virus? worm? trojan?

Printable View

Show 40 post(s) from this thread on one page

12-12-2008, 10:30 AM
theoleek

virus? worm? trojan?

Hey Guys,

Theory and practial question here. My computer seems to be acting strange at the moment in that cpu useage is through the roof, secure websites gettin time out error, system start up slower than usual etc etc.

Im guessing it is virus/worm etc thats chewing my cpu etc. scanned comp with PC tools software and nothing is coming up, firewall is up and running fine.

I use WEP on my wireless (hardware issue with mulitmedia box) even though i know i should be WPA at least (alot of old people living here so figured would not be to much of a risk), so i wondering if someone has cracked my WEP, and somehow uploaded something to my computer.

How would they have uploaded something to my comp without my knowledge, and how can i guard against such things happening??

(best defence is to know there offence)

Many thx

The0
12-12-2008, 10:43 AM
Lincoln

You can start out by sniffing some traffic. BT comes with Wireshark. Pop that open and see if anything unusual is going on.

If your computer is comprimised, you're better off just reformatting and starting over. Move over to WPA and use stronger passwords.
12-12-2008, 10:59 AM
theoleek

Hey lincon,

Ive sent a report to security company, waiting to hear back from them, see if they can id anything.

If they carnt find it, will have to resort to factory reset. In regards to WPA, hardware issue mean WPA isnt supported (crap on a stick i know) so in that case may have to relocate said hardware and hardwire to router.

How the hell would someone have go something onto the comp in the first place??

Metaspolit?
12-12-2008, 11:43 AM
thorin
Quote:

Originally Posted by theoleek

How the hell would someone have go something onto the comp in the first place??

Metaspolit?

that's just one of many possibilities.

It's far more likely that you downloaded/installed something you shouldn't have, plugged in a USB key or other media from a source you shouldn't have trusted, are behind on patches (which might play to the metasploit angle), visited a web site with an insecure browser or accepted installation of a component/plugin/activeX etc when visiting a website of questionable repute (with or without your knowledge).

Things to try:
1. Restart in Safe mode and see how performance is.
2. Check msconfig and see what junk is in your startup items list.
3. Get processexplorer and see what's running/using CPU time.
4. Use wireshark/netstat/other tools to see what connections your machine is making.
5. Check your OS logs for errors or other strange messages.
12-12-2008, 12:24 PM
Thorn
Quote:
Originally Posted by thorin

that's just one of many possibilities.

It's far more likely that you downloaded/installed something you shouldn't have, plugged in a USB key or other media from a source you shouldn't have trusted, are behind on patches (which might play to the metasploit angle), visited a web site with an insecure browser or accepted installation of a component/plugin/activeX etc when visiting a website of questionable repute (with or without your knowledge).

Things to try:

Restart in Safe mode and see how performance is.
Check msconfig and see what junk is in your startup items list.
Get processexplorer and see what's running/using CPU time.

Use wireshark/netstat/other tools to see what connections your machine is making.
Check your OS logs for errors or other strange messages.
That is a real simple thing to try. A user at a client's place downloaded a Trojan last week, and managed to become a spambot. Within 5 minutes of my arrival, Wireshark showed a huge amount of traffic coming from one machine - all on port 25. Running netstat on the suspected machine confirmed the problem when the console window scrolled for a solid minute showing nothing but connections to email servers.

I think the user is recovering nicely from the bludgeoning the boss gave her...

For the record, the client has previously been told a whole host of best practices, which they continue to ignore.
12-12-2008, 12:31 PM
godcronos

Re:

Also, since your AP/router is a DHCP server also, check and see if another computer got an IP address from your router.
I tried this with some embedded viruses, that were trying to go out to the net or "call home", whichever.
Install ZoneAlarm , the free edition, it will by default tell if if something is trying to get outside of your computer and so many other things. Mind IP addresses, .exes,file extension,etc. Read up on it!
Come back and let us know!

Good luck!
12-12-2008, 01:21 PM
theoleek

Thank for all the reply's guys.

Take my own advise and use wpa2, will just have to do alot of cabling around the house to hardwire the offending hardware to router.

Cheers guys

the0
12-16-2008, 01:45 PM
AgentK

You might want to consider using a Homeplug device before re-wiring the house. Also keep in mind that you can convert phone jacks into RJ45 jacks with minimal effort. Most houses have enough to make it doable. If you do decide to re-wire, don't run the cable itself! Install conduit instead so you can upgrade your network with far less effort the next time.

Have you already formatted your system? I remove malware and medium depth rootkits for a living and should be able to help you remove it in about 45 minutes to an hour and a half (from your initial description of slow ssl pages, cpu usage etc.) it sounds like you have either a BHO or dll injector infection.
12-16-2008, 02:55 PM
streaker69

Quote:

Originally Posted by AgentK

Also keep in mind that you can convert phone jacks into RJ45 jacks with minimal effort. Most houses have enough to make it doable.

Only if the house is relatively new and was installed with CAT5 or better cable. Attempting to run Ethernet over CAT3 at speeds higher than 10Mb would be unreliable.

Quote:

If you do decide to re-wire, don't run the cable itself! Install conduit instead so you can upgrade your network with far less effort the next time.

You're advising someone to install conduit in their home? Do you expect them to rip up their drywall/plaster to do so? That may be a good idea in a new construction, but any retro-fitting wouldn't really be feasible even by the most experienced weekend warrior.
12-16-2008, 03:25 PM
Barry

Quote:

Originally Posted by streaker69

Only if the house is relatively new and was installed with CAT5 or better cable. Attempting to run Ethernet over CAT3 at speeds higher than 10Mb would be unreliable.

You're advising someone to install conduit in their home? Do you expect them to rip up their drywall/plaster to do so? That may be a good idea in a new construction, but any retro-fitting wouldn't really be feasible even by the most experienced weekend warrior.

I've pulled around four thousand feet of network cable in the last two houses I've lived in, none of it has been in conduit.

Show 40 post(s) from this thread on one page