Been Hacked and need advise

[spi200]

All

I have come home tonight and found out that all our bank accounts and credit card have been cleaned out. It would appear that they have been removing a couple of thousand out of different accounts each day over the past 4 days.
The bank believes that our Internet banking details of my wife have been compromised from our home PC.
Currently running a virus scan, but may need to scan for spyware etc - any advise on what I can use on Windows 2003 would be most helpful.
In total they have accessed two bank accounts and one credit card account. I have been in IT for 25 years and have herd of things like this happening to other people, but I thought that I have enough security in place that I would not be affected. Well I thought wrong, so any help you guys can give me would be most helpful.
I run wireless lan, but have had IP's locked to Mac addresses and I only use WEP and I do not broadcast my wireless network.

Back to scanning

Thanks

David

 

[spi200]

Hi All

I saw another tip on this forum which said to run "Hi jack this" and post the log. It means nothing to me, so any help would be appreaciated.

Logfile of HijackThis v1.99.1
Scan saved at 7:13:14 PM, on 20/08/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GIGABYTE\C.O.M\GCSVR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
E:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CML.exe
E:\Microsoft\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
E:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CML.exe
E:\Microsoft\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
E:\Microsoft\Program Files\Multimedia Launcher\PowerBar.exe
C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Eset\nod32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tray2] C:\WINDOWS\system32\CML.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Microsoft\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "E:\Microsoft\Program Files\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.0.12\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Desktop SMS] C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe /auto
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141527557265

O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) -

http://sib1.pvw.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

http://www.popcap.com/games/popcaploader_v6.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {9FB83033-1010-4696-B79F-EBFDE27FC057} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COM Service - Unknown owner - C:\Program Files\GIGABYTE\C.O.M\GCSVR.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
END

Regards

Dave

 

[electronicsfreak]

Well your log is clean from what I can tell. I do not see anything bad on it. As for your accounts being hijacked, this sounds like the work of a keylogger. Since you are on Windows 2003, im not sure if any of these will work on there but these are what I reccomend.

antivir antivirus (reccomend this for home computers not business)

http://www.free-av.com

avg anti spyware

http://www.ewido.net

Housecall (very good online scanner, works good to check behind programs)

http://housecall.trendmicro.com/

Also, definitely run this.

http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx

Not everything it finds is bad so post the log if you are not sure what it shows.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

 

[spi200]

Hi All

I have downloaded the Sophos root kit finder, but it did not detect anything, ran my NOD32 anti-virus and it did not find anything. Nothing from Windows defender (not surprised). Tried AVG Anti-spyware download and it found Backdoor.doebyt (high risk) - Tried Spware doctor and it found a couple of others including Trojan-pws.bs, but had to buy it to get rid of it.
I will source a good Antivirus for Win 2003 tommorrow, maybe Symantec Norton Enterprise.

See how things go.


Dave

 

[spi200]

Thanks Electronicfreak

Thanks for going over the log file.
I have download and will scan over night running the AVG that you recommended.
I have disconected my Wireless (I used WPA preshared key) not WEP that I said earlier.
Looks like they took two dips into the bank accounts, each of $2000 - daily maximum withdrawal. The bank have escalated to their security team and have indicated that I will get the money back.
Anyway will keep you posted as this may take a few days. I am on the East coast of Australia (GMT+10) so I am off for the night. See how these scans go overnight.


Dave

 

[jdeane]

if you still have the infected files tucked away in quarantine you should upload them to

http://www.virustotal.com/

so that the AV companies can get copies of the samples, it will also show you which AV packages can currently detect the infection.

 

[electronicsfreak]

Setup antivir as follows and then run another scan with it

This is to setup antivir after it has been installed.

Right click on the logo in the taskbar(a red square with a white umbrella), then left click configure. Towards the top left, you will see a box beside expert mode. Check this box. Now click the + beside scanner, and now the + beside scan. This will expand them.

Now click on scan itself to where it is highlighted. Now to the right under files, select the circle beside all files. Now click on action for concerning files. To the right, click the circle beside automatic. Now to the right of that, set primary action to repair and secondary action to delete. DO NOT check the box that says "copy file to quarantine before action".

Now click on archives to where it is highlighted. Make sure all boxes on this page are checked, if not check them. Now click on heuristic. To the right under win32 file heuristic, check the box beside "win32 file heurisitic", then click the circle beside medium detection level.

Now click the + beside guard and the + beside scan to expand them. Now click on scan to where it is highlighted. To the right under scan mode, check "scan when reading and writing". To the right of that under files, click the circle beside "all files".

Now click on heuristic to where it is highlighted. Check the box beside win32 file heuristic, and then click the circle beside medium detecion level. Now click ok and antivir is now setup for scanning.



There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

 

[Ed2020]

Just out of interest why does the bank believe the details have been gained from your home PC? Have they any evidence for this?

Ed Metcalfe.

Please do not feed the trolls.....

 

[spi200]

Thanks guys

I will configure the antivir tonight and see how it goes.
The bank indicated that it was most likely that my machine had been compromised, but this is not absolute by any means. The Bank will investigate and I guess follow the money trail, but I may never find out the end result. I just hope they come good with the cash as they indicated.

Thanks

Dave

 

[electronicsfreak]

Well considering he has removed 2 trojans already, it more than likely was his computer. A lot of trojans contain keyloggers which is most likely how they got the information.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

 

[spi200]

Thanks All

The Bank followed the money trail and found the money had been transfer out to Westpac (another Bank in Aus) and gave our money bank no questions asked.
I have upgraded my Antivirus & spyware so feeling a little moe confident.

Regards

Dave