Spyware, Viruses, & Security forum

General discussion

My computer has been hacked 2x

by naivex2 / June 16, 2007 4:38 AM PDT

Intro: I am all new to message boards. I must have posted it in the wrong place b/c someone responded that this should be a new discussion. Many thanks for teaching me the ropes! Now the dilemma:

Short version: while Symantec spent five days (4 1/2 hours via remote access on one of the days) trying to get rid of the continuous alert Bloodhound.Exploit.13, my computer was hacked and everything was taken. Symantec tried to do a file recovery in case things were just scrambled around: "Sorry, everything is gone. There is nothing to recover." I was fortunate enough, in an e-chat with the tech support for my computer (eMachines T5086 / Vista Home Premium), to be able to send it to Gateway for reformatting. Serious damage had been done such that it could only be fixed by sending it to Gateway. I thank them for all their assistance. My computer was reformatted and the factory-installed software reinstalled under the warranty.

The hacker also diverted all my email. A first-level tech at the ISP made a fatal mistake, making it impossible for the higher level to find a footprint of where the mail went. A new user name and password were established at the ISP. 3 days later I ordered a replacement CD to install drivers for the USB cable connecting my computers when I could not find the original CD. Being afraid to contaminate anyone else's computer, I have not given the new address to anyone except when I placed the CD order on a secure website (Laplink).

Deciding it was time to put this experience behind me, I went into email to re-enter all the email addresses of my friends. Imagine my absolute shock when I found that there were 2 emails. The latter was a confirmation of my CD order, and the other was from some unknown being, "Ken Sheffler", with the subject "PC Upgrade." Afraid to open it (who knows the address that I have not given anyone??), I contacted the ISP to open it.

They did and put it onto the screen within the e-chat. The suspicious email mentioned my full name in a cordial letter (paraphrased): "I can be of service to you with a product to connect your computers." It ends with a polite closing statement, such as "Cordially yours," and then the writer's name, Ken.

I don't believe this sole email was just a coincidence that the subject was connecting computers.

The ISP supervisor was of no help. The explanation: (1) You MUST have given someone your address (2) Someone else had the email address before you and that is their mail (3) It's just spam - ignore it.

Contacting Gateway, the answer was that I need to reformat again.

My question is this: I read in your forum about keystrokes and clipboard contents captured by spyware. Can you give me objective advice on what to do? Windows Defender did not find it, nor did McAfee VirusScan. Reformatting does not seem like the answer until I can find out how the "connect the computers" person found out the new email address. Obviously I am still being watched. Each spyware company touts its own horn about its spyware products and ends with the disclaimer that no product is perfect.

How do I proceed?? Help!

Are you patched?
by Donna Buenaventura / June 16, 2007 5:37 AM PDT

May I ask if your Windows had the patches/updates from Windows Update when the attack happened? I ask because I didn't see you mention that you have the Windows updates in place, which is one of the defenses against such attacks.

"My question is this: I read in your forum about keystrokes and clipboard contents captured by spyware. Can you give me objective advice of what to do? Windows Defender did not find it, nor McAfee virus scan. Reformatting does not seem like the answer until I can find out how the "connect the computers" found out the new email address. Obviously I am still being watched.. each spyware company touts its own horn about their spyware products and ends with the disclaimer that no product is perfect.

How do I proceed?? Help!"

I will first consider the advice from your ISP: (3) It's just spam - ignore it.
Some users fall into opening anything out of curiosity. Email is one of the major methods in use to spread malware.

Next, I would change the Internet account's password (to a strong password). Change your email address's password too, to a strong password.

Re-install the system, use the system with a logon password instead of a user account without one, enable the firewall software, install antivirus and antispyware with real-time protection, and patch the system by visiting the Microsoft Update website.

Safehex - http://www.sophos.com/security/best-practice/
There's a lot to do, but using that guide and not opening anything from strangers is something that might save a user.

In addition, no security tool is effective if scanning is not done regularly. Scan often and get a 2nd opinion by scanning again using online scanners.

I believe I am patched
by naivex2 / June 16, 2007 12:24 PM PDT
In reply to: Are you patched?

When the hacker struck the first time, the alert Bloodhound.Exploit.13 would flash every 20 seconds. Symantec assured me (on day #4) that there were some problems but they had fixed them and the computer was safe. Via remote, they read their error logs to see that indeed it was high-alerting every 20 seconds, so I was not exaggerating.

After whatever they did and deemed me safe...

The same alert went off at 11:00pm that same night. I don't know if it is a coincidence that it would go off late at night, because I virtually never saw the alert using the computer during the day.

All security software is up-to-date. McAfee offers all security against spyware, adware and viruses within the computer and the same measures for email and Internet. It updates automatically and now reports that all is well. It works in real time, so it is always on the lookout.

Defender also reports that all is well. Windows Update reports that there are no critical updates - all is well there also. The programs within McAfee are VirusScan, Personal Firewall, SiteAdvisor, SpamKiller, and Privacy Service.

I downloaded Webroot Spy Sweeper today and it found 27 "spy cookies." To get rid of them you would have to purchase the software. Before trying that, I went to Tools under Internet Options and deleted all cookies and history. I re-ran the scan and nothing was found.

I am not one to be curious enough to open emails from unknown sources, nor anything that has a tempting subject to pique one's curiosity. My security programs each say that they block spyware before the consumer even knows of its existence.

So now I need to know the answer to another question: if all this security did not find anything, and if I reformat again, what is missing in my security measures that it was hacked in the first place?

The only difference between then and now is that I am using McAfee instead of Norton.

And if you believe the email was just spam, then I will relax although it is still freaky that it contained my full name.

Still, this evening when I went online to print out my bank statement to balance my checkbook, there was an additional credit card that came out of nowhere. I called the bank - they say the account was opened in 2003 and closed in 2004. I told them that regardless, I have never had a business Visa, and how did it get attached to my other accounts if it was not there just yesterday? The matter will go to credit card fraud, and the bank also shut down online access as a precaution.

There is also a Bank of America alert email today. Needless to say, I will not open it.

Am I more protected than I think, if you believe the email to be spam (meaning that I was not hacked to get the email address)?

I read about McAfee firewall lockdown. Would it help to lock down while I enter all user names and passwords?

The said patch needs a re-run
by Donna Buenaventura / June 16, 2007 4:14 PM PDT
In reply to: I believe I am patched

>>>>>So now I need to know the answer to another question: if all this security did not find anything, if I reformat again, what is missing in my security measures that it was hacked in the first place.

I don't know how you installed the patch, but one of the methods that Microsoft and some researchers (e.g. Internet Storm Center) advised users to follow is to re-run it for each of the affected programs or affected components. To ensure that the patch is installed, there is a "GDI+ Detection Tool" that will point the user to which products on their computer require patching. Some software vendors provided a security patch for it too.

So if you did not do that, that is what you've missed.

The problem was that not only Microsoft products were affected by the vulnerability but also 3rd-party software that uses GDI+, and if your computer contains a vulnerable GDI+, your security software (whether that is Norton, McAfee, etc.) is not a solution.

The 2nd problem is that even if the system is patched and the security solution is in place, the user shouldn't rely on it all the time, because it depends on the attack and the user. If the user continues to click, open and view... no tool will help, especially if the system and applications are NOT fully patched.

If we review the cause of the attack... we'll see that the cause "maybe" that you were persuaded to view something you shouldn't have (from a spammer, from an attacker via email, or from a site):

Bloodhound.Exploit.13
http://www.symantec.com/security_response/writeup.jsp?docid=2004-091516-5119-99&tabid=2
"Microsoft Security Bulletin MS04-028 describes a vulnerability in the JPEG parser of the GDI+ library, which various Microsoft operating systems and software packages use."

MS04-028
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

Windows XP, Window XP Service Pack 1, and Windows Server 2003 are the only operating systems that contain the vulnerable component by default. By default, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000, and Windows XP Service Pack 2 are not vulnerable to this issue. However, the vulnerable component will be installed by any of the programs listed in the affected software section of this bulletin on these operating systems and you should install the appropriate security update for those programs.

Write-up by US-CERT
http://www.us-cert.gov/current/archive/2004/11/09/archive.html
By convincing a victim to view a specially crafted JPEG image with a program that uses the GDI+ library, an attacker could execute arbitrary code with the privileges of the victim.

>>>>And if you believe the email was just spam, then I will relax although it is still freaky that it contained my full name.

There's a lot of spoofing and phishing, and there are people who fall for it. Their bank accounts were affected.

>>>>I read about mcafee firewall lockdown. would it help to lockdown while I enter all user names and passwords.

It should help, but make sure that your system is fully patched, ensure that the patch is installed (use MBSA, Secunia Security Inspector, Belarc PC Audit, etc.) and that your software from other vendors is also patched. Old versions are usually among the affected programs and are always vulnerable, no matter how many definitions are installed.
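To make the "specially crafted JPEG" in the bulletin text above concrete, here is an added example that is not part of the thread and not code from Symantec, Microsoft or US-CERT: a small Python check that walks a JPEG file's marker segments and flags any segment whose 16-bit length field is below the 2-byte minimum the format requires. That under-length comment (COM, 0xFFFE) segment is the publicly documented malformed shape behind the MS04-028 GDI+ bug, where the parser subtracts 2 from the length and underflows. The two sample files are constructed inline for the demonstration and are not real samples; the check is a triage aid for a suspect attachment and says nothing about whether a given copy of gdiplus.dll is patched.

```python
"""Flag JPEG marker segments whose length field is below the 2-byte minimum.

An under-length COM segment is the malformed input pattern documented for
MS04-028 (GDI+ JPEG parsing). Sample inputs below are constructed inline.
"""
from __future__ import annotations

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Stand-alone markers that carry no length field: TEM and RST0..RST7.
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}


def scan_jpeg_segments(data: bytes) -> list[str]:
    """Walk the marker segments of a JPEG and return a list of findings.

    An empty list means the segment headers looked sane. Parsing stops at
    SOS, because entropy-coded scan data follows and is not segment-structured.
    """
    findings: list[str] = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker prefix 0xFF, got 0x{data[pos]:02X}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker; skip it
            pos += 1
            continue
        if marker == EOI:
            break
        if marker in NO_LENGTH:       # no length field to validate
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: marker 0xFF{marker:02X} truncated before its length field")
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            # The length field counts itself, so anything below 2 is invalid;
            # a parser that computes payload = length - 2 underflows here.
            findings.append(
                f"offset {pos}: marker 0xFF{marker:02X} length field {length} < 2 "
                "(length - 2 underflows; MS04-028 pattern)"
            )
            break
        end = pos + 2 + length
        if end > len(data):
            findings.append(
                f"offset {pos}: marker 0xFF{marker:02X} claims {length} bytes "
                f"but only {len(data) - pos - 2} remain"
            )
            break
        if marker == SOS:
            break
        pos = end
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed marker segment (length field counts itself)."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: SOI, a JFIF APP0 segment, a valid 5-byte comment, EOI.
JFIF_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
BENIGN_JPEG = b"\xFF\xD8" + JFIF_APP0 + _segment(COM, b"hello") + b"\xFF\xD9"

# Constructed sample: same header, then a COM segment with length field 0x0001,
# which is invalid (minimum is 2). This is a format-level stand-in, not an exploit.
MALFORMED_JPEG = b"\xFF\xD8" + JFIF_APP0 + b"\xFF\xFE\x00\x01" + b"A" * 8 + b"\xFF\xD9"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        print(name, scan_jpeg_segments(sample) or ["no findings"])
```

The check deliberately stops at the first bad length rather than trying to resynchronise, since once a length field is wrong every later offset is untrustworthy; a triage tool should report and quarantine, not guess. Run it over a whole mailbox dump or browser cache directory by reading each file as bytes and calling `scan_jpeg_segments`.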
