I'm sorry if this is not the right forum to post this.

2 days ago, something strange happened to our work computers. It
happened to our Windows 2003 server and several other users' PCs (Win2K and
Win XP). A cmd.exe window will pop up but no script is shown. Then, IE will be
opened by itself and go to websites like rotten.com showing gross pics,
Google, etc. Also, sometimes Solitaire, Calculator, My Documents will be
opened too. This happens randomly throughout the day.

I've checked the firewall logs, ran Spybot, adware and virus scans. But
couldn't detect anything. Searched on Google for a similar incident, but didn't
find anything either :(

Please help as I'm clueless of what to do next in order to get rid of this
prob! I really appreciate your help.

Thanks,
KH

Re: Computers got Hacked?? Please Help!!! by Colin

Colin
Sun Sep 19 02:17:39 CDT 2004


"itsupport" <itsupport@discussions.microsoft.com> wrote in message
news:446A0EFF-1D5C-435B-905D-A73873CDA666@microsoft.com...
> I'm sorry if this is not the right forum to post this.
>
> 2 days ago, something strange happened to our work computers. It
> happened to our Windows 2003 server and several other users' PCs (Win2K
> and Win XP). A cmd.exe window will pop up but no script is shown. Then, IE
> will be opened by itself and go to websites like rotten.com showing gross
> pics, Google, etc. Also, sometimes Solitaire, Calculator, My Documents will
> be opened too. This happens randomly throughout the day.
>
> I've checked the firewall logs, ran Spybot, adware and virus scans. But
> couldn't detect anything. Searched on Google for a similar incident, but
> didn't find anything either :(
>
> Please help as I'm clueless of what to do next in order to get rid of this
> prob! I really appreciate your help.
>
> Thanks,
> KH

I've never heard of those symptoms, but you really should format all of them
and reinstall Windows (carefully back up the data, but don't just blindly
back up each file and put them back on the rebuilt systems). Yes, this is
drastic but it's the only way to be sure that there is nothing left. The
systems have been compromised and they aren't your computers any more ;)
For home PCs, I might suggest trying to clean out the infection but in a
business environment you need to be more careful.

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx



Re: Computers got Hacked?? Please Help!!! by Christo

Christo
Sun Sep 19 04:17:50 CDT 2004


"itsupport" <itsupport@discussions.microsoft.com> wrote in message
news:446A0EFF-1D5C-435B-905D-A73873CDA666@microsoft.com...
> I'm sorry if this is not the right forum to post this.
>
> 2 days ago, something strange happened to our work computers. It
> happened to our Windows 2003 server and several other users' PCs (Win2K
> and Win XP). A cmd.exe window will pop up but no script is shown. Then, IE
> will be opened by itself and go to websites like rotten.com showing gross
> pics, Google, etc. Also, sometimes Solitaire, Calculator, My Documents will
> be opened too. This happens randomly throughout the day.
>
> I've checked the firewall logs, ran Spybot, adware and virus scans. But
> couldn't detect anything. Searched on Google for a similar incident, but
> didn't find anything either :(
>
> Please help as I'm clueless of what to do next in order to get rid of this
> prob! I really appreciate your help.
>
> Thanks,
> KH

sounds like a trojan but since there are no viruses found it must be someone
local (already on the network)



Re: Computers got Hacked?? Please Help!!! by Karl

Karl
Sun Sep 19 09:07:05 CDT 2004


"Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
news:eUlKBjhnEHA.3460@tk2msftngp13.phx.gbl...

> I've never heard of those symptoms, but you really should format all of
> them and reinstall Windows (carefully back up the data, but don't just
> blindly back up each file and put them back on the rebuilt systems). Yes,
> this is drastic but it's the only way to be sure that there is nothing
> left. The systems have been compromised and they aren't your computers any
> more ;)

I wouldn't recommend this without first finding out what caused this and how
to fix it. What if they reimaged every computer and then it happened a
minute later?




Re: Computers got Hacked?? Please Help!!! by Karl

Karl
Sun Sep 19 09:11:54 CDT 2004


"itsupport" <itsupport@discussions.microsoft.com> wrote in message
news:446A0EFF-1D5C-435B-905D-A73873CDA666@microsoft.com...
> I'm sorry if this is not the right forum to post this.
>
> 2 days ago, something strange happened to our work computers. It
> happened to our Windows 2003 server and several other users' PCs (Win2K
> and Win XP). A cmd.exe window will pop up but no script is shown. Then, IE
> will be opened by itself and go to websites like rotten.com showing gross
> pics, Google, etc. Also, sometimes Solitaire, Calculator, My Documents will
> be opened too. This happens randomly throughout the day.

This doesn't sound like most viruses. Could be an internal prank by someone
there, or a remote control Trojan. Make sure your network has a firewall,
and that your anti-virus has been updated in the past week.

AV can be disabled by attackers so that it looks like it is still working.
Try running a second opinion AV scan by going to
http://housecall.antivirus.com

Also, Windows root kit functionality can hide viruses from the locally
logged in user... try using a known virus free computer to scan other
computers across the network using a Windows networking share and regular
anti-virus. You could also use an anti-virus boot floppy disk from your
antivirus vendor or a free live boot rescue CD from BitDefender.

If these don't help, see here:

http://securityadmin.info/faq.asp#startup
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden



Re: Computers got Hacked?? Please Help!!! by jeff

jeff
Sun Sep 19 10:54:33 CDT 2004

On Sat, 18 Sep 2004 23:23:03 -0700, itsupport
<itsupport@discussions.microsoft.com> wrote:

>2 days ago, something strange happened to our work computers. It
>happened to our Windows 2003 server and several other users' PCs (Win2K and
>Win XP). A cmd.exe window will pop up but no script is shown. Then, IE will be
>opened by itself and go to websites like rotten.com showing gross pics,
>Google, etc. Also, sometimes Solitaire, Calculator, My Documents will be
>opened too. This happens randomly throughout the day.
>
>I've checked the firewall logs, ran Spybot, adware and virus scans. But
>couldn't detect anything. Searched on Google for a similar incident, but didn't
>find anything either :(
>
>Please help as I'm clueless of what to do next in order to get rid of this
>prob! I really appreciate your help.

Sounds like a prank more than a virus or trojan, but if someone has
access to your system you've already lost. Might try rollbacks on the
XP systems for a start, restore from backup prior to two days ago for
the rest. Auditing security events would help track this, ensuring
systems are properly firewalled and disconnecting from an internet
connection to determine if this is internal or external might all be
prudent.

I also happen to subscribe to the "slash and burn" policy, nuke 'em
all and rebuild. While nice to know the cause, if your business is at
risk a full-on assault is warranted.

Jeff
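
The security-event auditing suggested in the post above, as an added example that is not part of the original thread: with logon auditing and "Audit process tracking" enabled, process-creation events can be tied to their parent process and logon session to show what is launching cmd.exe and IE. The CSV column layout, the sample rows and the `updater.exe` name are constructed for illustration.

```python
import csv
import io

# Constructed sample export of the Security log; the column layout is an assumption.
# Pre-Vista event IDs: 528 = successful logon, 540 = successful network logon,
# 592 = new process created (logged only when "Audit process tracking" is enabled).
SAMPLE_LOG = """\
time,event_id,user,logon_id,logon_type,source,pid,parent_pid,image
09:58:02,528,kh,0x1A2B0,2,,,,
09:58:10,592,kh,0x1A2B0,,,412,380,C:\\WINDOWS\\explorer.exe
10:01:12,592,kh,0x1A2B0,,,1660,412,C:\\WINDOWS\\Temp\\updater.exe
10:01:15,592,kh,0x1A2B0,,,2104,1660,C:\\WINDOWS\\system32\\cmd.exe
10:01:20,592,kh,0x1A2B0,,,2236,2104,C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
10:05:40,592,kh,0x1A2B0,,,2300,412,C:\\WINDOWS\\system32\\sol.exe
"""

# Programs reported as opening by themselves in this thread.
WATCHED = {"cmd.exe", "iexplore.exe", "sol.exe", "calc.exe"}
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def trace_launches(log_text, watched=WATCHED, shell="explorer.exe"):
    """Return (time, image, parent image, logon kind, source) for watched
    processes that were not started directly by the user's shell."""
    sessions, images, findings = {}, {}, []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"] in ("528", "540"):
            kind = LOGON_TYPES.get(row["logon_type"], "type " + row["logon_type"])
            sessions[row["logon_id"]] = (kind, row["source"])
        elif row["event_id"] == "592":
            image = basename(row["image"])
            parent = images.get(row["parent_pid"], "unknown")
            images[row["pid"]] = image  # later events win, which copes with PID reuse
            if image in watched and parent != shell:
                kind, source = sessions.get(row["logon_id"], ("unknown", ""))
                findings.append((row["time"], image, parent, kind, source))
    return findings


if __name__ == "__main__":
    for finding in trace_launches(SAMPLE_LOG):
        print(finding)
```

In the sample, Solitaire started from `explorer.exe` is ignored, while the cmd.exe and IE launches are reported with the unfamiliar parent that started them and the logon session they ran in.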

Re: Computers got Hacked?? Please Help!!! by itsupport

itsupport
Sun Sep 19 20:43:01 CDT 2004

Hmm....someone is on the network, this might be possible as firewall log
doesn't show anything. Is there a good method/tool to track who is on the
internal network?

Thanks,
KH

"Christo" wrote:

>
> "itsupport" <itsupport@discussions.microsoft.com> wrote in message
> news:446A0EFF-1D5C-435B-905D-A73873CDA666@microsoft.com...
> > I'm sorry if this is not the right forum to post this.
> >
> > 2 days ago, something strange happened to our work computers. It
> > happened to our Windows 2003 server and several other users' PCs (Win2K
> > and Win XP). A cmd.exe window will pop up but no script is shown. Then, IE
> > will be opened by itself and go to websites like rotten.com showing gross
> > pics, Google, etc. Also, sometimes Solitaire, Calculator, My Documents will
> > be opened too. This happens randomly throughout the day.
> >
> > I've checked the firewall logs, ran Spybot, adware and virus scans. But
> > couldn't detect anything. Searched on Google for a similar incident, but
> > didn't find anything either :(
> >
> > Please help as I'm clueless of what to do next in order to get rid of this
> > prob! I really appreciate your help.
> >
> > Thanks,
> > KH
>
> sounds like a trojan but since there are no viruses found it must be someone
> local (already on the network)
>
>
>

Re: Computers got Hacked?? Please Help!!! by itsupport

itsupport
Sun Sep 19 20:45:04 CDT 2004

Karl,

> This doesn't sound like most viruses. Could be an internal prank by someone
> there, or a remote control Trojan. Make sure your network has a firewall,
> and that your anti-virus has been updated in the past week.
Yes, I've made sure that the Symantec Antivirus definition is up to date.

> AV can be disabled by attackers so that it looks like it is still working.
> Try running a second opinion AV scan by going to
> http://housecall.antivirus.com
Yes, I've tried using housecall to scan the infected pc but no luck.

> Also, Windows root kit functionality can hide viruses from the locally
> logged in user... try using a known virus free computer to scan other
> computers across the network using a Windows networking share and regular
> anti-virus. You could also use an anti-virus boot floppy disk from your
> antivirus vendor or a free live boot rescue CD from BitDefender.
Will try this tomorrow, thanks.

> If these don't help, see here:
>
> http://securityadmin.info/faq.asp#startup
> http://securityadmin.info/faq.asp#hacked
> http://securityadmin.info/faq.asp#harden
Will check them out now.

KH

Re: Computers got Hacked?? Please Help!!! by itsupport

itsupport
Sun Sep 19 20:47:02 CDT 2004

Jeff,

> Sounds like a prank more than a virus or trojan, but if someone has
> access to your system you've already lost. Might try rollbacks on the
> XP systems for a start, restore from backup prior to two days ago for
> the rest. Auditing security events would help track this, ensuring
> systems are properly firewalled and disconnecting from an internet
> connection to determine if this is internal or external might all be
> prudent.
Thanks for your suggestions. Yes, I have to find out if it's internal or
external. I have a feeling that it's internal.

KH

Re: Computers got Hacked?? Please Help!!! by itsupport

itsupport
Sun Sep 19 20:39:02 CDT 2004

Colin,

Thanks for your suggestion. Formatting and reinstalling is my last option,
but I might have to do this if I can't find a better solution.

Kean Huat

"Colin Nash [MVP]" wrote:

>
> "itsupport" <itsupport@discussions.microsoft.com> wrote in message
> news:446A0EFF-1D5C-435B-905D-A73873CDA666@microsoft.com...
> > I'm sorry if this is not the right forum to post this.
> >
> > 2 days ago, something strange happened to our work computers. It
> > happened to our Windows 2003 server and several other users' PCs (Win2K
> > and Win XP). A cmd.exe window will pop up but no script is shown. Then, IE
> > will be opened by itself and go to websites like rotten.com showing gross
> > pics, Google, etc. Also, sometimes Solitaire, Calculator, My Documents will
> > be opened too. This happens randomly throughout the day.
> >
> > I've checked the firewall logs, ran Spybot, adware and virus scans. But
> > couldn't detect anything. Searched on Google for a similar incident, but
> > didn't find anything either :(
> >
> > Please help as I'm clueless of what to do next in order to get rid of this
> > prob! I really appreciate your help.
> >
> > Thanks,
> > KH
>
> I've never heard of those symptoms, but you really should format all of them
> and reinstall Windows (carefully back up the data, but don't just blindly
> back up each file and put them back on the rebuilt systems). Yes, this is
> drastic but it's the only way to be sure that there is nothing left. The
> systems have been compromised and they aren't your computers any more ;)
> For home PCs, I might suggest trying to clean out the infection but in a
> business environment you need to be more careful.
>
> http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
>
>
>

Re: Computers got Hacked?? Please Help!!! by itsupport

itsupport
Sun Sep 19 20:39:03 CDT 2004

Yup, I want to find out the causes first.

"Karl Levinson [x y] mvp" wrote:

>
> "Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
> news:eUlKBjhnEHA.3460@tk2msftngp13.phx.gbl...
>
> > I've never heard of those symptoms, but you really should format all of
> > them and reinstall Windows (carefully back up the data, but don't just
> > blindly back up each file and put them back on the rebuilt systems). Yes,
> > this is drastic but it's the only way to be sure that there is nothing
> > left. The systems have been compromised and they aren't your computers any
> > more ;)
>
> I wouldn't recommend this without first finding out what caused this and how
> to fix it. What if they reimaged every computer and then it happened a
> minute later?
>
>
>
>