Help! My computer has been hijacked!

[mr.Curmudgeon]

Ok, I'm at my wits ends trying to figure out what's going on.

I noticed traffic on my router, threw a packet sniffer on my computer and lo and behold, ports 25 and 53...and others, are being overwhelmed with traffic. I've tried Norton AV, HijackThis, Search & Destroy and several other programs and they all found nothing.

It's definitely being used as a mail relay, but I don't have SMTP installed. I don't even have the IIS module on WinXP...so I have no idea how to thwart this.

Windows firewall doesn't do crap. So my question is: How do I find out which program is being referenced as the relay, so I can then destroy/fix the damn thing?




mrC

[Havok]

The Windows firewall sucks. It doesn't block outgoing traffic. Load up ZoneAlarm - it's one of the best in my opinion, get it here:

http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass

Once it starts up, it will block everything until you authorize it. Then, you can track down what the problem is. I would also recommend running the Microsoft Anti-Spyware software. It's actually quite good. Get it here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

I've seen a lot of really sneaky spyware out there - most of the "better" ones have their own SMTP engine, so you don't have to have IIS\SMTP installed for them to work silently in the background.

Good luck!

[AtomSmasher]

I'd try installing a firewall that limits both inbound and outbound traffic.

[ChadTower]

You shouldn't be using a software and a hardware firewall together, if that is the case.

Does your router have a firewall in it? If so, use that one.  A firewall inside the network completely defeats the purpose. 

Conceptually... wall to prevent fire... if you put your firewall ON what you are trying to protect, by the time the fire gets there to stop, it's on what you are protecting.

[Havok]

You shouldn't be using a software and a hardware firewall together, if that is the case.

Does your router have a firewall in it? If so, use that one.

[ChadTower]

Yeah, but if it's managed correctly, that outgoing software doesn't end up on the box inside the network to begin with.

And you can set up your hardware router to block outgoing as well.

[AtomSmasher]

You shouldn't be using a software and a hardware firewall together, if that is the case.

Does your router have a firewall in it? If so, use that one.

[missioncontrol]

Unplugging it from the wall helps too

[Stingray]

This is all Bush's fault.

-S

[missioncontrol]

I was waiting for someone to blame Bush 

[ChadTower]

Well duh, it IS Mr C... the CIA has planted monitoring software on his machine.

I mean how many I HATE BUSH conversations can you have before the FBI tags you? 

[Stingray]

how many I HATE BUSH conversations can you have before the FBI tags you? 

I'll let you know. This is like the licks to the center of a tootsie pop thing, right?

-S

[SirPoonga]

Yeah, but if it's managed correctly, that outgoing software doesn't end up on the box inside the network to begin with.

And you can set up your hardware router to block outgoing as well.

Right, but you can never have too much security.  It is wise to have both a software and hardware firewall.

This is all Bush's fault.

Actually, it's Al Gore's fault, he invented the internet.

[ChadTower]

I'll let you know. This is like the licks to the center of a tootsie pop thing, right?

I knew a stripper who called herself Tootsie Pop. 

It took quite a few licks.

[mr.Curmudgeon]

I have a netopia router with a built-in hardware firewall. I initially started with all ports blocked, and only opened the ports I actually use. However, over time and since I use my computer to do a great many things (P2P, Gaming, Development, IM, etc) there are now a great many number of ports open.

Personally I hate software firewalls, and I've have pretty good protection with the netopia. I believe the trojan got in when I clicked on a file within my LAN. It was included with a file from a trusted source, so I assume the person wasn't aware of the offending program.

I'm going to try ZoneAlarm when I get home from work today and we'll see how that goes.

Btw, is there any kind of program that will allow you to see what's being called on in memory, etc...ie: Kind of like a packet sniffer, but for program tasks (other than task manager, since that doesn't necessarily show you what is being called and how)?

And finally, I blame Cheney...



mrC

[ChadTower]

There are better shareware apps out there that have a GUI like the Task Manager but will allow you to drill down into threads and windows dll calls and such.

[NinjaEpisode]

Btw, is there any kind of program that will allow you to see what's being called on in memory, etc...ie: Kind of like a packet sniffer, but for program tasks (other than task manager, since that doesn't necessarily show you what is being called and how)?

Check out Regmon and Filemon.  Both will tell you all that's being accessed, written, deleted, etc. on a machine.

They're created by Sysinternals, who also have a bunch of other tools, such as PMon which will let you take a little closer look at the processes and threads.

[mr.Curmudgeon]

Sweet!  I'll give that stuff a shot. Wish I could leave work right now!


mrC

[JackTucky]

You need a software firewall to keep out the other jerks on the LAN, and a hardware firewall to keep the jerks out of the whole LAN.

and I blame Howard Dean.

yeehaa!

Art

[Jess--]

if you are trying to find the program doing the work have a quick search for a bit of software called Active Ports

it list all connections in / out of your PC, where they are connecting to, what port they are using and more importantly what program is creating that connection.

also give you a method of killing any active task (even if windows is relying on it.... no protection for any tasks)

[saint]

Layering your protection is one of the strategies recommended today. Both desktop and gateway protection (be it firewall, antivirus, etc...) is a great approach.

Yeah, but if it's managed correctly, that outgoing software doesn't end up on the box inside the network to begin with.

And you can set up your hardware router to block outgoing as well.

[mr.Curmudgeon]

Ok, here's the update:

Ran a couple of the software suites mentioned. ZoneAlarm has successfully stopped the hijack from calling out to the internet, but the infestation is still in the system.

It appears that one of my system tasks has been hijacked and turned into a mail relay.

'Winlogon.exe' is the problem, but it's a necessary sub-system of winXP and I'm not sure how to deal with it, since I can't delete it. I'm searching the 'net for tips, we'll see how it works out.

Suggestions are welcome, especially if someone has dealt with something similar.


mrC

[whammoed]

This is sort of a cop out answer, but sometimes a reformat and re-install is quicker than all the time spent trying to figure out your problem...and sometimes you never figure it out.

[xar256]

C:\windows\system32\winlogon.exe is a system file.  But there are several other viruses out there that create winlogon.exe in other folders.

Do a search on your system for other versions of that file...You may have your answer.

Xar256