoax has a bear icon. The actual W32.bugbear@mm worm file is an .exe file and does not have a bear icon."

QUOTE: Can you publish his e-mail & IP?

LOL - I doubt it would do me any good, RogueSpy. He would probably sue me! He has covered his tracks so well at my university that despite many people knowing it is him, they can't do anything about it.


QUOTE: i believe that is a hoax and to follow its directions on deletion, would compromise your system.

Sorry, I should have been more specific. I didn't actually follow the instructions in the email, as I sensed it was a hoax - especially coming from this person. However, I've had loads of email from this person in one form or another (graphics even). I was wondering if he might have put something in one of them that would attach itself into my PC as soon as I opened it?

QUOTE: i will try to find some sites. you may need to back up what you can and format your hdd, then reinstall your OS. since you had a trojan on there there is no telling what is compromised. one thing is for sure, you need to change all your passwords!

Thanks pak. Unfortunately, I can't format my hdd - it won't let me. Windows ME came with the PC and the recovery CD's no longer work - keeps telling me I need to load them from DOS - but then nothing happens. I will take your point about changing my passwords. Only thing is, I tried to change my password on Netscape but it keeps telling me that my poscode (zipcode) is not recognised. Keep going round in circles. This is driving me insane.

QUOTE: Check and make sure your not a victim of the Bugbear virus .... I know that it will shutdown firewalls and virus scanners, including Nortons (a non-computer savvy relative fell victim recently) and it opens a port and listens for commands from the hacker. ... Symantec has a good write up at: http://[email protected] [/B]

OMG, that sounds about right! Whatever it is, it seems to have shutdown everything I could use to get my system back up. Thanks, Phat_Penguin. Now, if only I could get my Norton virus scan to work!

Incidentally, I've noticed that my modem keeps starting up on it's own. I'm not on broadband. Would a hacker need my PC to be online to access it?

I did read the FAQ's before posting but nothing really could answer any of my questions. I've found lots of places to go for firewalls and the like - is it OK to have more than one firewall on your PC, will they confilct with Norton's (the one I already have), for example?

In the meantime, I'm going to have a look at the following and see if there is anything useful there (found on AntiOnline).

http://www.geektools.com/cgi-bin/proxy.cgi
www.neoworx.com.
www.cracks.am
http://www.moosoft.com/
http://www.lavasoftusa.com/
[email protected]
www.agnitum.com
www.zonelabs.comCan you publish his e-mail & IP?

hi sputnik.. welcome to AO..

first off, I should mention that going to cracks.am isn't going to help you.
I dont know if someone suggested that site to you or what.. but it's a site
that provides illegal cracks to software.. and at AO we kinda frown upon warez
and other illegal activities.. I don't feel you deserve negative AP's for this..
you probably got misled in thinking that this place would be helpful..
in fact, sites like those are ones you should avoid.. especially if you haven't
applied security patches to your browser. (like active scripting)

to answer your question tho.. no.. you don't run two firewalls concurrently.
a better protection is to use a software AND a hardware firewall (like a hub/router)

but your problem at this point really is.. getting an antivirus program to work to get
rid of what viri you have on there now.. and it might require you to have to reinstall
your AV software.. or if things are real bad.. reinstall your whole OS.

you might try a dos based AV program (norton does this) f-prot has a free dos version (search google for it)
that's fairly small .. you can download it.. with the latest ref files and uncompress and
put it on 2 diskettes and copy to your HDD.. ( booted up into dos mode) and run and
scan from there.

Quote:

---

Incidentally, I've noticed that my modem keeps starting up on it's own. I'm not on broadband. Would a hacker need my PC to be online to access it?

---

I guess not if a program/script has been uploaded to your machine automate the process. My linux machine dials back in on a disconnect automatically (as per my settings) - I have never had the need to explore this option under a Windows OS, I would imagine there would be something out there to do the same.

Symantec's site gives a detailed description on how to discover if you are infected and a solution.

Good luck and I hope you sort your problem soon,

PP

PS - have a look at AVG Virus scanner at www.grisoft.com ... its free and the current definitions will get Bugbear and others .... you can always delete it and restore Nortons once you have cleaned your machine.

start up your computer in adminstor run norton that should work i'm a computer tech and i have to fix virus problems alot. if that does not work format if you have to make sure you scan
any save files you back up. when you have a computer that won't let you format try useing a bootdisk. hope this helps you :)

Quote:

---

Originally posted here by sumdumguy
hi sputnik.. welcome to AO..
Thanks, sumdumguy.

first off, I should mention that going to cracks.am isn't going to help you. I dont know if someone suggested that site to you or what.. but it's a site that provides illegal cracks to software.. and at AO we kinda frown upon warez and other illegal activities.. I don't feel you deserve negative AP's for this..
you probably got misled in thinking that this place would be helpful.. in fact, sites like those are ones you should avoid.. especially if you haven't
applied security patches to your browser. (like active scripting)
Ah! right, I didn't know that. Somebody suggested it as a place to crack the code on a program they thought might help. I shan't go there then. As you can guess, I'm no expert and only just getting used to some of the jargon.

to answer your question tho.. no.. you don't run two firewalls concurrently. a better protection is to use a software AND a hardware firewall (like a hub/router)
Sorry about this but, how do I get a hardware firewall? Or rather, can you suggest a good one? I take it that Norton's is a software firewall.

but your problem at this point really is.. getting an antivirus program to work to get rid of what viri you have on there now.. and it might require you to have to reinstall your AV software.. or if things are real bad.. reinstall your whole OS.
Yep. Unfortunately, that is not an option. I've tried System Restore but my PC won't let me do that. I've tried reinstalling Windows ME, but it won't let me do that either. Whatever is in my PC is good - it's like check-mate!

you might try a dos based AV program (norton does this) f-prot has a free dos version (search google for it) that's fairly small .. you can download it.. with the latest ref files and uncompress and put it on 2 diskettes and copy to your HDD.. ( booted up into dos mode) and run and scan from there.

---

Thanks - I'll give that a go. As I've said, I'm new to all this. Once I've been shown how to do something I'm OK, but I do need some hand-holding when it comes to this type of thing <slightly embarrassed>. Thanks for all your help.

sputnik...

You also need to close the tags after you open them...LOL you'll get the hang of it real soon.
Welcome to AO :D

Originally posted here by Phat_Penguin


I guess not if a program/script has been uploaded to your machine automate the process. My linux machine dials back in on a disconnect automatically (as per my settings) - I have never had the need to explore this option under a Windows OS, I would imagine there would be something out there to do the same.
OK

Symantec's site gives a detailed description on how to discover if you are infected and a solution. Good luck and I hope you sort your problem soon.
Thanks.


PS - have a look at AVG Virus scanner at www.grisoft.com ... its free and the current definitions will get Bugbear and others .... you can always delete it and restore Nortons once you have cleaned your machine.
Once I've finished replying to these posts I'm going to check out the various sites. Thanks for all your help.

Quote:

---

Originally posted here by aeallison
sputnik...

You also need to close the tags after you open them...LOL you'll get the hang of it real soon.
Welcome to AO :D

---

LOL - just found out. BTW, how do you put a smilee in the body of your post? I've got a feeling that there is a how to do page around here somehwere but my puter is so slow at the moment that it is taking an age just to get between pages.

Know how to put in the one you've got = :D I guess what I'm asking is, where do I find the script for the rest of them?

When you edit a post look in the left column and select enhanced mode, javascript:opensmiliewindow(500,200,'') is the link to the full list of smilies :brickwall sometimes the editor will erase some of what you type if you click on the graphic, so, I suggest entering the text relating to it manually...hope this helps.

<edit>LOL... I can't make it work....hmmmm I was trying to give you the link to the full smilies list....it is in the left column of the edit screen... sometimes me and the editor have to experiment in order to get it to work right, I guess i am not much of a teacher :rolleyes: </edit>

Quote:

---

Try This....hehe

---

I am assuming that you really are a victim here and not just overacting to some shortcoming of Win98 (of which there were many). Win 98 slowing down to a crawl is nothing new and can even be a result of not being rebooted once a day or so. What you have said so far does not sound so simple, though, so I'll go through some emergency tricks.

I'm a little out of practice on Win 98, but there are some things you might try. (Note that I don't have any systems running Win 98 right now to check these out before suggesting them.)

1) Can you boot your recovery cd? This may require a change in your BIOS to modify the boot up sequence, but most fairly new machines allow this and it would be difficult (probably not impossible) to interfere with a cold boot from the recovery disk. If you can start the restore and there is an option to reformat the hard drive, I believe that's what I would do.

2) Usually recovery disks have an alternate way of booting (in case the hard drive goes south, or whatever). If you can't find a floppy boot disk, contact your vendor for help. This boot disk should contain a driver for your CD and possibly a recovery batch file in addition to the boot files.

3) If I remember properly, formatting a 3 1/2 inch drive with the /s switch in a dos window produces a boot disk. If your CD manufacturer provides a downloadable DOS driver, you could add that to the boot disk (so you can access the CD), make suitable changes in config.sys to load it, add mscdex to autoexec (mscded should be on your system somewhere, but I have forgotten the default location for it). Then you can do a clean boot using that disk and then run your restore CD from DOS. Even better would be to prepare the boot disk from another machine to allow for the possibility of one of the above files being infected with a virus or whatever. You could try all this with the driver on your computer, but there's the chance that someone has changed it. Also, there are web sites that offer drivers such as

http://www.driverzone.com/

If none of this works, let us know and we can possibly think of other things.



3)

Quote:

---

Originally posted here by aeallison
When you edit a post look in the left column and select enhanced mode, javascript:opensmiliewindow(500,200,'') is the link to the full list of smilies sometimes the editor will erase some of what you type if you click on the graphic, so, I suggest entering the text relating to it manually...hope this helps.

<edit>LOL... I can't make it work....hmmmm I was trying to give you the link to the full smilies list....it is in the left column of the edit screen... sometimes me and the editor have to experiment in order to get it to work right, I guess i am not much of a teacher </edit>

---

Thanks aeallison - I've book-marked the smilee page - it's brill! :hello:

Quote:

---

Originally posted here by GandalfTheGray
I am assuming that you really are a victim here and not just overacting to some shortcoming of Win98 (of which there were many). Win 98 slowing down to a crawl is nothing new and can even be a result of not being rebooted once a day or so. What you have said so far does not sound so simple, though, so I'll go through some emergency tricks.

I'm a little out of practice on Win 98, but there are some things you might try. (Note that I don't have any systems running Win 98 right now to check these out before suggesting them.)

1) Can you boot your recovery cd? This may require a change in your BIOS to modify the boot up sequence, but most fairly new machines allow this and it would be difficult (probably not impossible) to interfere with a cold boot from the recovery disk. If you can start the restore and there is an option to reformat the hard drive, I believe that's what I would do.

2) Usually recovery disks have an alternate way of booting (in case the hard drive goes south, or whatever). If you can't find a floppy boot disk, contact your vendor for help. This boot disk should contain a driver for your CD and possibly a recovery batch file in addition to the boot files.

3) If I remember properly, formatting a 3 1/2 inch drive with the /s switch in a dos window produces a boot disk. If your CD manufacturer provides a downloadable DOS driver, you could add that to the boot disk (so you can access the CD), make suitable changes in config.sys to load it, add mscdex to autoexec (mscded should be on your system somewhere, but I have forgotten the default location for it). Then you can do a clean boot using that disk and then run your restore CD from DOS. Even better would be to prepare the boot disk from another machine to allow for the possibility of one of the above files being infected with a virus or whatever. You could try all this with the driver on your computer, but there's the chance that someone has changed it. Also, there are web sites that offer drivers such as

http://www.driverzone.com/

If none of this works, let us know and we can possibly think of other things.
3)

---

Thanks GandalfTheGray for your suggestions. I suspect I cannot try these things as my PC (or the virus) won't let me (see previous posts). Having failed to System Restore, Boot from the Product Recovery disks, or even use Norton to scan for viruses, I can't see it allowing me to do what you suggest. Please bear in mind that I am no expert and could barely follow some of your suggestions (sorry). BTW, I don't have Win98 but Windows ME.

At somebody's suggestion - I've just downloaded 'The Cleaner' from Moosoft, which took several minutes. When it got to the end of the download, a window popped up saying that a required .DLL file S32STAT.DLL was not found. So, I can't even download stuff to get me out of this mess. Whatever is now in my PC has wiped out an all important file that stops me getting it back to the way it was.

As to over-reacting - I don't know. Thing is something has gone dreadfully wrong since I had that weird email from that person (a known hacker). I've just read about Bearbug and found that I have very similar symptoms to those suggested. I really don't know what to do next.

You say that the .dll file is missing , right? I'm not sure how to put this to good use but I found a site where you can download the file you need http://wwwpw.physics.uiowa.edu/~rlb/...gram/SYMANTEC/ . I hope it helps out. I assume you find where the .dll file goes and put it there. The other guys are probably more knowledgable on this.

treyain

Quote:

---

Originally posted here by treyain
You say that the .dll file is missing , right? I'm not sure how to put this to good use but I found a site where you can download the file you need http://wwwpw.physics.uiowa.edu/~rlb/...gram/SYMANTEC/ . I hope it helps out. I assume you find where the .dll file goes and put it there. The other guys are probably more knowledgable on this.

treyain

---

Thanks treyain. I will try that site out.

Funnily enough, I've just found the following site: http://www.dll-files.com/ I couldn't believe my luck, as it's free and offering to find any .DLL file. So, I typed in my missing file and it came up with a blank page!!!! Either the site doesn't have that .DLL file or the bug is stopping me downloading it. Or worse, the hacker is sitting at his computor, watching everything I am doing it and counteracting it. I have got to the stage were I want to throw my PC through the window. Thing is, as I am accessing various windows and Websites, things are going haywire. Things keeping popping up saying this and that will close (fatal error and all that).

Thanks to you and everybody who is helping - I really appreciate it. I've tried giving some of you positive antipoints but, as a newbie, I can't do it just yet.

Quote:

---

Originally posted here by sputnik


QUOTE: Can you publish his e-mail &amp; IP?

LOL - I doubt it would do me any good, RogueSpy. He would probably sue me! He has covered his tracks so well at my university that despite many people knowing it is him, they can't do anything about it.


QUOTE: i believe that is a hoax and to follow its directions on deletion, would compromise your system.

Sorry, I should have been more specific. I didn't actually follow the instructions in the email, as I sensed it was a hoax - especially coming from this person. However, I've had loads of email from this person in one form or another (graphics even). I was wondering if he might have put something in one of them that would attach itself into my PC as soon as I opened it?

QUOTE: i will try to find some sites. you may need to back up what you can and format your hdd, then reinstall your OS. since you had a trojan on there there is no telling what is compromised. one thing is for sure, you need to change all your passwords!

Thanks pak. Unfortunately, I can't format my hdd - it won't let me. Windows ME came with the PC and the recovery CD's no longer work - keeps telling me I need to load them from DOS - but then nothing happens. I will take your point about changing my passwords. Only thing is, I tried to change my password on Netscape but it keeps telling me that my poscode (zipcode) is not recognised. Keep going round in circles. This is driving me insane.

QUOTE: Check and make sure your not a victim of the Bugbear virus .... I know that it will shutdown firewalls and virus scanners, including Nortons (a non-computer savvy relative fell victim recently) and it opens a port and listens for commands from the hacker. ... Symantec has a good write up at: http://[email protected]

OMG, that sounds about right! Whatever it is, it seems to have shutdown everything I could use to get my system back up. Thanks, Phat_Penguin. Now, if only I could get my Norton virus scan to work!

Incidentally, I've noticed that my modem keeps starting up on it's own. I'm not on broadband. Would a hacker need my PC to be online to access it?

I did read the FAQ's before posting but nothing really could answer any of my questions. I've found lots of places to go for firewalls and the like - is it OK to have more than one firewall on your PC, will they confilct with Norton's (the one I already have), for example?

In the meantime, I'm going to have a look at the following and see if there is anything useful there (found on AntiOnline).

http://www.geektools.com/cgi-bin/proxy.cgi
www.neoworx.com.
www.cracks.am
http://www.moosoft.com/
http://www.lavasoftusa.com/
[email protected]
www.agnitum.com
www.zonelabs.comCan you publish his e-mail &amp; IP? [/B]

---

Hi sputnik,
The fact that your modem will autodial often on its own might be an indication of a trojan virus or a worm in your PC.
I use the system monitor tool to check if this is the case. Do this: close all your running apps and shut down all task bar items. Then go to <start> <proramms> < system tools> <system monitor> and watch the %processor time curve for a while. If it rises to a large % value you most likely have an undesired process running in the backgroud.
In order to get rid of most new generation trojans or worms you will have to start up windows ME in safe mode.
I can also suggest you run the "netstat -an" command in a DOS window and take note of the open TCP or UDP port. Then go to the well known Antivirus Libraries and check for viruses using ports numberd over 1000.
I hope this is not to technical.
I wish you luck.
Regards,
otsenre ;)

You should be able to get to the BIOS before any software loads, so I am pretty sure you can make it boot from a cd if the BIOS includes that as an option, regardless of any software someone has put on your machine. You may not know how to go the the BIOS setup on reboot (I don't remember the magic on all my machines.) If you have a logo (like DELL, etc) when you boot, there may be a message somewhere on the screen on how to get to BIOS setup ( It'll be something like CNTL-DELETE, possibly some function key, or some other unlikely key combination). If you have manuals on your machine, they may tell you something. When you do cold boot, there will probably be some indication of the maker of your BIOS and its serial number, even if only very briefly. This would tell you who to contact to learn how to get to the BIOS setup. Check this out, since if you can boot from the recovery cd, nothing someone has installed on the HD can prevent you from recovering.

Give this a try and give us the result. If it doesn't work or you can't figure out how to do it, let us know what you tried and what happened. I doubt that someone can really keep you from restoring your system if you have a good restore disk.